The release of the next version of SecureDrop, 1.5.0, is scheduled for July 28, 2020. We will send out another notification through this blog, Twitter, and the support portal when the release is live. Changes that journalists and administrators should be aware of are summarized in this blog post. A complete list of changes can be found on GitHub.

What’s coming in SecureDrop 1.5.0?

For all users

• Security: Due to security and anonymity improvements in v3 of the onion services protocol, support for v2 onion services will be removed from SecureDrop in February 2021. Instances that make use of v2 onion services will now see a deprecation warning in the Journalist Interface and in securedrop-admin commands.
  
  We encourage SecureDrop instances using v2 to migrate to v3 at the earliest opportunity. More information on the v2 to v3 onion services migration process can be found here. (Issues: 1, 2, Pull requests: 1, 2)

For journalists

• Usability: Some words with potentially offensive or distracting meanings have been removed from the dictionary that is used to generate source names in the Journalist Interface. (Issue, Pull request)
• Usability: An explanation of the effect of deleting sources has been added to the confirmation dialogue in the Journalist Interface. (Issue, Pull request)

For administrators

• Kernel update: This release will include an update from version 4.14.175 to 4.14.188 of the grsecurity-patched kernel. (Issue, Pull request)
• User management: On the Journalist Interface, the username “deleted” is disallowed, as this keyword is reserved by the software. (Issues: 1, 2, Pull requests: 1, 2)
• OSSEC improvement: Temporary files staged for secure deletion will no longer trigger OSSEC syscheck alerts. (Pull request)
• Dependency update: The following dependency on the SecureDrop servers will be updated:
  • Tor from version 0.4.3.5 to version 0.4.3.6 (Issue, Pull request, Upstream changelog)

For developers

• Journalist API:
  • The get_all_submissions API endpoint will no longer return submissions from sources who have been deleted from the database. (Issue, Pull request)
  • The get_all_replies API endpoint will no longer return replies if the corresponding source has been deleted from the database. (Issue, Pull request)

What administrators will need to do

SecureDrop Application and Monitor Servers will be updated to SecureDrop 1.5.0 automatically within 24 hours of the release. As with previous releases, we will provide instructions for performing the workstation updates at the time of the release.

This release will include a kernel update. While we have tested the updated kernel extensively on supported hardware, it is possible that it will cause problems on your servers after the update. At the time of the release, we will provide instructions for troubleshooting kernel issues and temporarily downgrading to a previous version.

This release also includes deprecation warnings for v2 onion services. Support for v2 onion services will be removed from SecureDrop in February 2021. If your instance is using v2 onion services, you will need to migrate to v3 onion services, which offer significant security and anonymity improvements, and publicize your new Source Interface onion URL. Please see our migration documentation or contact us for support.

Questions and comments

If you have questions or comments regarding this release, please contact us:

• Via our Support Portal, if you are a member (membership is available to SecureDrop administrators on request);
• Via securedrop@freedom.press (GPG encrypted) for sensitive security issues (please use judiciously);
• Via our community forums.

We also encourage you to file non-sensitive issues you encounter in our GitHub repository (issue report form).

Thank you for using SecureDrop!