pattern matching syntax for artifact rules is undefined

[lukpueh]

[from the X41 specification and source code audit]

Section 4.3.3 of the in-toto specification specifies a "pattern" for the artifact rules, but only describes them as "bash-style wildcards" and does not further define the pattern matching syntax.

The Python implementation of in-toto uses the fnmatch module for pattern matching, while the Go implementation uses a customized version of the filepath.Match function.

The Python and Go functions differ in the way patterns are applied, for example regarding escaping and negated sequence matching.

Solution Advice
X41 recommends to describe the pattern syntax in the specification, or to refer to a specific version of a third-party pattern syntax definition, such as IEEE Std 1003.1-2017, 2.13.1.

The Python and Go implementations should implement the same pattern matching syntax.

[joshuagl]

IEEE/Open Group 1003.1-2017 is the POSIX base specification, i.e.; "IEEE Standard for Information Technology--Portable Operating System Interface (POSIX(TM)) Base Specifications, Issue 7"

AFAIK, and I don't have access to the published spec because it's behind a paywall, the referenced XCU section is the shell pattern matching notation as used in fnmatch(3), that is glob(7) pattern matching rules.

We standardised on glob-style pattern matching for PATHPATTERN in TUF in theupdateframework/specification#174.

[adityasaky]

We use the same in the reference implementation. I'm open to clarifying in spec before or as part of #75 (and bring other implementations in line separately).

[adityasaky]

Closed by #75