Release SecureDrop 0.5.1

[redshiftzero]

This is a tracking issue for the upcoming release of SecureDrop 0.5.1 - tasks may get added or modified.

Release: planned for January 16th, 2018.

SecureDrop maintainers and testers: As you QA 0.5.1, please report back your testing results as comments on this ticket. File GitHub issues for any problems found, tag them "QA: Release", and associate them to the 0.5.1 milestone for tracking.

Prepare first release candidate (0.5.1-rc1)

• [x] Branch release/0.5.1 off develop - @redshiftzero
• [x] Prepare 0.5.1-rc1 tag - @redshiftzero
• [x] Build debs and put up 0.5.1-rc1 on test apt server - @conorsch

QA (0.5.1-rc1)

• [x] Test upgrade from 0.5 works on prod w/ test repo debs

Prepare next release candidate (0.5.1-rc2)

• [x] Prepare 0.5.1-rc2 tag - @redshiftzero
• [x] Build debs and put up 0.5.1-rc2 on test apt server - @conorsch

QA (0.5.1-rc2)

• [x] Test upgrade from 0.5 works on prod w/ test repo debs

Prepare next release candidate (0.5.1-rc3)

• [x] Prepare 0.5.1-rc3 tag - @redshiftzero
• [x] Build debs and put up 0.5.1-rc3 on test apt server - @conorsch

QA (0.5.1-rc3)

• [x] Test upgrade from 0.5 works on prod w/ test repo debs
• [x] Test clean install (not upgrade) of 0.5.1 works on prod w/test repo debs

Prepare next release candidate (0.5.1-rc4)

• [x] Update all screenshots in user guides - @redshiftzero
• [x] Final merge of translations - @dachary
• [x] Prepare 0.5.1-rc4 tag - @redshiftzero
• [x] Build debs and put up 0.5.1-rc4 on test apt server - @conorsch

QA (0.5.1-rc4)

• [x] Test upgrade from 0.5 works on prod w/ test repo debs

Prepare final release candidate (0.5.1-rc5)

• [x] Prepare 0.5.1-rc5 tag - @redshiftzero
• [x] Build debs and put up 0.5.1-rc5 on test apt server - @conorsch
• [x] Test upgrade from 0.5 works on w/ test repo debs

Release

• [x] Push signed tag - @redshiftzero
• [x] Build final Debian packages for 0.5.1 - @conorsch
• [x] Pre-Flight: Test install (not upgrade) of 0.5.1 works on prod w/ test repo debs - @emkll
• [x] Put final deb packages up - @conorsch
• [x] Publish blog post about 0.5.1 Debian package release and instructions for admins - @redshiftzero

Post-release

• [x] Merge release changes into master branch
• [x] Merge release changes into development branch

[redshiftzero]

In particular we should check for 0.5.1 (additional items might get added to the list):

• [ ] Upgrade path: Tor package is installed from the apt mirror, interfaces come up (#2441).

Suggested test procedure:

1. upgrade to securedrop0.5.1-rc1,
2. sudo apt-get update on both servers,
3. verify 500 https://tor-apt.freedom.press/ trusty/main amd64 Packages is in the output of apt-cache policy tor

• [ ] Reboot both servers. Check restart of OSSEC server does not send "Ossec server started" or "Ossec agent started" alerts (#2701)
• [ ] Verify *.css.map files are not present (#2814)
• [ ] Verify as an admin you are able to update the SecureDrop logo via the web app (#2769)
• [ ] Verify you can send a test alert as an admin (#2771)

[redshiftzero]

Given that this is a minor release with fewer changes, here is a reduced test plan you can use as a checklist (if you think anything is missing, get loud):

0.5.1 specific

(Same items as previous comment)

• [ ] Upgrade path: Tor package is installed from the apt mirror, interfaces come up (#2441).
• [ ] Reboot both servers. Check restart of OSSEC server does not send "Ossec server started" or "Ossec agent started" alerts (#2701)
• [ ] Verify *.css.map files are not present (#2814)
• [ ] Verify as an admin you are able to update the SecureDrop logo via the web app (#2769)
• [ ] Verify you can send a test alert as an admin (#2771)

Basic Server Testing

• [ ] I can access both the source and journalist interfaces after upgrade and it is upgraded to 0.5.1-rcN (where N is the number of the release candidate)
• [ ] I can SSH into both machines over Tor
• [ ] AppArmor is loaded on app and mon
• [ ] Both servers are running grsec kernels
• [ ] iptables rules loaded
• [ ] OSSEC emails begin to flow after install
• [ ] OSSEC emails are decrypted to correct key and I am able to decrypt them

Command Line User Generation

• [ ] Can successfully add admin user

Application Acceptance Testing

First submission base cases

• [ ] On submit page, file less than 500 MB submitted successfully
• [ ] On submit page, short message submitted successfully

