We are pleased to announce that SecureDrop 1.7.0 has been released. Changes that journalists and administrators should be aware of are summarized in this blog post. A complete list of changes can be found on GitHub.
For all users
- New language: SecureDrop is now available in Simplified Chinese. Administrators can enable it and other supported languages by following our documentation. (Issue, Pull Request)
- Bugfix: You should no longer see a reminder to use Tor Browser when accessing the Source Interface via Tor Browser on a Mac. (Issue, Pull Request)
- UI change: Because it is a shared key, the Source Interface no longer refers to the organization’s Submission Public Key as a “Journalist Key”. (Issue, Pull Request)
- Bugfix: The software now displays more informative error messages in cases when it encounters a low-level problem (e.g., a file is missing on disk). (Issue 1, Issue 2, Pull Request 1, Pull Request 2)
- UI change: Icons in the Journalist Interface now display correctly when the Tor Browser security slider is set to “Safest”, and some icons have been replaced with new, clearer ones. (Issue 1, Issue 2, Pull Request)
- v2 onion services: SecureDrop 1.7.x is the final release series to support installing SecureDrop with v2 onion services enabled. (Support for v2 onion services will be completely removed after April 30, 2021.) If your SecureDrop instance is still using 16-character v2 onion URLs, you should migrate to v3 onion services at the earliest opportunity, and contact us via the Support Portal if you require assistance doing so.
This release will display a more prominent warning in the Journalist Interface if v2 onion services are still enabled. (Issue, Pull Request). Administrators will also receive daily level 12 OSSEC alerts while v2 onion services are enabled. (Issue, Pull Request)
- Getting ready for Ubuntu 20.04: The SecureDrop server operating system, Ubuntu 16.04, will reach end-of-life for security updates on April 30, 2021.
This release of SecureDrop does not yet fully support the Ubuntu 20.04 platform, but it includes a first set of changes towards that goal. We plan to release a version of SecureDrop with support for Ubuntu 20.04 in February, at which point we will provide detailed instructions for migrating your installation. Do not attempt to migrate before then—it will not work. (Tracking issue)
- New feature: You can now configure your organization’s name in the Admin Interface. If configured, the name will be displayed in the Source Interface and the Journalist Interface, and returned by the metadata API for your SecureDrop instance. (Issue, Pull Request, Documentation)
- Bugfix: You should now be less likely to see the error “Timeout (..) waiting for privilege escalation prompt” when running
./securedrop-admin install. (Issue, Pull Request)
- Bugfix: SSH access via v2 onion services will now be disabled as expected when you disable v2 onion services and SSH-over-Tor is enabled. (Issue, Pull Request)
- Bugfix: Resetting a journalist’s password through the Admin Interface repeatedly and in quick succession no longer causes an error. (Issue, Pull Request)
- Dependency updates:
- String improvements: Several strings can now be translated in plural variants to provide more accurate translations. (Issue, Pull Request 1, Pull Request 2)
- Bugfix: The internationalization tool now produces more accurate translator credits. (Issue, Pull Request)
What administrators need to do
SecureDrop Application and Monitor Servers will be updated to SecureDrop 1.7.0 automatically within 24 hours of the release. As with previous releases, we recommend that you update your Tails workstations to the latest version of Tails and the latest version of SecureDrop. Please see our upgrade guide for instructions.
If you have not already completed the migration to v3 onion services, we urge you to do so at the earliest opportunity. We also encourage all administrators to prepare for the migration to Ubuntu 20.04 on the Application and Monitor Servers. These migrations must be completed before April 30, 2021 to keep your SecureDrop online. Please see our advisory for details.
This release was made possible thanks to volunteer code and documentation contributions by Alban Diquet, Gonzalo Bulnes Guilpain, Joan Edwards, Julien de la Bruère-T, Michał "czesiek" Czyżewski, Sheon Han, and Vinícius Zavam.
The translations for all supported languages were updated thanks to the work of many volunteers:
- Arabic: Ahmed Essam
- Catalan: Joan Montané, John Smith
- Chinese (simplified): Chi-Hsun Tsai, ff98sha
- Chinese (traditional): Chi-Hsun Tsai, mengpangwang
- Czech: michaela-bot
- Dutch: Nick Bouwhuis, kwadronaut
- French: AO Localization Lab
- German: Ettore Atalan, kwadronaut
- Greek: Adrian, Dimitris Maroulidis
- Italian: Claudio Arseni
- Icelandic: Sveinn í Felli
- Norwegian Bokmål: Øyvind Bye Skille
- Portuguese (Brasil): communiaa
- Slovak: 1000101, Katarina Kasalova
- Spanish: Anatoli, Gonzalo Bulnes Guilpain, Zuhualime Akoochimoya
- Swedish: Jonas Waga, SwITsys
- Turkish: tekrei, Kaya Zeren, Volkan
- Romanian: robbpa
- Russian: Andrey
Thanks to Erin McConnell and the Localization Lab for supporting this effort.
This release incorporates Freedom of the Press Foundation contributions by Allie Crevier (release manager), John Hensley (localization manager), Kushal Das (deputy localization manager), Mickael E. (deputy release manager), Erik Moeller (communications manager), Kevin O’Gorman, Rowen S., and Conor Schaefer.
Questions and comments
If you have questions or comments regarding this release, please contact us:
- Via our Support Portal, if you are a member (membership is available to SecureDrop administrators on request);
- Via firstname.lastname@example.org (GPG encrypted) for sensitive security issues (please use judiciously);
- Via our community forums.
We also encourage you to file non-sensitive issues you encounter in our GitHub repository (issue report form).
Thank you for using SecureDrop!