PSA for Australian bitcoiners with SMSFs. The ATO published crypto audit guidance in October that says holding statements alone aren't sufficient evidence. Auditors must obtain "additional objective, supportable evidence." For exchange-held bitcoin, there's a path. For self-custody, there's nothing prescribed. If your auditor can't verify your holdings, they must qualify your audit and report you for a Reg 8.02B breach. That's not optional. ASIC took action against 28 SMSF auditors in H2 2025. The ATO is doing office visits. Reg 8.02B breaches are up to 12% of all SMSF breaches and rising. And from July, accountants become AUSTRAC reporting entities. The government isn't coming for your keys. They're coming for your paperwork. And if the paperwork problem isn't solved, the next step is forcing SMSF holdings onto exchanges or approved custodians. Don't give them the excuse. I wrote up the full picture with primary sources:

David Pinkerton

If You Hold Bitcoin in Your SMSF and Self-Custody It, Read This

This is the third post in a series about SMSF Bitcoin audit evidence. The first post covered what auditors need to verify. The second post compared...

Introducing Key Ceremony — a free, open-source tool for documenting your Bitcoin multisig wallet setup. Record who holds each key, where devices and backups are stored, and how to recover. It generates a ceremony record as a PDF, entirely in your browser. All data is encrypted client-side using WebAuthn PRF. The server never sees your data in the clear. No PRF-capable passkey? There's a printable blank template too — no account needed. https://ceremony.dpinkerton.com Full write-up on the design decisions and zero-trust architecture: https://dpinkerton.com/posts/key-ceremony-evolution/

I haven't read anyone comment on whether MJ Rathbun's PR actually had merit. Did it? Talking about the one that scottshambaugh rejected because it originated from a bot.

GitHub

[PERF] Replace np.column_stack with np.vstack().T by crabby-rathbun · Pull Request #31132 · matplotlib/matplotlib

This PR addresses issue #31130 by replacing specific safe occurrences of np.column_stack with np.vstack().T for better performance. IMPORTANT: This...

I'm astonished by how good Claude is at troubleshooting things. Here's a small example from this morning:

David Pinkerton

How Claude Code Fixed My Lightning Channel in Minutes (Not by Knowing Everything, but by Figuring It Out)

I run a Bitcoin Lightning node called WinThistle. A few days ago I noticed my channel to mineracks had gone inactive. I knew something was wrong bu...

I find it entertaining to watch how it gathers info then sets about fixing the problem. In this case, it was an intermittent connectivity issue with a lightning channel. I'd initially connected to ln.mineracks.com over clearnet, as it was operating as a hybrid node. Later, it switched to Tor only, which broke things. I prefer clearnet, but I still wanted to maintain the connection, so now my node is configured to use Tor when needed to reach peers while advertising only its clearnet address.

I had Claude transcribe sheet music from PDF to markup, then suggest ukulele chords and strumming patterns for accompaniment. It sounded pretty good! Just a bit of fun. More on the blog:

David Pinkerton

Arranging Ukulele Accompaniment for Irish Tunes in LilyPond

I’ve been learning tin whistle online through Conor Lamb’s Tin Whistle Workshops. Conor is a member of Realta and last week he led the class th...

If you'd like a few ideas on where your path in bitcoin may lie, spend 2 minutes with Henro. After 10 questions, you will be presented with curated, inspiring resources in various formats.

Henro — Find your path in freedom tech

A contemplative survey to help you find your role in freedom tech.

I offended an open source maintainer with an @-mention on my PR. I got a stern response but his points were valid. I got thinking on how AI tools are creating a new "Eternal September" for open source with more contributions, but more noise for volunteer maintainers who are already stretched thin. What if AI could help their side too? Triage, first-pass review, quality gates, etc to protect volunteer time instead of just consuming it. A few already discussing this and putting it into practice. My reflections:

David Pinkerton

The Eternal September of Open Source

I recently submitted a small PR to SeedSigner — the multisig message signing fix I wrote about in my previous post. After opening it, I tagged tw...

SeedSigner doesn't support message signing for multisig keys — it throws "Not implemented" for any m/48' derivation path. I raised this as an issue two years ago, no fix came, so I patched it myself. The change is small (21 lines) and the actual signing function already worked — it was just the path parser blocking multisig paths unnecessarily. I use message signing for key ownership and control verification in multisig SMSF custody setups via Gatekeeper (https://gatekeeper.dpinkerton.com). Coldcard handles this fine, but SeedSigner users were stuck. Blog post:

David Pinkerton

Patching SeedSigner to Support Multisig Message Signing

I run CertainKey, a service that provides ownership and control verification reports for self-managed super funds (SMSFs) holding bitcoin. Part of ...

