Slashdot Mirror

You might as well complain about any library written in any other language that any Rust program links to. As a complaint it makes no sense. What surprises anyone that worse tools are used to build better tools. This has been true for the entire history of software development. What will you argue next? That C isn't really C because actually it's all machine code in the end, and that machine code isn't really machine code because that's not how the processor works internally?

The question was what language is Rust written in. The answer is that it's written in Rust.

You are dead wrong though

Microsoft has shown you a study which backs my claims. One of their specific recommendations is that they need to move to languages with better memory safety (like Rust).

Show me a study which backs your claims.

To say this is the fault of C and C++ is disingenuous.

Read the slides from the talk. They specifically mention C++ as a problem to be solved. And they're right.

C++ allows you to write safe code, much safer than C.

The probelem is C programmers calling themselves C++ programmers when all they're really doing is using a C++ compiler to write C.

To say this is the fault of C and C++ is disingenuous.

Read the slides from the talk. They specifically mention C++ as a problem to be solved. And they're right.

This electron "app" uses v86 which is an x86 emulator inside the V8 javascript engine (which does 99% of the "work" here). If you want to see live demos, check out https://github.com/copy/v86/. They've got Windows 1.01, Windows 95 and Linux 3 demos that run right in your browser.

Except Canvas is AGPL licensed.

https://github.com/instructure...

  Sure, you'll loose those nice integrations with Big Blue Button (conferences tool), some of the Speed Grader stuff, the equation editor, the "record from webcam" function in the HTML editor, etc. since those are licensed services or hosted via 3rd party contracts, but you can also replace them yourself.

Strangely, what the college I work for pays for Canvas hosting and support (not a license fee) is about what we paid Angel/Blackboard for license and hosting, but the software is better and our support experience is better AND we get a LOT more resources.

On obtaining a better understanding of suicide, the below is from a book review I put here: https://github.com/pdfernhout/...

====

Out of the Nightmare: Recovery from Depression and Suicidal Pain
by David Conroy
https://www.amazon.com/Out-Nig...

"Out of the Nightmare. An all-out assault on the barriers that stand between you and recovery from depression and suicidal pain. decomposes recovery from depression into recovery from envy, shame, self-pity, grandiosity, fear, stigma, social abuse, and the double binds and vicious circles of the mythology of suicide. A drug-free approach to getting better and staying better. This book provides counselors with a bold new non-technical framework that is free from the prejudices that deter the suicidal from seeking help. It provides those who have lost a loved one to suicide with a broad array of new conceptual tools to understand the tragedy and to find help for stuck positions of bereavement. Most importantly, it provides all those who suffer from depression with hundreds of resources to find their way out of the nightmare."

A suicide by an employee or within the families of employees touches many lives and can significantly impact productivity. Along with advice for suicidal individuals, the book includes suggestion for first responders, counselors, friends, and those who sadly are survivors of someone else's suicide. A major focus of the book includes deconstructing harmful ideas surrounding how people often think about or respond to those who have suicidal ideation and suggesting a more effective way of thinking about suicide prevention called the aggregate pain model.

Some key ideas from the book are summarized here:
https://www.metanoia.org/suici...

"Suicide is not chosen; it happens when pain exceeds resources for coping with pain. That's all it's about. You are not a bad person, or crazy, or weak, or flawed, because you feel suicidal. It doesn't even mean that you really want to die - it only means that you have more pain than you can cope with right now. If I start piling weights on your shoulders, you will eventually collapse if I add enough weights... no matter how much you want to remain standing. Willpower has nothing to do with it. Of course you would cheer yourself up, if you could. Don't accept it if someone tells you, "That's not enough to be suicidal about." There are many kinds of pain that may lead to suicide. Whether or not the pain is bearable may differ from person to person. What might be bearable to someone else, may not be bearable to you. The point at which the pain becomes unbearable depends on what kinds of coping resources you have. Individuals vary greatly in their capacity to withstand pain. When pain exceeds pain-coping resources, suicidal feelings are the result. Suicide is neither wrong nor right; it is not a defect of character; it is morally neutral. It is simply an imbalance of pain versus coping resources. You can survive suicidal feelings if you do either of two things: (1) find a way to reduce your pain, or (2) find a way to increase your coping resources. Both are possible."

