Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ambiguous rule set: ALLOW foo while DISALLOW * is also a rule #7

Closed
vladimir-v-diaz opened this issue Feb 8, 2018 · 1 comment
Closed

Ambiguous rule set: ALLOW foo while DISALLOW * is also a rule #7

vladimir-v-diaz opened this issue Feb 8, 2018 · 1 comment

Comments

@vladimir-v-diaz
Copy link

The following example is used in the layout creation document (see in-toto/in-toto#182):

step_update.add_product_rule_from_string("ALLOW demo-project/foo.py")
step_update.add_product_rule_from_string("DISALLOW *")

These two rules together seem to contradict each other. I personally find it easier to grok DISALLOW * EXCEPT "demo-project/foo.py" or ALLOW * EXCEPT "foo". However, I'm not familiar with in-toto's rules and why things are designed this way.
@lukpueh lukpueh mentioned this issue Apr 12, 2019
Open
@adityasaky
Copy link
Member

I'm taking a pass at our issues backlog. From https://github.com/in-toto/docs/blob/master/in-toto-spec.md#4331-rule-processing:

They operate in a similar fashion as firewall rules do. This means if an artifact is successfully consumed by a rule, it is removed from the queue and cannot be consumed by subsequent rules.

Revisiting via #4 when considering the documentation of artifact rules makes sense to me, in the meantime I think we can close this issue as the spec indicates how the scenario described here works.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@vladimir-v-diaz @adityasaky