We are pleased to announce that SecureDrop 1.6.0 has been released. Changes that journalists and administrators should be aware of are summarized in this blog post. A complete list of changes can be found on GitHub.

Security reminder: If your SecureDrop instance is still using 16-character v2 onion urls, you should migrate to v3 onion services at the earliest opportunity, and contact us via the Support Portal if you require assistance doing so. Due to security and anonymity improvements in v3 of the onion services protocol, support for v2 onion services will be removed from SecureDrop in February 2021.

What’s new in SecureDrop 1.6.0?

For all users

• Usability: Application and dependency names have been accurately capitalized to improve readability (Pull Request 1, Pull Request 2)
• Bugfix: An issue preventing sources from submitting documents or messages when reply files were unavailable has been fixed. (Issue, Pull Request)

For administrators

• Bugfix: Improved error-handling has been implemented in the Journalist interface in cases where files have been manually deleted (Issue 1, Issue 2, Pull Request)
• Dependency updates: The following dependencies on the SecureDrop servers have also been updated:
  • Tor from version 0.4.3.6 to 0.4.4.5 (Issue, Pull Request, Upstream changelog)
  • cffi from 1.11.5 to 1.14.2 and argon_cffi from 18.1.0 to 20.1.0 (Issue, Pull Request)

For developers

• Journalist API:
  • A /users endpoint has now been added to enumerate all Journalist Interface accounts. (Issue, Pull Request)
  • Support for “seen/unseen” messages, files, and replies has been added to SecureDrop in order to support functionality in SecureDrop Workstation. A submission is considered “seen” if it has been downloaded by any journalist. (Issue, Pull Request).
• Dependency updates: The following development dependencies have been updated:
  • urllib from 1.25.8 to 1.25.10 (Pull Request)
  • pip from 19.1 to 19.3.1 and pip-tools from 4.0.0 to 4.5.1 (Pull Request)

For translators

• Usability: Support for screenshots in Weblate has been added to provide visual context to translators. (Issue, Pull Request)

What administrators will need to do

SecureDrop Application and Monitor Servers will be updated to SecureDrop 1.6.0 automatically within 24 hours.

As with previous releases, we recommend that you update your Tails workstations to the latest version of Tails and the latest version of SecureDrop. Please see our upgrade guide for instructions.

As well, instances still using a 16-character v2 onion URL will need to plan a migration to v3 onion services, which offer significant security and anonymity improvements. Support for v2 onion services will be removed from SecureDrop in February 2021, and we encourage you to migrate well in advance of this deadline. The migration process can be completed in about an hour, after which you will have a new Source Interface onion URL that you will need to publicize on your landing page. Please see our migration documentation or contact us for support.

Acknowledgments

This release was made possible thanks to volunteer code and documentation contributions by Alban Diquet, Gonzalo Bulnes Guilpain, Joan Edwards, and Prateek Jain.

The translations for all supported languages were updated thanks to the work of many volunteers:

• Arabic: Thalia Rahme
• Catalan: Benet (BennyBeat) R. i Camps, Joan Montané
• Chinese (simplified): ff98sha
• Chinese (traditional): Chi-Hsun Tsai
• Croatian: Igor K
• Czech: Honza Cibulka, michaela-bot
• Dutch: Thom
• French: AO Localization Lab
• German: Ettore Atalan, Robin Schubert
• Greek: Adrian, Dimitris Maroulidis
• Hindi: Drashti
• Italian: Claudio Arseni
• Icelandic: Oktavia, Sveinn í Felli
• Norwegian Bokmål: Øyvind Bye Skille
• Portuguese (Brasil): communiaa, sobeitnow0, yyyyyyyan
• Spanish: Fernando Ramos Orihuela, Gonzalo Bulnes Guilpain, Zuhualime Akoochimoya, Pablo Di Noto
• Swedish: Jonas Waga
• Turkish: tekrei
• Russian: Adham Kurbanov, Andrey
• Romanian: Jobava, robbpa

Thanks to Erin McConnell and the Localization Lab for supporting this effort.

This release incorporates Freedom of the Press Foundation contributions by Allie Crevier, Kushal Das (localization manager), Mickael E. (release manager), John Hensley, Erik Moeller, Kevin O’Gorman (deputy release manager), Rowen S. (communications manager), and Conor Schaefer (deputy localization manager).

Questions and comments

If you have questions or comments regarding this release, please contact us:

• Via our Support Portal, if you are a member (membership is available to SecureDrop administrators on request);
• Via securedrop@freedom.press (GPG encrypted) for sensitive security issues (please use judiciously);
• Via our community forums.

We also encourage you to file non-sensitive issues you encounter in our GitHub repository (issue report form).

Thank you for using SecureDrop!