One of the fundamental challenges in an organization or society is to destigmatize asking for help to avoid the classic dillema those with suicidal thoughts face when they expect asking for help will only increase their pain from whatever reactions occur -- such as job loss or being ejected from a university community. By reconceptualizing suicide as an involuntary action that occurs when total pain exceeds resources for coping with pain, David Conroy provides a morally neutral way for organizations and society to think about suicide prevention in a productive way. Rather than focus mainly on intervening in a crisis, organizations can rethink their operations to reduce participant

Nah they're just saying the same old shit, and automation has made it boring

Someone should suggest this project adopt Contributor Covenant Code of Conduct.

So the worst offenders are becoming more PC because they don't feel totally free to say any old shit anymore.

Nah they're just saying the same old shit, and automation has made it boring

Name a SINGLE phone that actually supports using GSI

Google's Pixel phones are the obvious examples, as they're designed for easy user unlocking. But any of the phones listed here or here can also be unlocked, and many of them like the recent-ish OnePlus, Xiaomi, and Huawei phones are easy to flash GSIs to. Other compatible phones may require root first, like with any pre-GSI custom rom. And any unlockable phone shipping with Android 8.0+ can run any of the many GSI roms - regardless of the vendor's (lack of) updates.

Bonus Points if you can name a phone where the OEM took the time to update a pre-8 device to treble...

Better, here's a whole list.

Android, as well as the rest of the mobile space, is not meant to serve the user: it's meant to serve handset manufacturers, carriers, and app developers, and content providers, everyone except the user.

Hence the custom ROMs. They give control back to the user. At this point the general public really should be saying: "No custom ROM support? No sale." and sticking by it. It's what I do. Especially now that we all know with absolute certainty just how much data these things are meant to collect us, and how irresponsible they are with that collected data.

The next time you buy a phone, look at the support pages for the custom ROM you wish to use and pick a device from their supported list. Alternatively you can choose a Project Treble device like the ones listed here. Those will work with any GSI, or Generic System Image, that you can get your hands on and should be how things will work moving forward. Personally, I'm using a Moto G6 currently. Don't be afraid to ask on XDA if you have questions or need help either.

I'll get another mobile device when it actually feels like mine, not something that seeks to abuse and exploit me at every opportunity.

Ownership comes with responsibility. That responsibility starts with you choosing a device you can actually call your own. The groups you indicated cater to the irresponsible because it makes them the most money, and try to force everyone else to be irresponsible as well to further bolster their profits. Don't let them do that. To you or anyone else you know. It may be painful to do so, but it's part of being responsible.

This weak DNT bullshit is unenforceable. There is no technical reason that DNT must be honored, and we know that in the wild west world wide web that there are no laws. The only option right now is for us to continue an arms race with hosts files, blockers, and RBLs.

Web browser are application for end-users, not money machines for Google. If browser don't serve people, they will quit using them!

Or bitcoin multi-sig.

However, there still has to be money there to use it, and it appears there is none.

Many of these assistants are, potentially, spying on you via "smart" speakers. There is a pretty good idea floating around called Alias:

https://github.com/bjoernkarma...

To goal is the get control back from your smart assistants.

> It's alive and well server-side. It's dead on the desktop because it's dreadful, slow, memory-hungry and extremely annoying each time Oracle forcibly imposes things that break legacy applications.

So, it's not dreadful, slow and memory hungry / annoying on servers ?

Somewhat offtopic, but as a systems guy, I really have when people put absolute shite on servers just because the boss is rich and can afford to stick 32 gb of RAM in it.

Developers are even worse nowdays. For example, software like this (its' a restapi documentation generator):
https://github.com/tmcw/docbox

Takes approx 120 mb of disk space to be installed (3rd party packages). This 'software' can be coded in 100 kb of code, why the fuck does it download 120 mb of 3rd party packages ?
That's developers. Oh, there's a package for that functionality we need, but the packages has ton of other stuff too... never mind, just use it... hard drives are cheap. Not to mention security implications of using 30 different packges full of crap coded by 30 different people. In Javascript and PHP world, you'll see this as normal.

wait, what year is this? .NET & C# _are_ cross-platform _and_ open source.

https://github.com/dotnet

Firefox added group policy support with the release of ESR version 60, including official templates.

You can enable enterprise roots through this, which causes firefox to read the Windows certificate store.

The paper is on sci-hub.tw. The DOI is 10.1126/scirobotics.aau9354. The source code is at https://github.com/rjk2147/Tas....

