Feuerfest

gethomepage.dev: https://gethomepage.dev/assets/homepage_demo_clip.webp

homepage (GitHub) - the dashboard I use to keep an overview of all the services I run in my LAN released their 1.0 version yesterday on March 14th 2025.

With that they introduced a new parameter to limit which hosts can show the dashboard. I haven't yet read about why this was introduced, but it's fixed quickly.

As Watchtower does all the maintenance work for the containers running on my installation of Portainer I was already greeted with the following error message:

In the logfile for the container running homepage I saw the following error:

[2025-03-15T16:54:13.497Z] error: Host validation failed for: portainer.lan:3000. Hint: Set the HOMEPAGE_ALLOWED_HOSTS environment variable to allow requests from this host / port.

As I don't use a separate IP or hostname for the dashboard and just forward the port 3000/tcp towards the homepage-container I access it using the hostname of my Portainer host. Therefore this message makes sense.

Luckily the documentation for the newly required environment variable is already on their homepage: https://gethomepage.dev/installation/#homepage_allowed_hosts

Armed with this knowledge we can change the stack file (Portainers term for a docker-compose file - not to be confused with the docker swarm command docker stack) and introduce the HOMEPAGE_ALLOWED_HOSTS parameter. I added the IP-address too, in case the DNS servers in my LAN should stop working.

services:
  homepage:
    image: ghcr.io/gethomepage/homepage:latest
    container_name: homepage
    ports:
      - 3000:3000
    environment:
      HOMEPAGE_ALLOWED_HOSTS: 192.168.178.21:3000,portainer.lan:3000
    volumes:
      - /opt/docker/homepage.dev/config:/app/config # Make sure your local config directory exists
      - /var/run/docker.sock:/var/run/docker.sock # (optional) For docker integrations
      - /opt/docker/homepage.dev/icons:/app/public/icons # icons, reference as /icons/picture.png in YAML

After that just hit the "Update the stack" button and it's working again.

Photo by Jonathan Cooper: https://www.pexels.com/photo/animals-head-on-exhibition-9660890/

For years Mastodon had one prominent missing feature. You wouldn't see all replies to a toot (that's the term for "Tweet" in the Mastodon world) because of the federated nature of Mastodon. There were exceptions, but in general it means that you have to open the post on the Mastodon instance it originated from. Only then you would be able to read all comments.

Naturally this feature was sought after for years. One GitHub issue was opened in 2018 (Mastodon #9409: Fetch whole conversation threads).

Now it seems the biggest technical part has been resolved! In Mastodon #32615: Add Fetch All Replies Part 1: Backend user sneaker-the-rat did all the basic work to incorporate that functionality into the backend of Mastodon. And while he mentions that there is still work to do the Mastodon community so far seems happy that this issue is finally getting fixed providing a much smoother experience for everyone.

Photo by Tima Miroshnichenko: https://www.pexels.com/photo/a-computer-monitor-5380589/

Algorithm: Yo, look here! On the start page! A recommendation for a movie/video/song/article from a genre you've never watched/listened to/read! But it's one of our own productions!

Algorithm: Or content you've already consumed 4 weeks ago. You surely like to re-consume it again while that memory is still fresh, right?

Algorithm: On the other hand we have content you rated with a "Like" years ago. - But we completely ignore your recent interests and likes when proposing those.

Me: Uh, where is the notice about this new piece of content, which was released today, from the series I'm watching since months and always consume each new part directly on the day of its release? Do I really have to use the search?

Algorithm: Uh.. Can I interest you in some World War documentation?

*sigh* Every. Single. Time.

Folks! Don't declare your algorithm helps users finding new interesting content, when all it does is advertising.

Dall-E

Das Problem

Bekannte erhalten an ihre GMX-Mailadresse eine Mail. Diese enthält klickbare Links. Bei einem Klick landet man jedoch nicht auf der GMX-Weiterleitungsseite und anschließend auf der Seite auf die man eigentlich aufrufen möchte.
Stattdessen bekommt man die Fehlermeldung:

Ups, hier hat sich ein Fehler eingeschlichen...
Fehler-Code: 403

Bei einer web.de Adresse ist es genau so. Gut, das ist zu erwarten, da sowohl GMX als auch web.de zur gleichen Firma gehören und die Webmailer die gleichen sind. Lediglich etwas im Aussehen angepasst.

