SecureDrop 1.7.0 will be released on January 26, 2021. We will send out another notification through this blog, Twitter, Mastodon, and the support portal when the release is live. Changes that journalists and administrators should be aware of are summarized in this blog post. A complete list of changes can be found on GitHub.
What’s coming in SecureDrop 1.7.0?
For all users
- New language: SecureDrop is now available in Simplified Chinese. Administrators can enable it and other supported languages by following our documentation. (Issue, Pull Request)
For sources
- Bugfix: You will no longer see a “Session expired” message if you stay on the Source Interface homepage for more than 2 hours without ever logging in. (Issue, Pull Request)
- Bugfix: You should no longer see a reminder to use Tor Browser when accessing the Source Interface via Tor Browser on a Mac. (Issue, Pull Request)
- UI change: Because it is a shared key, the Source Interface no longer refers to the organization’s Submission Public Key as a “Journalist Key”. (Issue, Pull Request)
For journalists
- Bugfix: The software now displays more informative error messages in certain cases when it encounters a low-level problem (e.g., a file is missing on disk). (Issue 1, Issue 2, Pull Request 1, Pull Request 2)
For administrators
- v2 onion services: SecureDrop 1.7.x is the final release series to support installing SecureDrop with v2 onion services enabled. Support for v2 onion services will be completely removed after April 30, 2021. If your SecureDrop instance is still using 16-character v2 onion URLs, you should migrate to v3 onion services at the earliest opportunity, and contact us via the Support Portal if you require assistance doing so.
This release will display a more prominent warning in the Journalist Interface if v2 onion services are still enabled. (Issue, Pull Request). Administrators will also receive daily level 12 OSSEC alerts while v2 onion services are enabled. (Issue, Pull Request) - Getting ready for Ubuntu 20.04: The SecureDrop server operating system, Ubuntu 16.04, will reach end-of-life for security updates on April 30, 2021.
This release of SecureDrop does not yet fully support the Ubuntu 20.04 platform, but it includes a first set of changes towards that goal. We plan to release a version of SecureDrop with support for Ubuntu 20.04 in February, at which point we will provide detailed instructions for migrating your installation. Do not attempt to migrate before then—it will not work. (Tracking issue) - New feature: You can now configure your organization’s name in the Admin Interface. If configured, the name will be displayed in the Source Interface and the Journalist Interface, and returned by the metadata API for your SecureDrop instance. (Issue, Pull Request)
- Bugfix: You should now be less likely to see the error “Timeout (..) waiting for privilege escalation prompt” when running
./securedrop-admin install.
(Issue, Pull Request) - Bugfix: Resetting a journalist’s password through the Admin Interface repeatedly and in quick succession no longer causes an error. (Issue, Pull Request)
- Dependency updates:
- Tor from version 0.4.4.5 to 0.4.4.6 (Issue, Pull Request, Upstream changelog)
- cryptography to version 3.2.1 (Issue, Pull Request, Upstream changelog)
For translators
- String improvements: Several strings can now be translated in plural variants to provide more accurate translations. (Issue, Pull Request 1, Pull Request 2)
- Bugfix: The internationalization tool now produces more accurate translator credits. (Issue, Pull Request)
What administrators will need to do
SecureDrop Application and Monitor Servers will be updated to SecureDrop 1.7.0 automatically within 24 hours of the release. As with previous releases, we will provide instructions for performing the workstation updates at the time of the release.
Questions and comments
If you have questions or comments regarding this release, please contact us:
- Via our Support Portal, if you are a member (membership is available to SecureDrop administrators on request);
- Via securedrop@freedom.press (GPG encrypted) for sensitive security issues (please use judiciously);
- Via our community forums.
We also encourage you to file non-sensitive issues you encounter in our GitHub repository (issue report form).
Thank you for using SecureDrop!