What exactly is the meaning of metadata.supplier?

[andreas-hilti]

https://cyclonedx.org/docs/1.6/json/#metadata_supplier
specifies

The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.

i.e. it makes a statement about the component itself not about the BOM. However, in line with this:
#346
I believe that the properties in metadata should be about the BOM and not the component. In addition, there is already a supplier property on the component:
https://cyclonedx.org/docs/1.6/json/#metadata_component_supplier

Thus, in my opinion either the meaning should be changed to

The organization that supplied the BOM. [...]

or it should be deprecated in favor of component.supplier.

[jkowalleck]

@CycloneDX/core-team agrees on that, too.
But we cannot simply change the meaning of an existing field. see #379 (comment)
We could deprecate the existing $.metadata.supplier in favor of $.metadata.component.supplier,
and we could add a new field to $.metadata to represent the SBOM supplier.

[jkowalleck]

this discussion duplicates #345