"But, yes, I'm assuming competence. When it comes to statisticians at Google, that's an eminently reasonable assumption."

You're also assuming honesty & good will. When it comes to leadership at Google, that's an eminently unreasonable assumption.

(Note: In this reply, I'm assuming that you are interested in an actual conversation about this topic, and are willing to logically evaluate an opposing point of view. If that's an unreasonable assumption, you can just stop reading now. Otherwise, know that I'm also willing to logically and honestly evaluate counter arguments. This topic is personally important to me.)

It's not unreasonable at all to assume honesty and goodwill, but let's ignore that. Honesty and good will need not be assumed if motivation is sufficient, and Google's motivation here is clearly to thoroughly anonymize the data.

In general, Google is has no interest in disclosing information about users... indeed Google's most important business model is based completely on not disclosing information about users. I challenge you to find any evidence of Google selling identifiable private data. To anyone. Ever. (No, Google didn't participate in PRISM. Snowden's documents show that the NSA was tapping fiber between Google data centers. Google's response was a crash program to encrypt everything. Google spent millions to avoid leaking to the government, rather than selling to them.) This isn't to say that no one at Google makes mistakes -- there have obviously been some. People are fallible. On the other hand, Google pioneered the transparency report and the notion of making users' data available for downloading and deletion. And Google has invested heavily in research into and tools for really strong anonymization. (For example.)

I understand that the way Google collects data about people bothers you. It bothers me, too, though not as much as it bothers many people, for a couple of reasons that I'll go into if you're interested. I actually spend a portion of my working day on preventing Google (and others) from being able to collect data from Android users (with the complete support of my director, VP and SVP, and without any real pushback from the teams I'm blocking -- as soon as I point out the risk, they agree and back off). But what you're talking about here isn't about collection, it's about disclosure... and when was the last time you saw an article about data disclosed by or leaking from Google? The only one I can think of is the G+ APIs which overshared. And note the thoroughness of Google's response to the discovery of that problem (no, the API problems aren't the whole reason for shutting down G+, but they were the proximate cause).

Finally, given the target audience of this data, it seems highly unlikely that they would be interested in buying identifiable data, even if Google were interested in selling it. Also, note that having made public statements about the anonymous nature of this data, Google is legally obligated to ensure that's true, or be subject to lawsuits and fines from both citizens and regulators. People at Google would have to be really dumb to expose themselves to that risk.

Bottom line: Google has zero interest in disclosing identifiable data about user movements, and lots of PR and regulatory reasons not to do it. I assert that Google employees also have a deep and abiding altruistic interest in not disclosing identifiable user data, but even if that weren't true, the self-interested reasons are sufficient.

This update broke my tabs-on-bottom userChrome.css settings.

What was only about 6 lines of code now seems to require a lot more effort - see this github for example code.

What extensions do you want to use that still aren't updated and have no alternatives?

Keybinder does not work with Firefox 57 or later, and the feature that it relied on (XUL keymaps) has no counterpart in WebExtensions because of bug 1325692.

I'm waitng for PHP Desktop to become the new Java.

Signal. When you text or call someone that has the app, you get seamless end-to-end encryption by default. When you text or call someone that doesn't have the app, it automatically reverts to conventional SMS or phone calls. So in that sense, it's a very streamlined app, since you can talk to people with and without the app just as easily, and automatically "upgrade" your conversations to full encryption when your friends download it.

The app itself is quite good in my opinion, and works on both Android and iOS. The desktop version is kinda quirky (at least on Linux), and sometimes takes forever to start up, but it works OK. Both the frontend and backend are open source.

Like ReactOS... it's a hobby project. A huge one with thousands of developers, but a hobby project.

You are greatly overestimating the number of contributors to ReactOS. They have 38 contributors with more than 100 commits and only 55 with more than 10.

The effort would be so much better off elsewhere (e.g. an open-source VMWare that does half what VMWare can do in terms of desktop integration!),

You mean like the open-source VirtualBox and QEmu?

But no virtual machine technology is going to solve our societies utter dependency on Windows. Take away Windows and everything grinds to a halt: no more loan at your bank because the software for that runs on Windows, half the ATMs down, gas pumps too, cashiers at a significant fraction of the supermarkets revert to paper, and in a number of states no election anymore, etc.

