We’re pleased to announce that SecureDrop 2.0.0 has been released. Changes that journalists and administrators should be aware of are summarized in this blog post. A complete list of changes can be found on GitHub.

Important: All Tails Workstations should run the SecureDrop graphical updater before June 29, 2021, to ensure that they retrieve the new SecureDrop Release Signing Key before the old key expires. An additional step will also be required to update Tails OS. See our upgrade guide for further information.

What’s new in SecureDrop 2.0.0?

For all users

• Onion services: Support for v2 services has been fully removed (Issue, Pull request)
• Bugfix: Fixed issue where some user interface messages were displayed in English, even when another language was set (Issue, Pull request)

For journalists and administrators

• Journalist Interface: The “flag-for-reply” workflow is no longer necessary and has been removed (Issue, Pull request)
• UX: Performance improvements when loading logo images and unseen submissions (Pull request 1, Pull request 2)
• Behavior change: securedrop-admin commands will now fail if your workstations are still on the Tails 3.x series. Please make sure to update to the Tails 4.x series at the earliest opportunity. (Pull request)
• Bugfix: Errors in the logic for validating the Tails environment have been corrected (Issue, Pull request 1, Pull request 2)
• Bugfix: The check for submissions on the Application Server has been updated to run only once per day. (Issue, Pull request)
• Bugfix: The securedrop-admin updater now includes the UID for our new signing key, which will be used to sign future SecureDrop releases (Issue, Pull request)
• Dependencies: The following dependencies have been updated:
  • Tor from version 0.4.5.7 to 0.4.5.8 (Issue, Pull request, Upstream)

For developers

• API: The source_v2_url field has been removed from the metadata endpoint on the Source Interface (Issue, Pull request)
• Operating system: All Xenial support has been dropped and Xenial-specific code has been removed from the codebase (Issue, Pull request)
• API: The endpoint /sources/<source_uuid>/conversation has been added to delete a conversation without deleting the associated source (Issue, Pull request)
• Bugfix: A translation tooling script has been removed from the securedrop-app-code package (Issue, Pull request)
• Development environment: VirtualBox VM support has been removed (Issue, Pull request)
• Development environment: Upgrade testing on Focal has been improved, and now uses Molecule instead of Vagrant to provision production VMs (Issue 1, Issue 2, Issue 3, Pull Request)
• Dependencies: The following dependencies have been updated:
  • py from 1.9.0 to 1.10.0 (Pull request)
  • ansible from 2.9.7 to 2.9.21 (Pull request)
  • pip from 19.3.1 to 21.1.1 (Pull request)
  • pip-tools from 4.5.1 to 6.1.0 (Pull request)
  • setuptools from 46.0.0 to 56.0.0 (Pull request)
  • setuptools-scm from 5.0.2 to 6.0.1 (Pull request)
  • pillow from 8.1.1 to 8.2.0 (Pull request)
  • babel from 2.5.1 to 2.9.1 (Pull request)
  • cryptography from 3.2.1 to 3.4.7 (Pull request)

What administrators will need to do

Please run the SecureDrop graphical updater on all Tails Workstations (Admin and Journalist Workstations) before June 29, 2021, to ensure a smooth transition to the new SecureDrop Release Signing Key. Tails Workstations running TailsOS 4.18 or earlier will also require an additional step to ensure that they can receive operating system upgrades. Further details can be found in our upgrade guide.

SecureDrop Application and Monitor Servers will be updated to SecureDrop 2.0.0 automatically within 24 hours of the release.

Only SecureDrop instances running Ubuntu 20.04 will receive this update. If your SecureDrop has not yet migrated to Ubuntu 20.04, your Source Interface has been disabled for security reasons. If you wish to resume using SecureDrop, please contact us on the Support Portal.

Acknowledgments

This release was made possible thanks to volunteer code and documentation contributions by Damiano Venturin, DrGFreeMan, Gonzalo Bulnes Guilpain and Prateek Jain.

The translations for all supported languages were updated thanks to the work of many volunteers:

• Arabic: Ahmed Essam, Layla Taha, mohamad karkoura
• Catalan: Benet (BennyBeat) R. i Camps, Joan Montané
• Czech: Honza Cibulka, michaela-bot
• German: Ettore Atalan, kwadronaut
• Greek: Dimitris Maroulidis
• Spanish: Gonzalo Bulnes Guilpain, Zuhualime Akoochimoya
• French: AO Localization Lab, Gonzalo Bulnes Guilpain
• Hindi: Chandan Kumar (raukadah), Kushal Das
• Icelandic: Oktavia, Sveinn í Felli
• Italian: Claudio Arseni
• Norwegian: kwadronaut, Øyvind Bye Skille
• Dutch: kwadronaut
• Portuguese (Brasil): sobeitnow0
• Romanian: robbpa
• Russian: Andrey
• Slovak: 1000101
• Swedish: Jonas Waga
• Turkish: Volkanzh_Hans
• Chinese (Simplified): ff98sha
• Chinese (Traditional): Chi-Hsun Tsai

Thanks to Erin McConnell and the Localization Lab for supporting this effort.

This release incorporates Freedom of the Press Foundation contributions by: Allie Crevier, Kushal Das (deputy release manager), Mickael E., John Hensley (localization manager), Erik Moeller, Kevin O’Gorman (release manager), Rowen S. (communications manager), and Conor Schaefer. It incorporates contributions by Cory Myers, whose work is supported by Internews.

Questions and comments

If you have questions or comments regarding this release, please contact us:

• Via our Support Portal, if you are a member (membership is available to SecureDrop administrators on request);
• Via securedrop@freedom.press (GPG encrypted) for sensitive security issues (please use judiciously);
• Via our community forums.

We also encourage you to file non-sensitive issues you encounter in our GitHub repository (issue report form).

Thank you for using SecureDrop!