We’re pleased to announce that SecureDrop 2.11.0 has been released. Changes that journalists and administrators should be aware of are summarized in this blog post. A complete list of changes can be found in the changelog on GitHub.
SecureDrop 2.11.0 will automatically run checks to ensure all servers are ready for migration to Ubuntu 24.04 (Noble). If issues are found, a banner will be displayed in the Journalist Interface to both admins and journalists. Administrators are encouraged to review the guide explaining how to resolve any errors, and perform any necessary steps before Jan. 31, 2025.
More information about the actual Ubuntu 24.04 (Noble) migration will be communicated in early 2025.
What’s new in SecureDrop 2.11.0?
For administrators
Ubuntu 24.04 (Noble) upgrade preparation
- Support building packages on noble (Issue, Pull Request, Pull Request, Pull Request)
- Add a noble migration check script (Issue, Pull Request, Pull Request)
- Use "sdssh" group instead of internal-only "ssh" group for access control (Pull Request, Pull Request)
- Add timed job to clean out old OSSEC diff and state files (Issue, Pull Request)
- Remove `ufw` from new and existing installs (Issue, Pull Request)
- Update Apache config templates to be distro-agnostic (Pull Request)
- Install backup script on app server via Debian package (Issue, Pull Request)
- Ensure `sources.list` is absent on noble (Pull Request)
- Overwrite `sources.list.d/ubuntu.sources` on noble (Pull Request)
- Use `Type=exec` instead of `Type=oneshot` for systemd units (Issue, Pull Request)
- Make Ansible variables distro-agnostic (Pull Request)
- Apply grsec_lock once only (Issue, Pull Request)
- Stop setting `vm.heap_stack_gap` and `net.ipv4` sysctl flags via Ansible (Issue, Pull Request)
Operations
- Regenerate Redis password on restoring from server backup (Issue)
- Replace reboot-flag cron job with a systemd timer (Pull Request)
- Remove `haveged` package, if installed (Issue, Pull Request, Pull Request)
- Don't install `apt-transport-https` transitional package (Pull Request)
- Remove unused Ansible restrict_direct_access_{app,mon} roles (Pull Request)
- Remove unused Ansible sysctl_flags_ipv6 variables (Pull Request)
- Prompt "sdadmin" for the default SSH username (Pull Request)
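Two of the items above concern systemd: switching units from `Type=oneshot` to `Type=exec`, and replacing the reboot-flag cron job with a systemd timer. The following service and timer pair is an added illustration of both, not SecureDrop's own unit files: the unit names, the file paths, the script `/usr/local/bin/check-reboot-flag`, the schedule and the hardening directives are all assumptions chosen for the example.

```ini
# Added example, not SecureDrop's own unit files; names, paths and script are assumed.
#
# /etc/systemd/system/example-reboot-flag.service
#
# Type=exec: the unit counts as started only after fork() AND execve() of the
# main process have succeeded. A missing or non-executable script therefore
# fails the start job immediately (visible in `systemctl status` and the
# journal) instead of the unit briefly showing "active" and then dying, as
# Type=simple would allow.
#
# Type=oneshot (the previous style) instead keeps the unit in "activating"
# until the process has exited and, without RemainAfterExit=yes, drops it to
# "inactive" afterwards; units ordered After= a oneshot wait for it to finish,
# whereas with Type=exec they proceed as soon as the script is running.
[Unit]
Description=Check whether a reboot is required (example)

[Service]
Type=exec
ExecStart=/usr/local/bin/check-reboot-flag
# Least-privilege sandboxing, assuming the script only reads state and
# writes nothing outside /tmp; tighten or relax to match the real job.
ProtectSystem=strict
PrivateTmp=yes
NoNewPrivileges=yes

# /etc/systemd/system/example-reboot-flag.timer
#
# Replaces a cron entry such as
#   */15 * * * * root /usr/local/bin/check-reboot-flag
# Scheduling, "last run" bookkeeping and log capture move into systemd, so
# there is no separate cron daemon or mail spool to audit.
[Unit]
Description=Run the reboot-flag check periodically (example)

[Timer]
OnBootSec=5min
OnUnitActiveSec=15min

[Install]
WantedBy=timers.target
```

Enable the pair with `systemctl enable --now example-reboot-flag.timer`; `systemctl list-timers` shows the last and next run, and `journalctl -u example-reboot-flag.service` the output of each run, which is the audit trail the cron version did not give for free.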
For journalists and administrators
- Add a banner in the Journalist Interface, in preparation for the noble migration (Pull Request)
For developers
- Use `sqlalchemy.LargeBinary` instead of deprecated `Binary` (Issue, Pull Request)
- Support noble dev environment (Issue, Pull Request)
- Publish versions of packages with debug symbols (Pull Request, Pull Request)
- Preserve screenshots from translation test CI job (Issue, Pull Request)
- Remove tests checking that no apparmor profiles are complaining (Pull Request)
- Remove test_securedrop_application_apt_dependencies test (Pull Request)
- Inspect grsec_lock as root in testinfra (Pull Request)
- Make `backport.py` more flexible for complex pull requests (Pull Request)
- Install `xz-utils` in diffoscope CI job (Pull Request)
- Run admin CI tests on bookworm (Pull Request)
- Use a single pass in ansible to install local packages (Issue, Pull Request)
- Speed up `update-python3-dependencies` using `uv` (Pull Request)
- Remove unused devops/scripts/aws-jenkins-venv.sh (Pull Request)
- Ignore safety alerts:
  - Ignore CVE-2024-8775 in `ansible-core` (Pull Request)
  - Ignore Safety 73711 in `cryptography` (Pull Request)
  - Ignore Safety 73889, 73969 in `werkzeug` (Pull Request)
- Update dependencies:
  - Update `geckodriver` from 0.33.0 to 0.35.0 (Issue, Pull Request)
  - Upgrade `tbselenium` from 0.8.1 to 0.9.0 (Pull Request, Pull Request)
  - Upgrade `paramiko` from 2.7.2 to 2.10.6 (Issue, Pull Request, Pull Request)
  - Upgrade `cargo-vet` from 0.9.0 to 0.10.0 (Pull Request)
  - Upgrade Rust toolchain from 1.78.0 to 1.81.0 (Issue, Pull Request)
  - Upgrade `sequoia-openpgp` from 1.21.1 to 1.21.2 (Pull Request)
  - Upgrade `ruff`, remove `black`, add ruff formatting fixes (Issue, Pull Request, Pull Request)
- Import `escape` from `markupsafe`, not `flask` (Issue, Pull Request)
- Remove unused load_iptables script (Pull Request)
- Remove unused SSHd config from cloud-init (Pull Request)
What administrators need to do
SecureDrop Application and Monitor Servers will be updated to SecureDrop 2.11.0 automatically within 24 hours.
Please follow our upgrade guide, and get in touch with us if you require assistance.
Acknowledgments
Thanks to Localization Lab for continued support with our translations. Translations were updated thanks to the work of many volunteers:
- victor dargallo
- Igor K.
- Milo Ivir
- AO Localization Lab
- Curtis Baltimore
- Dimitris Maroulidis
- Oktavia
- Sveinn í Felli
- Claudio Arseni
- Øyvind Bye Skille
- Adam Rak
- ion ciubara
- Jonas Waga
As of this release, Croatian is now a fully supported language for SecureDrop. We are currently lacking active translators for Hindi and Romanian, which are slated to be removed as supported languages in the SecureDrop 2.12.0 release. If you speak one of these languages or know someone who does, please see our instructions on contributing translations.
This release incorporates Freedom of the Press Foundation (FPF) contributions by Nathan Dyer, communications manager; Kunal Mehta, deputy release manager; Erik Moeller; Cory Francis Myers; Kevin O’Gorman, release manager; Francisco Rocha; and Rowen S.
Questions and comments
If you have questions or comments regarding this release, please contact us:
- Via our Support Portal, if you are a member (membership is available to SecureDrop administrators on request);
- Via securedrop@freedom.press (PGP encrypted) for sensitive security issues (please use judiciously), or submit a report via Bugcrowd;
We also encourage you to file nonsensitive issues you encounter in our GitHub repository (issue report form).
Thank you for using SecureDrop!