Mention cachi2 limitation in rpm repo id rule

It's a small fixup for c9909c4 from
a few weeks ago.

Ref: https://issues.redhat.com/browse/EC-901

antora/docs/modules/ROOT/pages/release_policy.adoc

@@ -1034,7 +1034,7 @@ This package defines rules to confirm that all RPM packages listed in SBOMs spec
 [#rpm_repos__ids_known]
 === link:#rpm_repos__ids_known[All rpms have known repo ids]
 
-Each RPM package listed in an SBOM must specify the repository id that it comes from, and that repository id must be present in the list of known and permitted repository ids.
+Each RPM package listed in an SBOM must specify the repository id that it comes from, and that repository id must be present in the list of known and permitted repository ids. Currently this is rule enforced only for SBOM components created by cachi2.
 
 *Solution*: Ensure every rpm comes from a known and permitted repository, and that the data in the SBOM correctly records that.
 

policy/release/rpm_repos.rego

@@ -35,6 +35,7 @@ deny contains result if {
 # description: >-
 #   Each RPM package listed in an SBOM must specify the repository id that it comes from,
 #   and that repository id must be present in the list of known and permitted repository ids.
+#   Currently this is rule enforced only for SBOM components created by cachi2.
 # custom:
 #   short_name: ids_known
 #   failure_msg: 'RPM repo id check failed: %s'