Release Announcement

SecureDrop 0.3.6 released

June 2, 2016

Today we are announcing the release of SecureDrop 0.3.6. If you are a SecureDrop administrator, please check your instance to ensure that you are running the latest version; if not, follow the instructions below to upgrade your system.

You can easily determine your SecureDrop version by visiting either of the web interfaces and looking for the "Powered by SecureDrop x.y.z" string at the bottom of the page. If your site reports 0.3.6, you do not need to take any further action for this release.

Important: Upgrading to SecureDrop 0.3.6 requires manual intervention on the part of the SecureDrop administrator. Please follow the instructions below to upgrade your system.

Important Changes in 0.3.6

0.3.6 is an emergency release in response to the accidental expiration of the SecureDrop code signing key (fingerprint: B89A 29DB 2128 160B 8E4B  1B4C BADD E0C7 FC9F 6818). You must upgrade to 0.3.6 in order to receive future automatic updates to the SecureDrop packages.

Note that the other packages on your system (those supplied by Ubuntu and Tor) will continue to automatically upgrade and are unaffected by the expiration of the SecureDrop code signing key.

How do I upgrade?

There are detailed instructions in the SecureDrop documentation: Upgrade from 0.3.5 to 0.3.6.

Background on this release

If you examine the signed release tag for 0.3.6 in the SecureDrop git repository, you will notice that we created this release a long time ago (October 28, 2015, to be specific). When we initially released it, we were in the mindset of working one-on-one with each organization that operates a SecureDrop, so instead of publishing a blog post, we reached out to each administrator individually and provided them with documentation and support to help them upgrade their system.

In order to track the progress of SecureDrop administrators manually upgrading their systems, we decided to wait to publish the 0.3.6 deb packages on our package server until now. There are no changes to the Debian packages between 0.3.5 and 0.3.6, besides bumping the version number on the web interfaces. Now that we have released the 0.3.6 packages, we are using the corresponding version number change as a signal of properly updated SecureDrop instances. If you were confused by why your system appeared to still be running 0.3.5 even after you had upgraded to 0.3.6, this release will fix that discrepancy.

While individually contacting each SecureDrop administrator and guiding them through the manual upgrade was effective, it was also time-consuming for us. More importantly, it did not help any SecureDrop administrators who operate SecureDrop independently, without the involvement (or even knowledge!) of the Freedom of the Press Foundation. We have long considered widespread adoption of SecureDrop an important goal, and recently have been prioritizing work that encourages adoption, such as dramatically simplifying the installation process through automation, or rewriting our documentation to make it more helpful and user-friendly - so failing to provide a resource for independent administrators to keep apprised of new releases is a serious shortcoming.

To improve this situation, we will be publishing detailed notices about SecureDrop releases on this blog from now on. Stay tuned to this space (or subscribe to our RSS/Atom feed) for future SecureDrop updates and development news!
