in-toto / specification

Specification and other related documents.
https://in-toto.io
MIT License

pattern matching syntax for artifact rules is undefined #71

Closed lukpueh closed 1 year ago

lukpueh commented 1 year ago

[from the X41 specification and source code audit]

Section 4.3.3 of the in-toto specification specifies a "pattern" for the artifact rules, but only describes them as "bash-style wildcards" and does not further define the pattern matching syntax.

The Python implementation of in-toto uses the fnmatch module for pattern matching, while the Go implementation uses a customized version of the filepath.Match function.

The Python and Go functions differ in the way patterns are applied, for example regarding escaping and negated sequence matching.

Solution advice: X41 recommends describing the pattern syntax in the specification, or referring to a specific version of a third-party pattern syntax definition, such as IEEE Std 1003.1-2017, 2.13.1.

The Python and Go implementations should implement the same pattern matching syntax.
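The divergences the audit names (escaping, negated bracket expressions) are easy to see by probing a matcher with a handful of constructed pattern/path pairs. The script below is an added example, not in-toto's or X41's code: it runs Python's standard-library `fnmatch.fnmatchcase` (the module the Python implementation relies on) against the result that IEEE Std 1003.1-2017 XCU 2.13 prescribes for shell patterns when `FNM_PATHNAME` is not set (so `*` and `?` are allowed to match `/`). The case list, the `probe`/`divergences`/`caret_negation` helpers and the `FNMATCH` alias are all introduced here; the POSIX expectations are my reading of 2.13.1 and 2.13.3 (backslash escapes the next character, `!` negates a bracket expression, `^` in that position is unspecified).

```python
"""Probe how a glob matcher treats the corner cases flagged in the in-toto audit.

Added example (not in-toto code). Each CASE is a constructed (path, pattern)
pair plus the outcome IEEE Std 1003.1-2017 XCU 2.13 prescribes for shell
pattern matching with FNM_PATHNAME unset. Run it against any matcher with the
signature matcher(path, pattern) -> bool to see where it departs from POSIX.
"""
import fnmatch
from typing import Callable, Dict, List, Tuple

Matcher = Callable[[str, str], bool]

# Python's reference implementation matches with fnmatch; fnmatchcase avoids
# the os.path.normcase step so results do not depend on the host platform.
FNMATCH: Matcher = fnmatch.fnmatchcase

# (case name, path, pattern, expected result under POSIX 2.13 without FNM_PATHNAME)
CASES: List[Tuple[str, str, str, bool]] = [
    # Escaping: 2.13.1 says a backslash escapes the following character and is
    # then discarded, so "\*" is a literal asterisk.
    ("escaped star matches a literal '*'", "*.c", r"\*.c", True),
    ("escaped star is not a wildcard", r"\x.c", r"\*.c", False),
    ("escaped brackets are literal", "[x]", r"\[x\]", True),
    # Negation: 2.13.3 uses '!' to complement a bracket expression.
    ("[!a] excludes 'a'", "a", "[!a]", False),
    ("[!a] admits 'b'", "b", "[!a]", True),
    # Separators: without FNM_PATHNAME, '*' and '?' may match '/'.
    ("'*' spans a directory separator", "dir/x.c", "*.c", True),
    ("'?' matches a directory separator", "a/b", "a?b", True),
]


def probe(matcher: Matcher, cases=CASES) -> Dict[str, Tuple[bool, bool]]:
    """Return {case name: (observed, posix_expected)} for the given matcher."""
    return {
        name: (bool(matcher(path, pattern)), expected)
        for name, path, pattern, expected in cases
    }


def divergences(matcher: Matcher, cases=CASES) -> List[str]:
    """Names of the cases where the matcher disagrees with the POSIX expectation."""
    return [name for name, (got, want) in probe(matcher, cases).items() if got != want]


def caret_negation(matcher: Matcher) -> Tuple[bool, bool]:
    """How the matcher reads '[^a]': (matches a literal '^', matches 'b').

    POSIX leaves '^' at the start of a bracket expression unspecified, so this is
    reported separately rather than counted as a divergence. (True, False) means
    the caret is taken literally; (False, True) means it negates, as in regexes.
    """
    return (bool(matcher("^", "[^a]")), bool(matcher("b", "[^a]")))


if __name__ == "__main__":
    for name, (got, want) in probe(FNMATCH).items():
        flag = "" if got == want else "  <-- differs from POSIX 2.13"
        print(f"{name:40} fnmatch={got!s:5} posix={want!s:5}{flag}")
    print("fnmatch reads '[^a]' as (literal caret, negation):", caret_negation(FNMATCH))
```

Running this shows that `fnmatch` has no escape mechanism at all (a backslash is an ordinary character, so `\*.c` matches `\x.c` but not `*.c`), accepts `!` for negation, treats a leading `^` in a bracket expression as a literal, and lets `*` and `?` cross `/`. To compare a second implementation, wrap it behind the same `matcher(path, pattern)` signature and feed it to `divergences`; a specification that wants one syntax across implementations has to pin down exactly these rows.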

joshuagl commented 1 year ago

IEEE/Open Group 1003.1-2017 is the POSIX base specification, i.e. "IEEE Standard for Information Technology--Portable Operating System Interface (POSIX(TM)) Base Specifications, Issue 7"

AFAIK, and I don't have access to the published spec because it's behind a paywall, the referenced XCU section is the shell pattern matching notation as used in fnmatch(3), that is glob(7) pattern matching rules.

We standardised on glob-style pattern matching for PATHPATTERN in TUF in theupdateframework/specification#174.

adityasaky commented 1 year ago

We use the same in the reference implementation. I'm open to clarifying in spec before or as part of #75 (and bring other implementations in line separately).

adityasaky commented 1 year ago

Closed by #75