fidzu : debian

Per my policies, I need to ban every employee and contractor of Anthropic Inc from ever contributing code to any of my projects. Anyone have a list?

Any project that requires a Developer Certificate of Origin or similar should be doing this, because Anthropic is making tools that explicitly lie about the origin of patches to free software projects.

UNDERCOVER MODE - CRITICAL

You are operating UNDERCOVER in a PUBLIC/OPEN-SOURCE repository. [...] Do not blow your cover.

NEVER include in commit messages or PR descriptions:

[...] The phrase 'Claude Code' or any mention that you are an AI
Co-Authored-By lines or any other attribution

-- via @vedolos

01 Apr 2026 4:36pm GMT

• Debian packages:
  • firmware-nonfree:
    • Bugs:
      • closed #1064620: firmware-nonfree: suggestions for the packaging, gencontrol.py and debian/rules
      • closed #1126797: firmware-intel-graphics: Please ship irci_irci_ecr-master_20161208_0213_20170112_1500.bin as ipu3-fw.bin
      • closed #1131751: ABI break in amdxdna npu firmware
    • Merge requests:
      • opened and merged !140: Update to 20260309
      • opened and merged !141: Clean up packaging (from Nicolas Boulenguez)
      • opened !142: Replace copy-firmware.sh; install files and generate metainfo.xml at build time
    • Uploads:
      • uploaded version 20260110-1~bpo13+1 to trixie-backports
      • uploaded version 20260221-1 to unstable
      • uploaded version 20260221-1~bpo13+1 to trixie-backports
      • uploaded version 20260309-1 to unstable
  • hexagon-dsp-binaries:
    • Bugs:
      • replied to and reassigned #1130844: firmware-qcom-soc depends on unavailable package firmware-qcom-dsp
  • initramfs-tools:
    • Merge requests:
      • merged !172: Use 3cpio for unmkinitramfs/lsinitramfs if available
      • merged !186: update-initramfs: support loading post-update hooks from /usr/share/ too
      • merged !190: autopkgtest: increase timeout to 240s on s390x
  • libtirpc:
    • Bugs:
      • replied to and reassigned #1132176: rpc.mountd: symbol lookup error: rpc.mountd: undefined symbol: rpc_gss_getcred, version TIRPC_0.3.0
  • libvirt:
    • Bugs:
      • replied to and reassigned #1130974: libvirt: Should use nftables for IP masquerading to work with PREEMPT_RT
  • linux:
    • Bugs:
      • replied to #1128861: linux: when serving NFS, client attempts to lock served files fail with "No locks available"
      • replied to #1130656: [grub2] wrong kernel version order
      • closed #1132224: linux: nouveau regression on GK208B/GT 730 after kernel update: artifacts and X crashes
    • Merge requests:
      • reviewed !1842: Merge kernel-wedge and use directly
      • reviewed and merged !1849: Cleanup installer
      • merged !1853: [amd64] drivers/platform/x86/uniwill: Enable UNIWILL_LAPTOP as module
      • opened and merged !1854: Fix ordering of kernel version strings for multiple Debian revisions
      • reviewed and closed !1857: crypto: padlock-sha - Disable for Zhaoxin processor
      • opened !1862: Fix regressions in debian/bin/test-patches
      • opened !1865: Draft: hyperv-daemons: Build using upstream Makefile; install hv_fcopy_uio_daemon
    • (LTS) worked on backports to 5.10 and 6.1 of the fixes for "CrackArmor" security flaws
    • Uploads:
      • (LTS) uploaded version 5.10.251-1 to bullseye-security
      • uploaded version 6.12.74-2~bpo12+1 to bookworm-backports
      • uploaded version 6.18.15-1~bpo13+1 to trixie-backports
      • uploaded version 6.19.6-2~bpo13+1 to trixie-backports
      • uploaded version 6.19.8-1~bpo13+1 to trixie-backports
  • (LTS) linux-6.1:
    • Uploads:
      • uploaded version 6.1.164-1~deb11u1 to bullseye-security
  • linux-base:
    • Uploads:
      • uploaded version 4.12.1~bpo12+1 to bookworm-backports
  • sgt-puzzles:
    • Bugs:
      • closed #363441: It's too easy to quit
      • closed #550311: slant: Please make shading of filled squares configurable
      • closed #1079717: sgt-puzzles: [Mozaic] crashes when copying the game
      • closed #1116973: sgt-puzzles: Loopy Spectres type
    • Uploads:
      • uploaded version 20250730.a7c7826-1 to unstable
  • wireless-regdb:
    • Uploads:
      • (LTS) uploaded version 2026.02.04-1~deb11u1 to bullseye-security
• Debian non-packages:
  • kernel-team:
    • added script to show status of all kernel team backports
  • pipeline:
    • Issues:
      • opened #552: piuparts job fails to install dependencies outside of main
• Mailing lists:
  • debian-kernel:
    • posted and replied to Agenda items for kernel-team meeting on 2026-03-18
    • replied to How is "keep two last kernels" policy implemented?
  • debian-lts-announce:
    • posted [SECURITY] [DLA 4498-1] linux security update
    • posted [SECURITY] [DLA 4499-1] linux-6.1 security update
    • posted [SECURITY] [DLA 4501-1] wireless-regdb new upstream version
  • linux-bluetooth:
    • (LTS) replied to [PATCH v3] Bluetooth: L2CAP: Fix invalid response to L2CAP_ECRED_RECONF_REQ
  • netdev:
    • (LTS) replied to [PATCH net v2] net: consume xmit errors of GSO frames
  • stable/patches:
    • (LTS) reviewed 5.10.252 and replied to various patches included in it