Stellt sich raus: Man verwendet nun endlich einen Adblocker. In diesem Fall uMatrix. Und uMatrix hat u.a. das Feature sog. HTTP-Referer für andere Seiten zu verbergen.
Normalerweise enthält der Referrer die Adresse der Webseite über die ich auf eine andere Webseite gekommen bin.

Suche ich z.B. auf Google nach einem Problem und klicke auf eine der Webseiten in den Ergebnissen, dann wird der Referrer an die aufrufende Webseite übermittelt. Somit kann man auswerten von wo ein Besucher auf die Webseite kam und wonach er gesucht hat. Durchaus relevante Informationen für viele Webseitenbetreiber. Aber natürlich unter Umständen ein Verlust an Privatsphäre für den Benutzer.

Daher ersetzt uMatrix den Referrer durch einen anderen Wert. Dies ist hier beschrieben: https://github.com/gorhill/uMatrix/wiki/Per-scope-switches#spoof-referer-header

Allerdings basiert die web.de/GMX Weiterleitung der Links auf dem HTTP-Referer. Da uMatrix diese Daten aber ersetzt, weiß die Weiterleitung nicht wohin sie weiterleiten soll und man erhält den Fehler 403 (welcher vermutlich für HTTP-403 Forbidden steht).

Die Lösung des Problems

Die Option das der Referer ersetzt wird nennt sich "Referrer verschleiern" und findet sich im Menü von uMatrix. Dies ist über die 3 Punkte zu erreichen.

Konkret müssen wir bei web.de dies für die Domains navigator.web.de & deref-web.de deaktivieren.
Bei GMX analog für die Domain der Weboberfläche und von deref-gmx.de.

Zuerst öffnen wir die Übersicht von uMatrix indem wir auf das Symbol von uMatrix klicken (üblicherweise rechts neben der Adresszeile).

Schritt 1: Wir ändern den Bereich auf navigator.web.de so das die Änderungen exakt nur für diese Domain gilt. Als Standard ist hier web.de ausgewählt, das wollen wir aber nicht. Also sicherstellen dass das komplette Feld blau hervorgehoben ist.

Schritt 2: Wir klicken auf das 3 Punkte Menü

Schritt 3: Wir deaktivieren die "Referrer verschleiern" Option, so das diese, wie im Bild, ausgegraut ist.

Schritt 4: Anschließend auf das nun blau hervorgehobene Schloß-Symbol klicken um die Änderungen zu speichern.

Nun müssen wir dies noch einmal exakt genau so für die Domain deref-web.de bzw. deref-gmx.de durchführen. Hierzu genügt es einfach auf einen Link in einer Mail zu klicken, so das sich die Seite mit der Fehlermeldung öffnet.

Schritt 1: Wir belassen den Bereich auf deref-web.de bzw. deref-gmx.de. Da wir hier keine Subdomain haben, ist dies bereits korrekt ausgewählt.

Schritt 2: Wir klicken auf das 3 Punkte Menü

Schritt 3: Wir deaktivieren die "Referrer verschleiern" Option, so das diese, wie im Bild, ausgegraut ist.

Schritt 4: Anschließend auf das nun blau hervorgehobene Schloß-Symbol klicken um die Änderungen zu speichern.

Nun am besten zur Sicherheit einmal den Browser komplett beenden, mindestens aber den Tab mit der web.de/GMX Weboberfläche neu laden.

Klickt man dann auf einen Link sollte der gewohnte Weiterleitungshinweis erscheinen und man nach wenigen Sekunden auf der eigentlichen Seite sein.

Photo by cottonbro studio: https://www.pexels.com/photo/people-toasting-wine-glasses-3171837/

This is an update to my previous blogpost Puppet goes enshittyfication (Updated).

I the meantime the fork has happened. It's called OpenVox (https://github.com/openvoxproject) in reference to VoxPupuli - the name of community of module maintainer, authors and various other contributors around Puppet. But as we all now know, the community is dead. At least for Perforce. Well... As long as they can't get any real money out of it anyways..

