A concerned user reported that one of our security tools was scanning for clipboard programs:
694472 newfstatat(AT_FDCWD, "/home/n/.go/bin/xclip", 0xc0001ab968, 0) = -1 ENOENT (No such file or directory)
694472 newfstatat(AT_FDCWD, "/home/n/.go/bin/xclip", 0xc0002fc448, 0) = -1 ENOENT (No such file or directory)
694472 newfstatat(AT_FDCWD, "/home/n/.local/bin/xclip", 0xc0002fc6b8, 0) = -1 ENOENT (No such file or directory)
694472 newfstatat(AT_FDCWD, "/home/n/bin/xclip", 0xc0002fc788, 0) = -1 ENOENT (No such file or directory)
694472 newfstatat(AT_FDCWD, "/home/n/.cargo/bin/xclip", 0xc0002fc858, 0) = -1 ENOENT (No such file or directory)
694472 newfstatat(AT_FDCWD, "/usr/local/bin/xclip", 0xc0002fc928, 0) = -1 ENOENT (No such file or directory)
694472 newfstatat(AT_FDCWD, "/usr/local/sbin/xclip", 0xc0002fc9f8, 0) = -1 ENOENT (No such file or directory)
694472 newfstatat(AT_FDCWD, "/usr/bin/xclip", 0xc0002fcac8, 0) = -1 ENOENT (No such file or directory)
694472 newfstatat(AT_FDCWD, "/usr/sbin/xclip", 0xc0002fcb98, 0) = -1 ENOENT (No such file or directory)
694472 newfstatat(AT_FDCWD, "/home/n/.go/bin/xsel", 0xc0002fcc68, 0) = -1 ENOENT (No such file or directory)
Since our program does nothing with the clipboard, I was concerned that this might be a supply-chain security attack, so we dug into the dependencies and found this library:
$ go mod graph | egrep -i 'clip|chirp'
x.dev/xctl github.com/atotto/clipboard@v0.1.4
github.com/charmbracelet/bubbles@v0.10.3 github.com/atotto/clipboard@v0.1.4
On investigation, we saw that the clipboard library causes a filesystem scan to occur on import:
https://github.com/atotto/clipboard/blob/master/clipboard_unix.go#L51-L97
It would be preferable if this filesystem scan were done as needed rather than at import, not only for binary startup performance but because it's less scary for users when they see this in system call traces.
PS - thank you for the fantastic robust library you have put together.
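To make the request concrete, here is an added example (not code from atotto/clipboard or the reporter) of the "scan as needed" pattern the issue asks for: the `PATH` search for a helper such as `xclip` or `xsel` is deferred until the first clipboard operation and then cached with `sync.Once`, so importing the package no longer produces a burst of `newfstatat` calls at startup. The lookup function is injectable (a hypothetical design choice made here so the behaviour can be checked without touching the real filesystem); the type name `clipboardTool`, the `Resolve` and `Scans` methods, and the candidate list are all assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
	"sync"
)

// clipboardTool resolves the external clipboard helper lazily. Nothing is
// searched when the package is imported; the PATH walk happens at most once,
// on the first call to Resolve, and its result (or failure) is cached.
type clipboardTool struct {
	once       sync.Once
	lookPath   func(string) (string, error) // normally exec.LookPath; injectable for testing
	candidates []string                     // helper names to try, in order of preference
	path       string
	err        error
	scans      int // number of times the filesystem was actually searched
}

// newClipboardTool builds a resolver that searches for the given helper names.
// A nil lookPath falls back to exec.LookPath, which performs the stat calls
// seen in the strace output (one per PATH entry per candidate name).
func newClipboardTool(lookPath func(string) (string, error), candidates ...string) *clipboardTool {
	if lookPath == nil {
		lookPath = exec.LookPath
	}
	return &clipboardTool{lookPath: lookPath, candidates: candidates}
}

// Resolve returns the path of the first candidate found on PATH. The search
// runs only on the first call; later calls return the cached result.
func (c *clipboardTool) Resolve() (string, error) {
	c.once.Do(func() {
		c.scans++
		for _, name := range c.candidates {
			if p, err := c.lookPath(name); err == nil {
				c.path = p
				return
			}
		}
		c.err = errors.New("no clipboard helper found (tried " +
			strings.Join(c.candidates, ", ") + ")")
	})
	return c.path, c.err
}

// Scans reports how many PATH searches have run so far (0 until first use).
func (c *clipboardTool) Scans() int { return c.scans }

func main() {
	tool := newClipboardTool(nil, "xclip", "xsel")
	// At this point no stat calls have been made; an strace of the process
	// would show none of the newfstatat lines from the report.
	fmt.Println("after import, scans =", tool.Scans())

	if p, err := tool.Resolve(); err != nil {
		fmt.Println("first clipboard use:", err)
	} else {
		fmt.Println("first clipboard use: found", p)
	}
	tool.Resolve() // cached; no second PATH walk
	fmt.Println("after two uses, scans =", tool.Scans())
}
```

Callers that never touch the clipboard never trigger the search, which is exactly the property the reporter's users would want to see in a system call trace; callers that do pay the cost once. The same structure also gives a single place to surface a clear error when no helper is installed.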