Karolin Varner

Results 221 comments of Karolin Varner

@tushar-haldia Would you prefer I close this PR?

Sure, sounds good! And thank you for the good work @aadarsh-nagrath!

@nean-and-i You already wrote a long intro message. How about a quick mail to @aparcar's email and to karo at rosenpass dot eu so we can follow up by...

https://github.com/stv0g/go-rosenpass/blob/d7e38ecaf9e7803f2824a03ac24ac34944a53af6/biscuit.go#L8 **Severity: A (Functionality)** – Biscuit counter is 12 bytes in size; using just 8 bytes is not necessarily catastrophic. The biscuit counter is always created and consumed by the...

https://github.com/stv0g/go-rosenpass/blob/d7e38ecaf9e7803f2824a03ac24ac34944a53af6/biscuit.go#L8 **Severity: 6 (Just barely acceptable)** – Biscuit implementation is not side channel resistant. Increment and comparison operations might leak information through timing side channels.

https://github.com/stv0g/go-rosenpass/blob/d7e38ecaf9e7803f2824a03ac24ac34944a53af6/cmd/gen_config.go#L26 **Severity: 3 (Dangerous)** – Public key hard-coded in source

https://github.com/stv0g/go-rosenpass/blob/d7e38ecaf9e7803f2824a03ac24ac34944a53af6/cmd/main.go#L104 **Severity: A (Functionality)** – Path to man pages hard-coded (will be incompatible with installing as a system package).

https://github.com/stv0g/go-rosenpass/blob/d7e38ecaf9e7803f2824a03ac24ac34944a53af6/config/arguments.go#L83 **Severity: B (Observation)** – This (entire block of code) is surprisingly manual code; isn't it possible to formulate that sort of logic automatically?

https://github.com/stv0g/go-rosenpass/blob/d7e38ecaf9e7803f2824a03ac24ac34944a53af6/config/peer_section.go#L87-L94 **Severity: N/A** – Please explain this code section.

**Severity: 3 (Dangerous)** – No zeroization is attempted. https://github.com/golang/go/issues/21865