And yet there is only one supplier. That would be totally unimaginable for oil, steel or most other critical resources. That's what makes Wine important: it is the only alternative Windows API implementation.

https://github.com/jjuran/metamage_1/issues/4

Hey cool, cheers Mandrel. I like the spirit of DevWheels, thanks for the link. I think the execution might be a bit too wordy, with all the bullet points, caveats and instructions etc. I prefer simple things :)

For developers who build on top of other people's code rather than rolling their own from scratch all of the time, it makes sense that there should be a clear and obvious way for dependency authors to be paid as well. Perhaps a key aspect of a PML could be that licensing only applies to end-user products or server applications. If you're using another author's PML licensed work as part of your own PML library, what you'd do is basically nothing. The other author's code source files remain alongside yours. Downstream products using your library are obliged to pay the other author + you, so they should have two *.pml receipts in their source tree. Simples. Perhaps as a courtesy if components end up with a bunch of PML dependencies, the readme should list them in bullet point form so "consumer" developers don't have to go fishing through every file in the source tree. Or something like GitHub will have already scanned the source tree and have PMLs listed in the clear up front.

Where it all falls apart is when an upstream author drops off the face of the planet and companies can no longer get a license. There's a gap there for GitHub or some company to provide a simple and familiar licensing experience and collect licensing fees in trust. So the purchase link becomes something like: https://github.com/sichbo?pml=.... And there's a tidy little familiar form so you just tick what you need, pay the bill, and receive your *.pml file and get on with life. Maybe throw on a deadman's switch such that *.pmls are issued for $0 when the original author is no longer able to accept payment (destination bank account closed) and a payment transfer issue isn't resolved after 12 months or whatever.

You make some valid points, but..

because we think people should be able to do what they want with their devices.

You should add the caveat, - "as long as Google can mine the users data". That is the only thing Google really cares about.

It's really not.

First, let me make clear that I work on Android. This is completely separate from the Google Apps. From my team's perspective, Google is just another app developer (though obviously a very influential one).

The Android system provldes no special access to Google. None whatsoever. If you want to scoff, please point me to the Google-data-mining hooks in AOSP.

Further, Google's apps are not special to Android. They cannot get any data from any other apps that don't choose to share it with them. That said, the Google suite of apps is very comprehensive, and users do tend to use a lot of them, and nearly all of their personal data does flow through them. Mail, contacts, location services, browsing, etc.

OTOH, it's also a very broad, deep and high-quality set of services, for which users pay nothing, in dollars. The deal is you trade the ability for Google to target ads to your eyeballs in exchange for all of that. If you think that's a bad deal, you're completely free to opt out. Buy an unlockable device, unlock it, remove all the Google apps, use a different search engine, don't use gmail, etc.

(Yes, I recognize I'm being a little disingenuous here. Most people couldn't actually do what I describe. But it is possible, and many Google engineers put in a lot of extra work to make sure that it continues being possible.)

In a sense, allowing vulnerabilities means that there's competition to get to the data.

No... we do not consider attackers who exploit vulnerabilities to be in any way "competition". Facebook is competition, as are other app developers who build tools that attract a lot of user data and then advertise to users.

It makes sense in other contexts too as to why Google is never going to allow users to encrypt the Inbox.

You certainly can do it if you want. GMail has full IMAP4 and POP3 interfaces, and you can use them with mail clients that support S/MIME or OpenPGP. Yes, I'm also disapointed that the Google end-to-end encryption project has died. I don't know why that happened, but I suspect that it was lack of executive support, probably for exactly the reasons you postulate: it undermines the business model that pays the bills -- including for the operational costs of GMail.

Anyway, my point is that your claim is wrong. Google does allow you to encrypt the inbox... Google just doesn't encourage it. A different sort of company would ban it.

We don't mind you guys fixing vulnerabilities, or even employing dark patterns across your products, or even trying to trick people to use your products - Hey, its a tough world out there. Its only when you cloak your actions under altruism that we find it reprehensible.

There actually is a huge amount of altruism at Google. it's not a cloak, it's reality. Of course, it's sometimes in tension with the need to generate profits, but less often than you might think. Generally, if you build something that hundreds of millions or billions of people want to use, there's some way to make it generate revenue -- which is good because running such massive services is expensive.

For me, personally, making Android secure is as much about improving the world as it is about getting a paycheck. I could get paid to do a lot of things. Few of them would be as rewarding as what I do.

I was gonna say the same (although I haven't) - I had some fun with https://github.com/StreisandEf... a while back - it's very good :-)

As for TFA - the list of VPNs is here: https://www.top10vpn.com/free-... I can't say I'd heard of any of them.

