We’re pleased to announce that SecureDrop 2.9.0 has been released. Changes that journalists and administrators should be aware of are summarized in this blog post. A complete list of changes can be found on GitHub.

What’s new in SecureDrop 2.9.0?

For administrators

• Network performance: Added an option to enable Tor’s proof-of-work defenses for the Source Interface, to protect against network attacks. (Issue, Pull Request)
  • As of this release, new SecureDrops will have this feature enabled by default, and we encourage all current SecureDrop administrators to turn it on for their instances. While this measure can’t speed up the Tor network as a whole if it’s slow, it can protect your SecureDrop from being attacked specifically; and more onion services running with this feature helps improve the resilience of the Tor network.

For all users

• Accessibility: Added expanded labels and descriptions to aid navigation for visually impaired users (Issue, Pull Request)
• Security: Updated SecureDrop Release Signing Key with new expiry date of 2027-05-24 (Issue, Pull Request)
  • Note: SecureDrop is moving from a 1-year to a 3-year expiration term for the SecureDrop Release Signing Key.
• API feature: Support for HTTP range requests has been added to the Journalist API for the submissions and replies endpoints (Issue, Pull Request)

For developers

• Quality of life: Added support for development virtualenv in Debian 12 (Issue, Pull Request)
• Quality of life: Added random file generation in loaddata.py (Pull Request)
• Bugfix: Fixed an issue with date generation in loaddata.py (Issue, Pull Request)
• Quality of life: Added persistence for onion addresses created with make dev-tor (Issue, Pull Request)
• Dependency changes:
  • (Rust) sequoia-openpgp from 1.17.0 to 1.20.0 (Pull Request)
  • black from 22.3.0 to 24.3.0 (Pull Request)
  • pillow from 10.2.0 to 10.3.0 (Pull Request)

What administrators need to do

SecureDrop Application and Monitor Servers will be updated to SecureDrop 2.9.0 automatically within 24 hours.

Please follow our upgrade guide, and get in touch with us if you require assistance: https://docs.securedrop.org/en/stable/upgrade/2.8.0_to_2.9.0.html

Acknowledgments

Thanks to Localization Lab for continued support with our translations.

We are currently lacking active translators for Hindi and Romanian, which are slated to be removed as supported languages in the SecureDrop 2.10.0 release. If you speak one of these languages or know someone who does, please see our instructions on contributing translations.

This release incorporates Freedom of the Press Foundation contributions by Nathan Dyer (communications manager), Micah Lee, Kunal Mehta (deputy release manager), Erik Moeller, Cory Francis Myers, Kevin O’Gorman (release manager), Francisco Rocha, andRowen S.

Questions and comments

If you have questions or comments regarding this release, please contact us:

• Via our Support Portal, if you are a member (membership is available to SecureDrop administrators on request);
• Via securedrop@freedom.press (PGP encrypted) for sensitive security issues (please use judiciously), or submit a report via Bugcrowd;
• Via our community forums.

We also encourage you to file non-sensitive issues you encounter in our GitHub repository (issue report form).

Thank you for using SecureDrop!