01 Apr 2026 3:30pm GMT

Because I am bad at giving up on things, I've been running my own email server for over 20 years. Some of that time it's been a PC at the end of a DSL line, some of that time it's been a Mac Mini in a data centre, and some of that time it's been a hosted VM. Last year I decided to bring it in house, and since then I've been gradually consolidating as much of the rest of my online presence as possible on it. I mentioned this on Mastodon and a couple of people asked for more details, so here we are.

First: my ISP doesn't guarantee a static IPv4 unless I'm on a business plan and that seems like it'd cost a bunch more, so I'm doing what I described here: running a Wireguard link between a box that sits in a cupboard in my living room and the smallest OVH instance I can, with an additional IP address allocated to the VM and NATted over the VPN link. The practical outcome of this is that my home IP address is irrelevant and can change as much as it wants - my DNS points at the OVH IP, and traffic to that all ends up hitting my server.

The server itself is pretty uninteresting. It's a refurbished HP EliteDesk which idles at 10W or so, along 2TB of NVMe and 32GB of RAM that I found under a pile of laptops in my office. We're not talking rackmount Xeon levels of performance, but it's entirely adequate for everything I'm doing here.

So. Let's talk about the services I'm hosting.

Web

This one's trivial. I'm not really hosting much of a website right now, but what there is is served via Apache with a Let's Encrypt certificate. Nothing interesting at all here, other than the proxying that's going to be relevant later.

Email

Inbound email is easy enough. I'm running Postfix with a pretty stock configuration, and my MX records point at me. The same Let's Encrypt certificate is there for TLS delivery. I'm using Dovecot as an IMAP server (again with the same cert). You can find plenty of guides on setting this up.

Outbound email? That's harder. I'm on a residential IP address, so if I send email directly nobody's going to deliver it. Going via my OVH address isn't going to be a lot better. I have a Google Workspace, so in the end I just made use of Google's SMTP relay service. There's various commerical alternatives available, I just chose this one because it didn't cost me anything more than I'm already paying.

Blog

My blog is largely static content generated by Hugo. Comments are Remark42 running in a Docker container. If you don't want to handle even that level of dynamic content you can use a third party comment provider like Disqus.

Mastodon

I'm deploying Mastodon pretty much along the lines of the upstream compose file. Apache is proxying /api/v1/streaming to the websocket provided by the streaming container and / to the actual Mastodon service. The only thing I tripped over for a while was the need to set the "X-Forwarded-Proto" header since otherwise you get stuck in a redirect loop of Mastodon receiving a request over http (because TLS termination is being done by the Apache proxy) and redirecting to https, except that's where we just came from.

Mastodon is easily the heaviest part of all of this, using around 5GB of RAM and 60GB of disk for an instance with 3 users. This is more a point of principle than an especially good idea.

Bluesky

I'm arguably cheating here. Bluesky's federation model is quite different to Mastodon - while running a Mastodon service implies running the webview and other infrastructure associated with it, Bluesky has split that into multiple parts. User data is stored on Personal Data Servers, then aggregated from those by Relays, and then displayed on Appviews. Third parties can run any of these, but a user's actual posts are stored on a PDS. There are various reasons to run the others, for instance to implement alternative moderation policies, but if all you want is to ensure that you have control over your data, running a PDS is sufficient. I followed these instructions, other than using Apache as the frontend proxy rather than nginx, and it's all been working fine since then. In terms of ensuring that my data remains under my control, it's sufficient.

Backups

I'm using borgmatic, backing up to a local Synology NAS and also to my parents' home (where I have another HP EliteDesk set up with an equivalent OVH IPv4 fronting setup). At some point I'll check that I'm actually able to restore them.

Conclusion

Most of what I post is now stored on a system that's happily living under a TV, but is available to the rest of the world just as visibly as if I used a hosted provider. Is this necessary? No. Does it improve my life? In no practical way. Does it generate additional complexity? Absolutely. Should you do it? Oh good heavens no. But you can, and once it's working it largely just keeps working, and there's a certain sense of comfort in knowing that my online presence is carefully contained in a small box making a gentle whirring noise.

01 Apr 2026 2:35am GMT