SecureDrop 2.6.0 is scheduled to be released on June 22, 2023. We will send out another notification through this blog, Twitter, Mastodon, and the support portal when the release is live. Changes that journalists and administrators should be aware of are summarized in this blog post. A complete list of changes can be found on GitHub.

What’s coming in SecureDrop 2.6.0?

For sources

• Usability: Tor Browser for Android is now correctly detected as separate from the desktop version of Tor Browser (Pull Request)
• Security: The Cross-Origin-Resource-Policy header is now set to same-origin to provide stronger cross-site protections within the SecureDrop web application (Pull Request)
• Accessibility: <title> tags (displayed on windows or tabs) are now more descriptive to provide a better experience for users using assistive technologies like screen readers (Issue, Pull Request, Pull Request)

For journalists and administrators

• Usability: A new SecureDrop menu in the top bar provides quick access to SecureDrop Journalist and Source Interfaces, as well as the updater, and gives administrators instant access to manage the SecureDrop environment (Issue, Pull Request)

For administrators

• Performance: Accounts for sources that have never submitted documents or sent messages are now routinely removed to improve performance (Pull Request, Pull Request)
• Performance: Outdated kernels are now removed automatically on the Application and Monitor Servers (Issue, Pull Request)
• Security: Journalist passphrases are now being hashed using the argon2id algorithm (Issue, Pull Request)
• Security: The SecureDrop release key expiry date has been updated to 2024-07-08 (Issue, Issue, Pull Request)
• Usability: A bug causing a daily login report to be sent by OSSEC, even when a login event had not occurred, has been fixed (Issue, Issue, Pull Request)

For developers

• Usability: The development environment is now compatible with Apple Silicon (Pull Request, Pull Request, Pull Request)
• Usability: SQLite is now the only officially supported database backend (Issue, Pull Request)
• Usability: A configuration file that can be used for building a SecureDrop Workstation development environment is automatically generated when using make dev-tor (Pull Request)
• Dependency updates:
  • mypy from 0.761 to 1.0.0 (Pull Request, Pull Request)
  • pytest to 7.2.0 and pytest-xdist to 3.0.2 (Pull Request)
  • pillow from 9.0.1 to 9.3.0 (Pull Request)
  • shellcheck to 0.9.0, using shellcheck-py (Issue, Pull Request)
  • sh has been removed as a dependency (Issue, Pull Request, Pull Request)

What administrators will need to do

SecureDrop Application and Monitor Servers will be updated to SecureDrop 2.6.0 automatically within 24 hours of the release. As with previous releases, we will provide instructions for performing the workstation updates at the time of the release.

Questions and comments

If you have questions or comments regarding this release, please contact us:

• Via our Support Portal, if you are a member (membership is available to SecureDrop administrators on request);
• Via securedrop@freedom.press (GPG encrypted) for sensitive security issues (please use judiciously);
• Via our community forums.

We also encourage you to file nonsensitive issues you encounter in our GitHub repository (issue report form).

Thank you for using SecureDrop!