We are pleased to announce the release of SecureDrop 0.14.0. Changes that sources, journalists, and administrators should be aware of are summarized in this blog post. A complete list of changes can be found on GitHub.
What’s new in SecureDrop 0.14.0?
For sources
- Bugfix: If a source’s session expires on the codename generation page, the Source Interface no longer displays a “Server Error” message. (Issue, Pull Request)
- UI change: The design of the upload button has been changed from the “cloud” icon to a more neutral design, to avoid any suggestion that files are uploaded to a cloud service. (Issue, Pull Request)
- UI change: The instructions for changing the Tor Browser safety settings now account for recent changes to the Tor Browser user interface. (Issue, Pull Request)
- Code removal: The source interface no longer includes stylesheets used by the FontAwesome icon font. These stylesheets were not in active use and therefore unnecessary. (Issue, Pull Request)
For administrators
- Kernel update: SecureDrop kernels on the servers have been updated from version 4.4.177 to version 4.4.182. This release also installs upstream Intel microcode packages, to provide further mitigations against speculative execution attacks if your servers are using Intel processors. (Issue 1, Issue 2, Pull Request)
- Default keyserver update: Due to recent attacks on keyserver infrastructure, we are now distributing the SecureDrop Release Key and the SecureDrop Communications Key via keys.openpgp.org, a new service operated by Enigmail, OpenKeychain, and Sequoia PGP. All code and documentation have been updated to this effect. (Issue, Pull Request 1, Pull Request 2)
- SecureDrop Release Key update: As part of the keyserver change, we have updated the expiration date of the SecureDrop Release Key to June 30, 2020 and added the email address
securedrop-release-key@freedom.press
for lookup purposes. The fingerprint of the key has not changed. (Pull Request) - New language: SecureDrop is now available in Catalan. You can enable it or any other supported languages by following our documentation.
- Support for full names: You can now configure a first and last name for each user with a Journalist Interface account. These names will only be visible to other Journalist Interface users. (Issue, Pull Request)
For developers
Metadata endpoint update: The publicly accessible SecureDrop metadata endpoint at yoursourceinterfaceaddress.onion/metadata now includes the list of languages enabled for your Source Interface. (Issue, Pull Request)
Journalist Interface API:
- New feature: Endpoints associated with replies and users now also return the user’s first and last name, if set (see above).
What administrators need to do
SecureDrop Application and Monitor Servers will be updated to SecureDrop 0.14.0 automatically within 24 hours of the release.
As with previous releases, we recommend that you update your Tails workstations to the latest version of Tails and the latest version of SecureDrop; please see our instructions.
Important: Due to recent attacks on GPG keyserver infrastructure, we recommend updating the SecureDrop code on your workstations manually instead of using the provided graphical updater. See the instructions for details.
Acknowledgments
This release was made possible thanks to volunteer code and documentation contributions by Drew Massey, pierwill, Saptak Sengupta, Saurabh Sharma, and Shivam Singhal.
The translations for all supported languages were updated thanks to the work of many volunteers:
- Arabic: Ahmad Gharbeia, Thalia Rahme
- Catalan: Benet (BennyBeat) R. i Camps, Joan Montané
- Chinese: Chi-Hsun Tsai
- Dutch: Pander, Thom, Yarno Ritzen, kwadronaut
- French: AO
- German: Curtis Baltimore, Robin Schubert
- Greek: Adrian, Dimitris Maroulidis, Panagiotis Tabakis
- Hindi: AbhayKaushik
- Icelandic: Oktavia, Sveinn í Felli
- Italian: Beatrice Martini, Claudio Arseni
- Norwegian: Allan Nordhøy, Øyvind Bye Skille
- Portuguese (Brazil): Caio Volpato, communiaa
- Romanian: Andrada Fiscutean
- Russian: Andrey, Maria Ovsyannikova
- Spanish: Daniel Arauz, Zuhualime Akoochimoya
- Swedish: Jonas Franzén
- Turkish: Kaya Zeren, Orhan, Volkan
Thanks to the Localization Lab for supporting this effort, and to Allan Nordhøy for cross-language cleanup. John Hensley was the Localization Manager for this release, and Kushal Das was the Deputy Localization Manager.
Questions and comments
If you have questions or comments regarding this release, please don't hesitate to reach out:
- Via our Support Portal, if you are a member (membership is available to SecureDrop administrators on request);
- Via securedrop@freedom.press (GPG encrypted) for sensitive security issues (please use judiciously);
- Via our community forums.
We also encourage you to file non-sensitive issues you encounter in our GitHub repository (issue report form).
Thank you for using SecureDrop!