
Advisory: Why you must manually upgrade your SecureDrop servers before April 30

March 7, 2019

SecureDrop installations set up before version 0.12.0 (released on February 26, 2019) that have not been upgraded yet are using Ubuntu 14.04 LTS (Trusty) as the server operating system. On April 30, 2019, Trusty will reach End of Life and will no longer receive security updates. If you have not done so yet, you must manually upgrade your servers to Xenial before April 30.

In most cases, this upgrade does not require a full reinstall of your servers, and the upgrade can be performed remotely via the Admin Workstation.

After April 30:

  • We will not provide support or issue software updates for SecureDrop instances running on Trusty.
  • The Source Interface on SecureDrop instances running Trusty will display a maintenance notice, and will not permit submitting messages or documents.
  • SecureDrop instances running on Trusty will be removed from the SecureDrop Directory.
  • We cannot guarantee that any component of SecureDrop will continue to function.

We urge you to schedule a maintenance window to perform the upgrade to Xenial prior to the April 30 deadline. Please see our detailed instructions for upgrading to Xenial.

What is the Ubuntu LTS cycle?

Long-Term Support releases of Ubuntu receive security updates for five years from the release date. Ubuntu 14.04 was released in April 2014 (the Ubuntu version number always reflects release year and month). Its end-of-life date is therefore April 30, 2019, five years later.

New LTS releases are issued every 2 years. As of SecureDrop 0.12.0, SecureDrop supports Ubuntu 16.04 (released in April 2016) as the new base operating system. It will reach end-of-life on April 30, 2021.

Why does this upgrade have to be performed manually?

An operating system upgrade from one LTS to the next is a major operation that impacts all software components. During an in-place upgrade, you will need to respond to interactive prompts which may vary slightly depending on the exact system configuration. If you perform a new installation from a backup, you require physical access to the hardware you intend to use.

For all of these reasons, scheduled manual maintenance is unavoidable. We understand the time constraints under which many SecureDrop administrators operate, and we’re happy to provide guidance and assistance. If you are already on our support portal, please don’t hesitate to open an issue there; if you are not, please request access by emailing us at (GPG encrypted).

How complex is this upgrade? How can we get assistance?

Upgrading to Ubuntu 16.04 is a one-time operation which, in our experience, typically takes approximately half a work day; we recommend blocking off two full work days as a contingency in case of issues specific to your configuration. If your organization does not currently have a support agreement with Freedom of the Press Foundation, but you are interested in performing this upgrade with our assistance, please reach out to us via the support portal or (GPG encrypted). Given the April 30 deadline, please contact us as soon as possible.

Update (April 2, 2019): Clarified that the source interface will be disabled on SecureDrop instances running Ubuntu 14.04 after April 30.
