The release of the next version of SecureDrop, 2.0.0, is scheduled for June 22, 2021. We will send out another notification through this blog, Twitter, Mastodon, and the support portal when the release is live. Changes that journalists and administrators should be aware of are summarized in this blog post. A complete list of changes can be found on GitHub.

What’s coming in SecureDrop 2.0.0?

For all users

• Onion services: Support for v2 services has been fully removed (Issue, Pull request)
• Bugfix: Fixed issue where some user interface messages were displayed in English, even when another language was set (Issue, Pull request)

For journalists and administrators

• Journalist Interface: The “flag-for-reply” workflow is no longer necessary and has been removed (Issue, Pull request)
• UX: Performance improvements when loading logo images and unseen submissions (Pull request 1, Pull request 2)
• Behavior change: securedrop-admin commands will now fail if your workstations are still on the Tails 3.x series. Please make sure to update to the Tails 4.x series at the earliest opportunity. (Pull request)
• Bugfix: Errors in the logic for validating the Tails environment have been corrected (Issue, Pull request 1, Pull request 2)
• Bugfix: The check for submissions on the Application Server has been updated to run only once per day. (Issue, Pull request)

For developers

• API: The source_v2_url field has been removed from the metadata endpoint on the Source Interface (Issue, Pull request)
• Operating system: All Xenial support has been dropped and Xenial-specific code has been removed from the codebase (Issue, Pull request)
• API: The endpoint /sources/<source_uuid>/conversation has been added to delete a conversation without deleting the associated source (Issue, Pull request)
• Bugfix: A translation tooling script has been removed from the securedrop-app-code package (Issue, Pull request)
• Development environment: VirtualBox VM support has been removed (Issue, Pull request)
• Development environment: Upgrade testing on Focal has been improved, and now uses Molecule instead of Vagrant to provision production VMs (Issue 1, Issue 2, Issue 3, Pull Request)
• Dependencies: The following dependencies have been updated:
  • Tor from version 0.4.5.7 to 0.4.5.8 (Issue, Pull request, Upstream)
  • py from 1.9.0 to 1.10.0 (Pull request)
  • ansible from 2.9.7 to 2.9.21 (Pull request)
  • pip from 19.3.1 to 21.1.1 (Pull request)
  • pip-tools from 4.5.1 to 6.1.0 (Pull request)
  • setuptools from 46.0.0 to 56.0.0 (Pull request)
  • setuptools-scm from 5.0.2 to 6.0.1 (Pull request)
  • pillow from 8.1.1 to 8.2.0 (Pull request)
  • babel from 2.5.1 to 2.9.1 (Pull request)
  • cryptography from 3.2.1 to 3.4.7 (Pull request)

What administrators will need to do

SecureDrop Application and Monitor Servers will be updated to SecureDrop 2.0.0 automatically within 24 hours of the release. As with previous releases, we will provide instructions for performing the workstation updates at the time of the release.

Important: Only SecureDrop instances running Ubuntu 20.04 will receive this update. If your SecureDrop has not yet migrated to Ubuntu 20.04, your Source Interface has been disabled for security reasons. If you wish to resume using SecureDrop, please contact us on the Support Portal.

Questions and comments

If you have questions or comments regarding this release, please contact us:

• Via our Support Portal, if you are a member (membership is available to SecureDrop administrators on request);
• Via securedrop@freedom.press (GPG encrypted) for sensitive security issues (please use judiciously);
• Via our community forums.

We also encourage you to file non-sensitive issues you encounter in our GitHub repository (issue report form).

Thank you for using SecureDrop!