The release of the next version of SecureDrop, 0.14.0, is scheduled for July 9, 2019. We will send out another notification through this blog, Twitter, and the support portal when the release is live. Changes that journalists and administrators should be aware of are summarized in this blog post. A complete list of changes can be found on GitHub.
What’s coming in SecureDrop 0.14.0?
For sources
- Bugfix: If a source’s session expires on the codename generation page, the Source Interface will no longer display a “Server Error” message. (Issue, Pull Request)
- UI change: The design of the upload button will be changed from the “cloud” icon to a more neutral design, to avoid any suggestion that files are uploaded to a cloud service. (Issue, Pull Request)
- UI change: The instructions for changing the Tor Browser safety settings will be updated to account for recent changes to the Tor Browser user interface. (Issue, Pull Request)
- Code removal: The source interface will no longer include stylesheets used by the FontAwesome icon font. These stylesheets were not in active use and therefore unnecessary. (Issue, Pull Request)
For administrators
- Kernel update: SecureDrop kernels on the servers will be updated from version 4.4.177 to version 4.4.182. This release will also install upstream Intel microcode packages, to provide further mitigations against speculative execution attacks if your servers are using Intel processors. (Issue 1, Issue 2, Pull Request)
- Support for full names: You will now be able to configure a first and last name for each user with a Journalist Interface account. These names will only be visible to other Journalist Interface users. (Issue, Pull Request)
For developers
- Metadata endpoint update: The publicly accessible SecureDrop metadata endpoint at yoursourceinterfaceaddress.onion/metadata will now include the list of languages enabled for your Source Interface. (Issue, Pull Request)
- Journalist Interface API:
- New feature: Endpoints associated with replies and users will now also return the user’s first and last name, if set (see above).
What administrators will need to do
SecureDrop Application and Monitor Servers will be updated to SecureDrop 0.14.0 automatically. As with previous releases, we will provide instructions for performing the workstation updates at the time of the release.
Questions and comments
If you have questions or comments regarding this release, please don't hesitate to reach out:
- Via our Support Portal, if you are a member (membership is available to SecureDrop administrators on request);
- Via securedrop@freedom.press (GPG encrypted) for sensitive security issues (please use judiciously);
- Via our community forums.
We also encourage you to file non-sensitive issues you encounter in our GitHub repository (issue report form).
Thank you for using SecureDrop!