Journalist Interface

Login base cases

• [ ] Can log in with 2FA tokens

Individual source page

• [ ] You can submit a reply and a flashed message and new row appears
• [ ] Clicking "Delete collection" and the source and docs are deleted

[redshiftzero]

Test Results: 0.5->0.5.1-rc1 upgrade path

0.5.1-rc1 upgrade path QA

• [x] Upgrade path: Tor package is installed from the apt mirror, interfaces come up (#2441).
• [x] Check restart of OSSEC server does not send alerts (#2701) -
• [x] Verify *.css.map files are not present (#2814)
• [ ] Verify as an admin you are able to update the SecureDrop logo via the web app (#2769) - could not test due to bug #2827
• [ ] Verify you can send a test alert as an admin (#2771) - could not test due to bug #2827

Basic Server Testing

• [x] I can access both the source and journalist interfaces after upgrade and it is upgraded to 0.5.1-rcN (where N is the number of the release candidate)
• [x] I can SSH into both machines over Tor
• [x] AppArmor is loaded on app and mon
• [x] Both servers are running grsec kernels
• [x] iptables rules loaded
• [x] OSSEC emails begin to flow after install
• [x] OSSEC emails are decrypted to correct key and I am able to decrypt them

Command Line User Generation

• [x] Can successfully add admin user

Application Acceptance Testing

First submission base cases

• [x] On submit page, file less than 500 MB submitted successfully
• [x] On submit page, short message submitted successfully

Journalist Interface

Login base cases

• [x] Can log in with 2FA tokens

Individual source page

• [x] You can submit a reply and a flashed message and new row appears
• [x] Clicking "Delete collection" and the source and docs are deleted

[ghost]

There are commits to merge back to develop from yesterday's action.

$ git --no-pager  log --oneline --cherry-mark --right-only origin/develop...origin/release/0.5.1
+ 99c6267e Merge pull request #2828 from freedomofpress/update-apparmor-config-template
+ 42c0c10b Journalist interface: Add missing AppArmor rule for config.html
+ 51ada1d1 SecureDrop 0.5.1-rc1

Proposed at https://github.com/freedomofpress/securedrop/pull/2831

[kushaldas]

0.5.1 specific

(Same items as previous comment)

• [x] Upgrade path: Tor package is installed from the apt mirror, interfaces come up (#2441).
• [x] Check restart of OSSEC server does not send alerts (#2701)
• [x] Verify *.css.map files are not present (#2814)
• [ ] Verify as an admin you are able to update the SecureDrop logo via the web app (#2769)
• [ ] Verify you can send a test alert as an admin (#2771)

Basic Server Testing

• [x] I can access both the source and journalist interfaces after upgrade and it is upgraded to 0.5.1-rcN (where N is the number of the release candidate)
• [x] I can SSH into both machines over Tor
• [x] AppArmor is loaded on app and mon
• [x] Both servers are running grsec kernels
• [x] iptables rules loaded
• [x] OSSEC emails begin to flow after install
• [x] OSSEC emails are decrypted to correct key and I am able to decrypt them

Command Line User Generation

• [x] Can successfully add admin user

Application Acceptance Testing

First submission base cases

• [x] On submit page, file less than 500 MB submitted successfully
• [x] On submit page, short message submitted successfully

Journalist Interface

Login base cases

• [x] Can log in with 2FA tokens

Individual source page

• [x] You can submit a reply and a flashed message and new row appears
• [x] Clicking "Delete collection" and the source and docs are deleted

[ghost]

There are commits to merge back to develop from yesterday's action.

$ git --no-pager  log --oneline --cherry-mark --right-only origin/develop...origin/release/0.5.1
+ 683aec2e SecureDrop 0.5.1-rc2
+ 17bbe742 Merge pull request #2834 from freedomofpress/wip-dachary-0.5.1-update-doc-images
+ f6812b11 Merge pull request #2830 from freedomofpress/wip-dachary-0.5.1-i18n
+ 15f5a2b1 Merge pull request #2836 from freedomofpress/logo_config_apparmor
+ 18f04ab1 docs: create files needed to capture screenshots
+ 5b203478 Merge pull request #2837 from freedomofpress/wip-dachary-0.5.1-tests-key-generate
+ c333dfbd Added write to apache2 apparmor profile for logo.png
+ bdbed92a tests: timeout does not need to submit a document
+ 722575e7 tests: wait for source key generation in functional tests
+ c503fd9e i18n: translator contributor credits
+ 66729824 l10n: update nl Nederlands translation
+ efd567e8 l10n: update pt_BR Portuguese translation
+ 1b9ac5a6 l10n: update nb_NO Norwegian translation
+ 64b33e68 l10n: update fr French translation
+ decf0809 l10n: update es_ES Spanish translation
+ af43b324 l10n: update de_DE German translation
+ bccc1390 l10n: add zh_Hant Chinese translation
+ c45e639f l10n: extract and update translatable strings

