Unclear what asterisk means in delegation paths

[heartsucker]

For delegations, some examples seem to use a directory structure where foo/ means foo/bar/, foo/baz, and recursively everything under them. Other examples use what appears to be Unix style globbing like /foo/*.bar which would match foo/baz.bar and so on.

The spec should not actually specify either but say that a TUF implementation could use:

• A directory structure
• Regex
• Unix globbing
• Anything so long as it is well define and the server/client can agree on the method of representing delegated paths

[joshuagl]

https://github.com/theupdateframework/specification/commit/6fffd3696eaf5fe86cb6ec7d132898a47b0c1bbf specified that PATHPATTERN wildcards are glob-like. This old issue, that I found this morning in the python-tuf repository, suggests the specification should not define how PATHPATTERN wildcards should behave, only that they should use a well-defined and agreed on (across the TUF using application) method of representing delegated paths.

[mnm678]

In general, I support leaving the specification flexible, but in this case I'd hesitate to leave it up to implementations as it could be confusing to users. The matching method can significantly change the scope of a delegation, and I think in this case clarity is the most important.