The most non-surprising part? As of now there are no officially maintained container images for Puppet anymore.

Martin Alfke's betadots GmbH took over the maintenance of the puppetserver and puppetdb container images. As Puppet by Perforce did abandon them years ago. Now with the fork happening and Puppet effectively being a closed-source software product - and depending on how it develops - little to absolutely no support from Perforce, it simply makes no sense for the betadots GmbH anymore to do the free work for Puppet by Perforce. And they did so effective immediately. Understandably.

Hence they will be maintaining the openvoxserver & openvoxdb container images.

They announced this in a post on their betadots dev.to blog, in german but translation should work well. Read it here: https://dev.to/betadots/das-neue-puppet-open-source-projekt-heisst-openvox-2330

A questionable decision...

This means that in 2025 there are no container images for Puppet with official vendor support.

And as much as I like how this shows the power of a strong open source community...

I can't find a phrase strongly worded enough to describe this utter strategic mismanagement, so just look at this picture instead:

Photo by Photo By: Kaboompics.com: https://www.pexels.com/photo/a-short-haired-woman-holding-a-pair-of-eyeglasses-4491435/

Photo by Kyle Roxas: https://www.pexels.com/photo/crackers-cheese-and-fruits-2122278/

I use LineageOS on my OnePlus 8T. Sadly I still run it with Android 11 and LineageOS 18.1. Which is quite old in 2025. My plans to update the firmware and ROM got postponed again as non-surprisingly: I need my phone.

However one of the new year resolutions I choose is to finally update my mobile so I'm not lacking behind on Android security updates for several years. *ahem*

To de-google or to not de-google?

Along with this a long-standing idea surfaced again: I want to remove as many Google services as possible without having to give up needed tools/services.

Therefore, the first question regarding updating my mobile is: Do I still want to keep using the Google Apps? Or do I want to use another suite of alternative GApps that enhance privacy at the cost of some features? Or do I want to get rid of Google's apps altogether?

Depending on the choice, I can only use some (or all) Google Apps.

The rule of thumb is: The more functionality you need, the more you are paying with your data. The less privacy you have.

On a normal Android phone, the Google apps (YouTube, Maps, Wallet, etc.) are almost always pre-installed. Contrary custom ROMs often can't pre-install these, as a) Google doesn't allow this, and b) nowadays ROM developers know that users choose an alternative ROM to gain more control over their digital life and therefore explicitly want to disable some (or all) features related to Google's services and apps.

Alternative Google apps packages: The agony of choice

For this, several Google Apps packages exist. All vary in features and what they try to accomplish.

The big three in this field are:

• MindTheGapps
• MicroG
• OpenGApps

MindTheGapps

Currently I am running LineageOS with MindTheGapps. Which is their current standard (LineageOS Wiki). MindTheGapps uses the proprietary Google services/packages. It just servers as an installer for the official Google packages. This means you can use the Google Play store, Google Maps, every method of authentication with Google Firebase (more relevant than you might think), and the SafetyNet (here is a good site with a presentation, whitepaper & lectures about SafetyNet - also known as DroidGuard) feature on which banking apps often rely. Among all other Google services.

The downside? Google happily leeching as much data from you as they do.
But helpful if you just want a custom ROM and no hassle with non-working apps.

MicroG

A viable alternative is MicroG. MicroG is, to quote the project itself, "A free-as-in-freedom re-implementation of Google’s proprietary Android user space apps and libraries." This means MicroG is a redevelopment to match the functionality while keeping privacy-harming features out. This also means that privacy-focused ROMs like CalyxOS include them and allow users to choose if they want to activate them.

There is an overview about the implementation status of each feature in the MicroG apps: https://github.com/microg/GmsCore/wiki/Implementation-Status. And it also serves as a good example: In MicroG, two Firebase authentication methods are currently not supported. This means if an app you use only uses these two methods, you won't be able to sign in. It's generally advisable to check your important apps if they work with MicroG or not.

The neat thing is that MicroG uses signature spoofing to present itself as the Google apps. Additionally, the long-standing issue with allowing signature spoofing in LineageOS has been fixed recently. This means that if MicroG is installed via F-Droid and the app package is signed with the signature from the MicroG development team, LineageOS allows MicroG to spoof the signatures. Which eliminates many long-standing issues.