I managed to find the sources of where does my vague remembering of MIDI joysticks comes back from....

Sidewinders never used MIDI.

They did, the force feed-back is sent as MIDI messages.

Instead, they did what everyone else did, and they used the second joystick inputs to add additional features. That gave two more button inputs plus two more axes, so even without doing anything tricky you could implement four buttons and four axes.

...which would still limit you to 4 axises and 4 buttons. Going exclusively from the joystick to the PC.

Sidewingers rely on MIDI-out for force feed-back (sending information from the PC to the Joystick).

(Meanwhile, Logitech ADI protocol relied on rhythmically querying the port in some pseudo-morse-like patterns to trigger behaviors)

But by using the four button signals to make a binary number, you could either send four-bit numbers synchronously, or three-bit values asynchronously. I believe both approaches were used, but I'm not 100% on that.

Several joysticks used "buttons" to encode the HAT position. "CH Flightstick Pro" used that. (If button 1 and button 2 signal both "pressed", that actually means the HAT is actueated, and button 3 and 4 encode a 2-bit number telling which cardinal direction is beting pointed at).

Some did try to encode digital informations on analog channels "Thrustmaster FCS" used that instead: while the analog 3rd axis is simply the throttle, the 4th axis jumps to specific position on the axis, depending on which direction the HAT is currently pressed.

These where apparently popular methods, because other stick tried to be compatible with these. Some MS-DOS simulators can recognize this kind of sticks and use them directly in the game without requiring any 3rd party driver.

Fun fact: when in analogue mode, the Logitech Wingman Digital can select whichever of the 2 above methods you'd like.

(or Logitech ADI specific drivers can send the correct "pseudo-morse-like probe" and request the joystick to switch into ADI mode, at which point it completely drops any backward compatibility and starts speaking its own digital protocol end sending packets using 2 buttons signals. But that requires specific drivers and is thus only available in Windows or Linux. Old classic MS-DOS games cannot use that)

I've found the VPN section on That One Privacy Site to be quite an informative resource. There's a lot of information from Choosing A VPN up to a detailed comparison chart.

My use case: I don't care about LE nor intelligence agencies; I just need a reliable VPN for those times when I have to connect via an "insecure network" (as in hotel Wifi), and for that I simply installed OpenVPN on a VPS, created some certificates and installed them on my devices. Works like a charm, and if needed I can spin up a new VPS and install everything within minutes using a script like openvpn-install. And if one prefers to run an IPsec VPN server there's Algo VPN, a set of Ansible scripts that helps with the setup.

I've found the VPN section on That One Privacy Site to be quite an informative resource. There's a lot of information from Choosing A VPN up to a detailed comparison chart.

My use case: I don't care about LE nor intelligence agencies; I just need a reliable VPN for those times when I have to connect via an "insecure network" (as in hotel Wifi), and for that I simply installed OpenVPN on a VPS, created some certificates and installed them on my devices. Works like a charm, and if needed I can spin up a new VPS and install everything within minutes using a script like openvpn-install. And if one prefers to run an IPsec VPN server there's Algo VPN, a set of Ansible scripts that helps with the setup.

I have added your lines to my "Firefox telemetry and data collection denial" user.js script.

I recommend everyone use the following settings for their user.js:
https://gist.github.com/MrYar/...

He didn't suggest that the Java wasn't maintained due to backwards compatibility issues. He just said it wasn't maintained or was reimplemented.

If it was like many other places, it was simply because it's a bigger pain to read and maintain Java, generally speaking.

It was one of those why I bitched about HTTPS Only ... and seemed to be the only person who complained about it:

https://github.com/GSA/https/i... ... but I'm actually surprised that these websites are up at all. In 2013, we were told to take down all servers that weren't necessary for the protection of government property or human life, because we wouldn't be able to monitor them if someone were to hack them. I had a couple that were serving space weather data, and had to deal with being 'essential on-call' or whatever that horrible designation was.

I'm glad I don't have to deal with crap like this any more ... unfortunately, the group that I get paid through now gets most of their money through NSF, so I can work on my grant, but won't be able to get my invoices paid after mid-February.

Oh ... and the certs in question use the Department of Commerce CA, but most browsers (all except MSIE?) don't trust them.

Let's Encrypt is bad, but it's still better than the self-signed crap that the feds keep deploying.

