theupdateframework / go-tuf

Go implementation of The Update Framework (TUF)
https://theupdateframework.com
Apache License 2.0

Possible bug in `isTargetInPathPattern` #590

Closed adityasaky closed 8 months ago

adityasaky commented 8 months ago

The implementation for this helper is here: https://github.com/theupdateframework/go-tuf/blob/9d57731720841af71c5f70d590e531136e0b025d/metadata/metadata.go#L535-L554

If I'm reading this right, this helper is responsible for identifying if a delegation pattern matches a target path. However, it incorrectly says a pattern like `foo/*` does not match `foo/bar/foobar.txt`. The same pattern does correctly match `foo/foobar.txt`. This is because both the pattern and the target path are split into their components using the separator, and if they don't have the same number of components, the helper returns false.

See: https://go.dev/play/p/6Mswjm_fM-4

adityasaky commented 8 months ago

After a discussion with @rdimitrov, @trishankatdatadog, and @mnm678, this is not an issue but likely deserving of some further clarification in the docs and in the TUF spec. See: https://theupdateframework.github.io/specification/latest/index.html#file-formats-targets for a description of how patterns work.

I'm going to submit some updated text to the specification, but this issue can be closed. :)

trishankatdatadog commented 8 months ago

IOW, the current behaviour is intended to be a feature not a bug in TUF 🙂
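
The component-by-component matching discussed in this thread, as an added example that is not go-tuf's own code and not part of any comment above. The function names `matchPathPattern` and `delegatedBy` are hypothetical, the use of `path.Match` for each component is an assumption, and the pattern list is constructed sample data.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// matchPathPattern (hypothetical) matches a delegation pattern one "/" component at a time.
func matchPathPattern(pattern, target string) (bool, error) {
	pp := strings.Split(pattern, "/")
	tp := strings.Split(target, "/")
	if len(pp) != len(tp) { // a wildcard never spans "/", so depths must be equal
		return false, nil
	}
	for i := range pp {
		ok, err := path.Match(pp[i], tp[i])
		if err != nil {
			return false, fmt.Errorf("bad pattern %q: %w", pattern, err)
		}
		if !ok {
			return false, nil
		}
	}
	return true, nil
}

// delegatedBy (hypothetical) lists which patterns of a delegation cover the target path.
func delegatedBy(patterns []string, target string) ([]string, error) {
	var hits []string
	for _, p := range patterns {
		ok, err := matchPathPattern(p, target)
		if err != nil {
			return nil, err
		}
		if ok {
			hits = append(hits, p)
		}
	}
	return hits, nil
}

func main() {
	patterns := []string{"foo/*", "foo/*/*", "foo/bar/*.txt"} // constructed sample
	for _, t := range []string{"foo/foobar.txt", "foo/bar/foobar.txt"} {
		hits, err := delegatedBy(patterns, t)
		fmt.Println(t, hits, err)
	}
}
```

Under this matching, a delegation meant to cover nested paths needs a pattern for each depth, such as `foo/*/*` alongside `foo/*`.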