We’re pleased to announce that SecureDrop 2.6.0 has been released. Changes that journalists and administrators should be aware of are summarized in this blog post. A complete list of changes can be found on GitHub.

What’s new in SecureDrop 2.6.0?

For sources

• Usability: Tor Browser for Android is now correctly detected as separate from the desktop version of Tor Browser (Pull Request)
• Security: The Cross-Origin-Resource-Policy header is now set to same-origin to provide stronger cross-site protections within the SecureDrop web application (Pull Request)
• Accessibility: <title> tags (displayed on windows or tabs) are now more descriptive to provide a better experience for users using assistive technologies like screen readers (Issue, Pull Request, Pull Request)

For journalists

• Usability: A new SecureDrop menu in the top bar provides quick access to SecureDrop Journalist and Source Interfaces, as well as the updater, and gives administrators instant access to manage the SecureDrop environment (Issue, Pull Request)

For administrators

• Performance: Accounts for sources that have never submitted documents or sent messages are now routinely removed to improve performance (Pull Request, Pull Request)
• Performance: Outdated kernels are now removed automatically on the Application and Monitor Servers (Issue, Pull Request)
• Security: Journalist passphrases are now being hashed using the argon2id algorithm (Issue, Pull Request)
• Security: The SecureDrop release key expiry date has been updated to 2024-07-08 (Issue, Issue, Pull Request)
• Usability: A bug causing a daily login report to be sent by OSSEC, even when a login event had not occurred, has been fixed (Issue, Issue, Pull Request)

For developers

• Usability: The development environment is now compatible with Apple Silicon (Pull Request, Pull Request, Pull Request)
• Usability: SQLite is now the only officially supported database backend (Issue, Pull Request)
• Usability: A configuration file that can be used for building a SecureDrop Workstation development environment is automatically generated when using make dev-tor (Pull Request)
• Dependency updates:
  • mypy from 0.761 to 1.0.0 (Pull Request, Pull Request)
  • pytest to 7.2.0 and pytest-xdist to 3.0.2 (Pull Request)
  • pillow from 9.0.1 to 9.3.0 (Pull Request)
  • shellcheck to 0.9.0, using shellcheck-py (Issue, Pull Request)
  • sh has been removed as a dependency (Issue, Pull Request, Pull Request)

What administrators need to do

SecureDrop Application and Monitor Servers will be updated to SecureDrop 2.6.0 automatically within 24 hours of the release. As with previous releases, we recommend that you update your Tails workstations to the latest version of Tails and the latest version of SecureDrop.

This is especially important with the recent Tails 5.14 update, which includes important updates to disk encryption and passphrase hashing algorithms, as described in our Security Advisory. We also recommend that you update all other encrypted drives to LUKS2, and ensure you have strong passphrases. Please see our upgrade guide for instructions.

Acknowledgments

This release was made possible thanks to volunteer code contributions from Alban Diquet, Don Heshanthaka, Giovanni Pellerano, Ilyès Semlali, Josh Soref, Luca Baffa, Nina Eleanor Alter, Nouman Syed, Peter Story, Rahul Sharma, Rohit Menon, Seth Angell, Skyler Ferris, Travis Briggs, and Zeke Hunter-Green.

The translations for all supported languages were updated thanks to the work of many volunteers:

• Catalan: Benet (BennyBeat) R. i Camps, Joan Montané, John Smith
• Czech: Jan Papež
• German: Curtis Baltimore, Ettore Atalan, Martin Trebuch
• Greek: Dimitris Maroulidis
• French: AO Localization Lab
• Icelandic: Sveinn í Felli
• Italian: lsd-cat
• Norwegian: Øyvind Bye Skille
• Portuguese, Brasil: Guilherme, leilane, notmuchtohide
• Portuguese, Portugal: deeplow, notmuchtohide
• Russian: Adham Kurbanov
• Swedish: Jonas Waga
• Turkish: tekrei
• Chinese, Simplified: Kishin Sagume
• Chinese, Traditional: Chi-Hsun Tsai, Meng Pang Wang

Thanks to Erin McConnell and the Localization Lab for supporting this effort.

We are currently lacking active translators for Hindi and Romanian, which are at risk of being removed in the SecureDrop 2.8.0 release. If you speak one of these languages or know someone who does, please see our instructions on contributing translations.

This release incorporates Freedom of the Press Foundation contributions by: Kunal Mehta (release manager), Kevin O'Gorman (deputy release manager), Cory Francis Myers (localization manager), Nathan Dyer (communications manager), Alex, Giulio Berra, Gonzalo Bulnes Guilpain, Erik Moeller, Riley, Rowen S, and Michael Z.

Questions and comments

If you have questions or comments regarding this release, please contact us:

• Via our Support Portal, if you are a member (membership is available to SecureDrop administrators on request);
• Via securedrop@freedom.press (GPG encrypted) for sensitive security issues (please use judiciously);
• Via our community forums.

We also encourage you to file non-sensitive issues you encounter in our GitHub repository (issue report form).

Thank you for using SecureDrop!