by fenollp 2869 days ago
> Some crypto funcs now randomly read an extra byte

Can someone explain how this is a feature?


It's to stop people misusing the crypto APIs, or making assumptions about them that the Go maintainers don't want to be stuck supporting.

https://go-review.googlesource.com/c/go/+/64451

> Code has ended up depending on things like RSA's key generation being deterministic given a fixed random Reader. This was never guaranteed and would prevent us from ever changing anything about it.

I respect agl a lot, but this really doesn’t make sense to me. Should I be able to rely on the RSA keygen being deterministic between versions, given a fixed random Reader? No. But should I be able to rely on it being deterministic between runs with the same version? IMHO, yes. This changes the signature of key generation from (Reader) to (Reader, internal random).
It’s so tests don’t rely on behavior that may change. See this commit message for a full explanation: https://github.com/golang/go/commit/6269dcdc24d74379d8a609ce...
Timing attack prevention?
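Added example, not code from the Go repository or from any commenter above: a stand-alone Go reimplementation of the extra-byte trick that the linked CL describes, applied to a toy key derivation over a constructed deterministic Reader. It makes concrete the two positions in the thread: without the trick, a fixed Reader always yields the same bytes (the "deterministic between runs" the second commenter wants); with it, the same Reader yields one of two outputs chosen by the runtime's select, which is the "(Reader, internal random)" signature that commenter objects to and the reason a test pinning an exact key cannot pass reliably. The names streamReader, maybeReadByte, deriveKey and distinctKeys are this example's own, and deriveKey stands in for real key generation.

```go
// Added example, not the Go standard library's code: a reimplementation of the
// "maybe read one extra byte" technique over a toy key derivation.
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"io"
)

// streamReader is a constructed deterministic byte source: each 32-byte block
// is SHA-256(seed || counter), so a given seed always yields the same stream.
// It stands in for "a fixed random Reader" handed to key generation in a test.
type streamReader struct {
	seed    []byte
	counter uint64
	buf     []byte
}

func newStreamReader(seed string) *streamReader {
	return &streamReader{seed: []byte(seed)}
}

func (s *streamReader) Read(p []byte) (int, error) {
	n := 0
	for n < len(p) {
		if len(s.buf) == 0 {
			var ctr [8]byte
			binary.BigEndian.PutUint64(ctr[:], s.counter)
			s.counter++
			block := sha256.Sum256(append(append([]byte{}, s.seed...), ctr[:]...))
			s.buf = block[:]
		}
		c := copy(p[n:], s.buf)
		s.buf = s.buf[c:]
		n += c
	}
	return n, nil
}

// closedChan is closed at init so that both select cases below are always ready.
var closedChan = func() chan struct{} {
	c := make(chan struct{})
	close(c)
	return c
}()

// maybeReadByte consumes one byte from r with probability 1/2. The Go runtime
// chooses uniformly among ready select cases, so the caller's Reader advances
// by an amount the caller cannot predict, and anything derived from the Reader
// afterwards is not reproducible from one run to the next.
func maybeReadByte(r io.Reader) {
	select {
	case <-closedChan:
		var b [1]byte
		r.Read(b[:])
	case <-closedChan:
	}
}

// deriveKey stands in for a key-generation routine that takes 16 bytes from the
// Reader. With nudge set, the extra-byte trick runs first, before any bytes are
// used, which is where the CL places it.
func deriveKey(r io.Reader, nudge bool) [16]byte {
	if nudge {
		maybeReadByte(r)
	}
	var k [16]byte
	if _, err := io.ReadFull(r, k[:]); err != nil {
		panic(err) // streamReader never fails; a real Reader's error must be handled
	}
	return k
}

// distinctKeys runs deriveKey trials times, each over a fresh Reader with the
// same seed, and returns the distinct outputs in first-seen order. A test that
// expects one exact key is only sound when this returns a single entry.
func distinctKeys(seed string, trials int, nudge bool) [][16]byte {
	seen := map[[16]byte]bool{}
	var out [][16]byte
	for i := 0; i < trials; i++ {
		k := deriveKey(newStreamReader(seed), nudge)
		if !seen[k] {
			seen[k] = true
			out = append(out, k)
		}
	}
	return out
}

func main() {
	for _, nudge := range []bool{false, true} {
		fmt.Printf("nudge=%v:\n", nudge)
		for _, k := range distinctKeys("fixed-test-seed", 64, nudge) {
			fmt.Println("  ", hex.EncodeToString(k[:]))
		}
	}
}
```

With the nudge on, the two outputs are the stream's bytes [0,16) and [1,17); which one a given run sees is decided by the runtime. The test that survives this contract checks properties of the result (length, validation, sign-then-verify round trip) rather than fixed bytes, and uses a fixed Reader only to exercise error paths, not to pin output.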