Secure Randomness in Go 1.22 (Go Blog)

Post Syndicated from corbet original https://lwn.net/Articles/972680/

The Go Blog has a detailed article on the new, more secure random-number
generator implemented for the 1.22 release.

For example, when Go 1.20 deprecated math/rand’s Read, we heard
from developers who discovered (thanks to tooling pointing out use
of deprecated functionality) they had been using it in places where
crypto/rand’s Read was definitely needed, like generating key
material. Using Go 1.20, that mistake is a serious security problem
that merits a detailed investigation to understand the
damage. Where were the keys used? How were the keys exposed? Were
other random outputs exposed that might allow an attacker to derive
the keys? And so on. Using Go 1.22, that mistake is just a mistake.
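
The excerpt credits tooling with surfacing uses of math/rand's Read. As an added example (not code from the Go Blog post or from LWN), here is a small syntactic audit in that spirit, built on the standard go/parser and go/ast packages. The helper name findMathRandRead and the sample source are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
)

// sample is constructed input, not code from the article.
const sample = `package keys
import crand "crypto/rand"
import mrand "math/rand"
func NewKey() []byte { k := make([]byte, 32); mrand.Read(k); return k }
func NewNonce() []byte { n := make([]byte, 12); crand.Read(n); return n }
`
// findMathRandRead (hypothetical helper) returns the lines in src that reference
// math/rand's package-level Read; syntactic only, so a shadowed alias also matches.
func findMathRandRead(src string) ([]int, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "sample.go", src, 0)
	if err != nil {
		return nil, err
	}
	names := map[string]bool{} // local names bound to math/rand
	for _, imp := range f.Imports {
		if p, _ := strconv.Unquote(imp.Path.Value); p != "math/rand" {
			continue
		}
		name := "rand" // default name when no alias is given
		if imp.Name != nil {
			name = imp.Name.Name
		}
		names[name] = true
	}
	var lines []int
	ast.Inspect(f, func(n ast.Node) bool {
		if sel, ok := n.(*ast.SelectorExpr); ok && sel.Sel.Name == "Read" {
			if id, ok := sel.X.(*ast.Ident); ok && names[id.Name] {
				lines = append(lines, fset.Position(sel.Pos()).Line)
			}
		}
		return true
	})
	return lines, nil
}
func main() {
	fmt.Println(findMathRandRead(sample))
}
```

Each reported line is a place to confirm whether the bytes feed key material, and if so to switch the call to crypto/rand's Read and check its error.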