## Cross-Implementation Glob Pattern Bug Exposes Verification Gap in in-toto Supply Chain Framework
A semantic inconsistency between two in-toto reference implementations, in-toto-golang and in-toto-python, creates a verification gap that could undermine artifact rule enforcement across hybrid pipelines. Both libraries support glob patterns with character-class negation in layout artifact rules, but they use incompatible negation operators: in-toto-python recognizes `!` (as in `[!abc]`) while in-toto-golang uses `^` (as in `[^abc]`). The result is that a layout authored against one implementation's expectations will produce divergent matching behavior when processed by the other.

The vulnerability surfaces specifically in environments where both implementations are deployed at different stages of the same verification pipeline. A layout created using one library's syntax, then validated using the other, will silently apply different artifact filtering logic: a class the author meant as a negation is read by the other implementation as a literal set of characters, so artifacts the rule was meant to exclude can be matched and vice versa. The in-toto project advises operators to consolidate around a single implementation throughout the full lifecycle, from layout authoring through execution and verification, to avoid this class of behavioral drift.

Patches addressing the discrepancy in in-toto-golang are referenced in the project advisory. Users operating multi-implementation in-toto workflows should audit their pipelines for mixed usage and upgrade to patched versions accordingly. The semantic gap underscores a broader risk in standards that permit implementation-specific syntax variations without enforcing strict compatibility at the specification level.
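The audit below is an added example, not code from the in-toto project or the advisory. It assumes that in-toto-python's rule matching is backed by Python's `fnmatch` (where `[!...]` negates and a leading `^` is literal), and it only emulates the bracket-negation rule of Go-style path matching (where `[^...]` negates and `!` is an ordinary class member); other differences between the two matchers are out of scope. It also assumes the artifact rule layout of `["MATCH", "<pattern>", "WITH", ...]`, with the glob at index 1. Given a layout's rules and a few constructed artifact paths, it reports every rule whose pattern starts a character class with `!` or `^` and shows the paths on which the two interpretations disagree.

```python
"""Audit in-toto layout artifact rules for glob character-class negation whose
meaning differs between in-toto-python ('!' negates) and in-toto-golang ('^' negates).

Added example, not in-toto project code. Assumptions: in-toto-python matches rule
patterns with Python's fnmatch; the Go side is only emulated for bracket-negation
semantics; rule patterns sit at index 1 of each rule list.
"""
import fnmatch
import re

# A character class whose first member is '!' or '^', e.g. "[!t]" or "[^t]".
NEGATED_CLASS = re.compile(r"\[([!^])[^\]]*\]")


def python_match(pattern: str, path: str) -> bool:
    """in-toto-python semantics (assumed fnmatch-backed): '[!...]' negates, '[^...]' is literal."""
    return fnmatch.fnmatchcase(path, pattern)


def _class_body(body: str) -> str:
    """Escape regex-special characters inside a class body; ranges like a-z are kept."""
    return body.replace("\\", "\\\\").replace("]", r"\]").replace("[", r"\[").replace("^", r"\^")


def go_style_match(pattern: str, path: str) -> bool:
    """Emulation (assumption, not in-toto-golang's code) of Go-style classes:
    '[^...]' negates, '[!...]' is an ordinary class that includes '!'."""
    out, i, n = [], 0, len(pattern)
    while i < n:
        c = pattern[i]
        i += 1
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        elif c == "[":
            j = pattern.find("]", i)
            body = pattern[i:j] if j != -1 else ""
            if j == -1 or body in ("", "^"):  # unterminated or empty class: literal '['
                out.append(re.escape(c))
                continue
            i = j + 1
            if body.startswith("^"):
                out.append("[^" + _class_body(body[1:]) + "]")
            else:
                out.append("[" + _class_body(body) + "]")
        else:
            out.append(re.escape(c))
    return re.fullmatch("".join(out), path, re.DOTALL) is not None


def divergent_paths(pattern: str, paths):
    """Paths on which the two interpretations of the pattern disagree."""
    return [p for p in paths if python_match(pattern, p) != go_style_match(pattern, p)]


def audit_rules(rules, sample_paths=()):
    """Flag rules whose pattern uses '!' or '^' at the start of a character class.
    Returns a list of (rule, operators_found, divergent_sample_paths)."""
    findings = []
    for rule in rules:
        if len(rule) < 2:
            continue
        pattern = rule[1]
        ops = [m.group(1) for m in NEGATED_CLASS.finditer(pattern)]
        if ops:
            findings.append((rule, ops, divergent_paths(pattern, sample_paths)))
    return findings


# Constructed sample rules and artifact paths (not taken from any real layout).
SAMPLE_RULES = [
    ["MATCH", "[!t]*.txt", "WITH", "PRODUCTS", "FROM", "build"],  # python-style negation
    ["DISALLOW", "[^t]*.txt"],                                     # go-style negation
    ["ALLOW", "docs/*.md"],                                         # no negation: same in both
]
SAMPLE_PATHS = ["a.txt", "t.txt", "docs/readme.md"]

if __name__ == "__main__":
    for rule, ops, paths in audit_rules(SAMPLE_RULES, SAMPLE_PATHS):
        print(f"{rule[0]} {rule[1]!r}: negation operator(s) {ops}, implementations disagree on {paths}")
```

Run against a real layout by feeding it the `expected_materials` and `expected_products` lists of each step; any finding is a rule that should be rewritten without class negation (or the pipeline pinned to one implementation) before the layout is signed.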
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: vulnerability, supply-chain-security, glob-pattern, implementation-bug, in-toto
- **Credibility**: unverified
- **Published**: 2026-05-14 15:48:29
- **ID**: 83072
- **URL**: https://whisperx.ai/en/intel/83072