The neat thing is: This allows us to simply install MicroG via F-Droid and be done with it. No more incorporating the MicroG image during the flash process.

Information about their F-Droid repository can be found here: https://microg.org/fdroid.html

Please, only install MicroG from their own repository. Don't install it from the PlayStore or other GitHub repositories. It's common to find Malware posing as the official MicroG package. One such example is documented in this Reddit-Thread: https://www.reddit.com/r/MicroG/comments/1icxc8h/malware/

And here is an interview with the MicroG developer about how it all came to be: https://community.e.foundation/t/microg-what-you-need-to-know-a-conversation-with-its-developer-marvin-wissfeld/22700

OpenGApps

Honestly, I still did know this project from when I first flashed my phone. And it was the first project I had a looked after. But sadly it seems that development is currently very slow.

The last news post is from August 23, 2019.
Android 11 is the last supported OS version, according to their homepage.
The last update in their SourceForge repository happened on May 3rd, 2022. Stating that support for Android 11 is, for most variants, still in the testing phase. According to their GitHub issues, some support for Android 12 should be there, but I didn't dig deeper into this.

In this GitHub issue, it's stated that they currently suffer from a lack of supporters/maintainers and have problems with their build server infrastructure, etc.

Therefore, I didn't look any deeper into this. If you want: Here is a link about what package contains which features: https://github.com/opengapps/opengapps/wiki/Advanced-Features-and-Options

Google Play store alternatives

Now that we have decided which package we want to use, we probably want to quit using the Google Play Store. After all, the more Google apps we replace, the less we are dependent on their services running on our phone.

Luckily, there are two app store alternatives that solve all our problems together.

F-Droid

F-Droid is the most commonly used alternative app store. It focuses on OpenSource software, rebuilding the .apk packages from the official repositories. Undesired features such as tracking, ads, or proprietary code are listed on the apps' site. However, due to hosting all files themselves and having a focus on privacy and OpenSource they have their own inclusion policy, which apps need to fulfill in order to be added to F-Droid. Hence, many commercial apps simply can't be added as they either directly use Google's Play services or other proprietary software to build their app. Or the company simply doesn't agree to being hosted on F-Droid.

This has the direct result that many popular apps will & can never be available on F-Droid. Which leads us to...

Aurora OSS

Aurora OSS is another Google Play store alternative. One that is even usable with and without Google services or even MicroG. As Aurora is directly accessing the Google Play store you can download all apps, even the ones you paid for - as long as you log in with your Google account.

For the rest. I recommend reading their project description: https://gitlab.com/AuroraOSS/AuroraStore. The "nicer" looking URL is https://auroraoss.com/; however, this is just to forward you to their GitLab project.

There is however a report that a freshly created Google account that solely used Aurora got deleted after just two hours: https://www.reddit.com/r/degoogle/comments/13td3iq/google_account_deleted_after_2_hours_of_aurora/ and https://news.ycombinator.com/item?id=36098970

But then again, this was the only big reporting on that matter. So I can't really tell what will happen to accounts which are also used for YouTube. Or that have paid apps in the Play store connected to their account.

This discussion on Reddit provides a little bit of insight as to why this could happen to an account.

Conclusion

Aurora combined with F-Droid means we have a solution to get any and all apps we need.

And even if you plan on flashing your Android device or not. Both app stores can be used on any phone. Allowing you to test them out prior to making any fundamental changes to your phone.

Side note: Vanishing developers

While doing my research for this article, I spent some time in the XDA developers forum, on GitHub, GitLab instances, and even SourceForge. And I noticed a constantly reoccurring pattern: many of the developers simply stopped being present in the last few years. No new posts in the XDA Developers forum. No activity on GitHub, etc.

Now it's not uncommon for OpenSource projects to lose contributors or even main project developers. After all, people do have a job, a family, a life. And somehow they need to earn money. Nothing surprising about that.

But I additionally noticed that many seem to be male and of Russian nationality. Given the fact that the Russian attack on Ukraine started in February 2022 and many developers went silent in the last 2-3 years, I have a bad feeling that many of them were conscripted into the Russian army.

Let's just hope that I am wrong...