PR:

GitHub

Support BIP48 multisig derivation paths for message signing by AusDavo · Pull Request #874 · SeedSigner/seedsigner

Summary Removes the raise Exception("Not implemented") block for m/48' paths in parse_derivation_path() Adds BIP48 path parsing: rea...

Patched image (Pi Zero):

GitHub

Release v0.8.6 + BIP48 Multisig Message Signing · AusDavo/seedsigner

What is this? This is SeedSigner v0.8.6 with a single patch to enable message signing for BIP48 multisig derivation paths (e.g. m/48'/0'/0'/2'/0/0)...

#seedsigner #bitcoin #multisig #opensource

Wrote up how my homelab proxying strategy evolved over four phases — from port forwarding with DDNS to a VPS running nothing but HAProxy for L4 passthrough. The key insight: keep the VPS dumb. SNI inspection, encrypted passthrough, nothing else. TLS termination belongs on hardware you control. Comparison table of L7-on-VPS vs L4-passthrough vs direct port forwarding, plus thoughts on Traefik for automatic Docker service discovery.

David Pinkerton

How I Evolved My Homelab Reverse Proxy Strategy (And Why L4 Passthrough Won)

Over the past few years, my approach to exposing homelab services to the internet has gone through four distinct phases. Each one solved a real pro...

#selfhosting #homelab #haproxy #caddy #traefik #reverseproxy

Most bot/notification setups use Telegram or Signal. Both require trusting someone else with your metadata. I set up SimpleX CLI in Docker with my own relay. E2E encrypted, no phone numbers, no accounts, infrastructure I control. Wrote up the setup including the gotchas (expect scripts for headless user creation, socat to work around localhost binding). Blog:

David Pinkerton

Self-Hosted SimpleX CLI in Docker: Private Notifications Without Big Tech

Most bot and notification setups rely on Telegram or Signal. Both are fine, but they require trusting third-party infrastructure with your metadata...

Repo:

GitHub

GitHub - AusDavo/simplex-cli-docker: SimpleX CLI running in Docker with WebSocket API

SimpleX CLI running in Docker with WebSocket API. Contribute to AusDavo/simplex-cli-docker development by creating an account on GitHub.

Spent an afternoon debugging why Caddy's forward_auth wasn't passing group headers from oauth2-proxy when calling it over HTTPS across networks. The fix was one line: header_up Host oauth2-proxy.example.com Without it, Caddy sends the original request's Host header, oauth2-proxy's cookie validation gets confused, and X-Auth-Request-Groups silently disappears. Wrote it up:

David Pinkerton

Caddy forward_auth to an External oauth2-proxy: The Host Header Gotcha

I run multiple Caddy instances across separate networks, all using a shared oauth2-proxy for authentication. The setup worked fine when Caddy and o...

Wanted to spin up a new VPS tonight. Prompted for password + SMS 2FA. Phone was already off. Didn't bother. Started thinking about how much simpler passkeys are and how infrastructure providers should've adopted them years ago. So I built a demo and pitched the VPS provider on adding them. WebAuthn is cleaner than passwords done properly. No secrets cross the network. Your DB only stores public keys. The main barrier is just inertia, I think. Wrote up the implementation details:

David Pinkerton

I Built a Demo to Pitch My VPS Provider on Passkeys

I wanted to spin up a VPS this evening. My provider, Binary Lane, has a password-based login with SMS 2FA. My phone was already off and across the ...

If I follow you, you now have a home relay. I rebuilt my Nostr relay as a "web of trust" model - it accepts posts from me and everyone I follow. Your content, replies to you, all stored. Add it as a backup: wss://nostr.dpinkerton.com Full writeup on what I did and why:

David Pinkerton

Building a Web of Trust Nostr Relay

How I turned a misconfigured relay into a curated community resource using a simple web of trust model. The Problem with Open Relays I’ve been ru...

#nostr #relay

Trying negative inbound fees for passive rebalancing Depleted channels: -1 sat, -300ppm inbound discount, 500ppm outbound Heavy channels: 0.25 sat, 25ppm outbound The idea: create arbitrage so routers move liquidity where I need it. Every route through me is a rebalance. Seems better than manual rebalancing since you're earning fees instead of paying them, and it only happens when there's actual demand. Using charge-lnd to auto-adjust as balances shift. LND 0.18+ required. We'll see how it goes. #lightning #bitcoin #lnd