I'll follow up over email :)

Ok so one question would be around using resource urls, e.g. the
Debian | deb://dist(optional):arch:name:version | deb://lucid:i386:acl:2.2.49-2
I have a similar proposal for the CVE JSON format, essentially "Aliases" that are effectively a key:value store where the key is the namespace name, and the value is whatever, e.g.:

RedHat-RPM:some-rpm-1.2.3-5.el7.x86_64.rpm
github.com:grafeas/grafeas
twitter:somehandle

and so on. Each name space would have defined rules, e.g.: "full file name of RPM supplied by RedHat" or "organization or username, a slash and then repo name in github.com" for example. Generally speaking I imagine namespaces would be defined by either the "owner" of the namespace (e.g. Red Hat/Github) or by the CVE people (board or a working group I guess, details TBD) if it has enough value and the owner isn't available/interested.

My question would be why did you go with a URI format? Is it defined somewhere? Who decides the namespace names/values/rules/etc? Thanks

#65 is open for moving resourceUrl to the purl spec - #65. It seems like your suggestion is similar but different for purl. Its probably worthwhile to review the purl spec and leave comments in #65 or on the spec itself is you see issues here.

I believe for our beta version we'll adopt purl, so far there haven't been objections to that format.