But I'll still count this under #3 of why I said this was a bad idea: https://github.com/GSA/https/i...

Just wondering if anyone has experience with a roll your own system using RTSP cameras. Any cheap cameras you can recommend that are usable without sending data to the cloud? I tried my hand hacking a couple of the cheap XiaoFang cameras ( https://github.com/samtap/fang...) but haven't been successful to date.

Would love 2-3 such low powered cameras I could get to record locally using VLC or similar. Just a basic set-up.

Have fun finding all the potential bugs in this function.

https://www.qualys.com/2019/01... :

2018-11-26: Advisory sent to Red Hat Product Security (as recommended by
https://github.com/systemd/sys...).

2018-12-26: Advisory and patches sent to linux-distros@openwall.

2019-01-09: Coordinated Release Date (6:00 PM UTC).

Neat idea, i have seen tools like that a few times a few years back. One other tool has a cute and fitting name for this relay proxy idea. Its called KoiPhish lol : https://github.com/wunderwuzzi...

All of this stuff is off the shelf components. It is the absolute standard stuff that anybody that plays with RC gear uses.

All the flight control and way point planning is done via iNav - https://github.com/iNavFlight/...
Flight controllers are ~$20-$50 off ebay
The radio receivers are generic, $20 items.
GPS module is $20

It is all done in the 2.4g band. There isn't anything to detect, parse or cross reference. It's all consumable crap made for peanuts in china. There is nothing special about anything I'm using. The radio I use is an FrSky taranis which has millions of sold units and is the number 1 most popular radio in the hobby.

Displays now update the charges on the liquid crystals many times faster than the crystals themselves can update.

That's been true ever since the beginning of dot matrix LCDs in consumer devices. The original Game Boy compact video game system updated its 2.6", 160x144 pixel, 4-level passive matrix super-twisted nematic (STN) LCD panel at 60 Hz, but the display had so much "ghosting" (motion blur) that a lot of games ran at 30, 20, or even 15 fps just to let the LCD catch up. Game Boy pocket didn't improve response time but was nonetheless a bit easier to see because of better overall contrast. Pixel response times as measured with the homebrew 144p Test Suite didn't improve noticeably until Nintendo switched to TFT displays starting with Game Boy Color.

GHIDRA does not appear in the web https://code.nsa.gov/ .

What is the difference between below?

https://github.com/nsacyber
https://github.com/nationalsec...

Which either above is the oficial page for releasing GHIDRA?

Can GHIDRA support RISC-V? And Intel/AMD/ARM?

GHIDRA does not appear in the web https://code.nsa.gov/ .

What is the difference between below?

https://github.com/nsacyber
https://github.com/nationalsec...

Which either above is the oficial page for releasing GHIDRA?

Can GHIDRA support RISC-V? And Intel/AMD/ARM?

Oh, and it intentionally doesn't compress the XML file and does pretty-print it on output, so it works better with things like git.

i also use password hasher plus for sites, to generate random passwords/key based on a master password and site info ... you only need to backup the password/key to restore the passwords

Google was working on this a few years ago with the e2email project, but eventually canceled it--erm, I mean, moved it out to "community support." While I know that a lot of people think it was because it would get in the way of advertising, the project included a brutally honest threat assessment. I use it as an example of a thorough threat analysis as it's fairly lengthy but covers just one browser extension, not an entire browser, OS, or networking environment.

I created a fork from that. I think it is a little more up to date, includes hardening not done by pyllyukko and blocks all the recent telemetry.

https://gist.github.com/MrYar/...

Could you post or link your user.js here?

Check out this for user.js -- Firefox configuration hardening tips. I pulled some from here and others from simply Googling "firefox disable ____________" after a new release when some dumb crap -- I mean feature -- was noted in a review somewhere or in the Release Notes.

Why Yet Another Crypto Library instead of a more widely used one?

If you're referring to DSS then they probably mean that the bug bounty applies to the esig library or the standard it is based on. It's a convenient tool for applying and verifying EU-compliant document signatures (PDF, XML, ASiC) throughout EU institutions.

A contrived use case could be that you want to sign a legally binding contract with a Spanish bank to own a summer house, but you authenticate yourself with your Finnish bank, and the Spanish bank has outsourced the signing service to a company located in the Netherlands. But anyone involved can validate the signed document and see who were involved.

Python has homoiconic macros and multiple dispatch generic functions these days? Also, did you look into the source code?