Proposed at https://github.com/freedomofpress/securedrop/pull/2842

[emkll]

Test Results: 0.5.1-rc1 clean install

0.5.1-rc1 upgrade path QA (Prod VMs)

• [x] Upgrade path: Tor package is installed from the apt mirror, interfaces come up (#2441).
• :x: Check restart of OSSEC server does not send alerts (#2701) - should be fixed in 0.5.1-rc3
• [x] Verify *.css.map files are not present (#2814)
• [x] Verify as an admin you are able to update the SecureDrop logo via the web app (#2769) (with manual fix)
• [x] Verify you can send a test alert as an admin (#2771)

Basic Server Testing

• [x] I can access both the source and journalist interfaces after upgrade and it is upgraded to 0.5.1-rcN (where N is the number of the release candidate)
• [x] I can SSH into both machines over Tor
• [x] AppArmor is loaded on app and mon
• [x] Both servers are running grsec kernels
• [x] iptables rules loaded
• [x] OSSEC emails begin to flow after install
• [x] OSSEC emails are decrypted to correct key and I am able to decrypt them

Command Line User Generation

• [x] Can successfully add admin user

Application Acceptance Testing

First submission base cases

• [x] On submit page, file less than 500 MB submitted successfully
• [x] On submit page, short message submitted successfully

Journalist Interface

Login base cases

• [x] Can log in with 2FA tokens

Individual source page

• [x] You can submit a reply and a flashed message and new row appears
• [x] Clicking "Delete collection" and the source and docs are deleted

Test Results: 0.5->0.5.1-rc2 upgrade path (Prod VMs)

0.5.1-rc2 upgrade path QA

• [x] Upgrade path: Tor package is installed from the apt mirror, interfaces come up (#2441).

• :x: Check restart of OSSEC server does not send alerts (#2701) - Should be fixed in 0.5.1-rc3

• [x] Verify *.css.map files are not present (#2814)

• [x] Verify as an admin you are able to update the SecureDrop logo via the web app (#2769) - :exclamation: It seems like apache cache settings Header set Cache-Control "max-age=3600" make it that the image isn't immediately updated in a journalist's browser cache (as url is the same)

• [x] Verify you can send a test alert as an admin (#2771)

  Basic Server Testing

• [x] I can access both the source and journalist interfaces after upgrade and it is upgraded to 0.5.1-rcN (where N is the number of the release candidate)

• [x] I can SSH into both machines over Tor

• [x] AppArmor is loaded on app and mon

• [x] Both servers are running grsec kernels

• [x] iptables rules loaded

• [x] OSSEC emails begin to flow after install

• [x] OSSEC emails are decrypted to correct key and I am able to decrypt them

Command Line User Generation

• [x] Can successfully add admin user

Application Acceptance Testing

First submission base cases

• [x] On submit page, file less than 500 MB submitted successfully
• [x] On submit page, short message submitted successfully

Journalist Interface

Login base cases

• [x] Can log in with 2FA tokens

Individual source page

• [x] You can submit a reply and a flashed message and new row appears
• [x] Clicking "Delete collection" and the source and docs are deleted

[b-meson]

Test Results: 0.5.0 -> 0.5.1-rc2 upgrade (hardware)

Test Results: 0.5->0.5.1-rc2 upgrade path

0.5.1-rc2 upgrade path QA

• [] Upgrade path: Tor package is installed from the apt mirror, interfaces come up (#2441).
  • I am not sure if this is working properly, will test on a clean 0.5 -> 0.5rc3 :man_shrugging:
• [x] Verify *.css.map files are not present (#2814)
• [x] Verify as an admin you are able to update the SecureDrop logo via the web app (#2769) (see mickael's notes)

Basic Server Testing

• [x] I can access both the source and journalist interfaces after upgrade and it is upgraded to 0.5.1-rcN (where N is the number of the release candidate)
• [x] I can SSH into both machines over Tor
• [x] AppArmor is loaded on app and mon
• [x] Both servers are running grsec kernels
• [x] iptables rules loaded

Command Line User Generation

• [x] Can successfully add admin user

Application Acceptance Testing

First submission base cases

• [x] On submit page, file less than 500 MB submitted successfully
• [x] On submit page, short message submitted successfully

Journalist Interface

Login base cases

• [x] Can log in with 2FA tokens

Individual source page

• [x] You can submit a reply and a flashed message and new row appears
• [x] Clicking "Delete collection" and the source and docs are deleted

[ghost]

There are commits to merge back to develop from yesterday's action.

$ git --no-pager  log --oneline --cherry-mark --right-only origin/develop...origin/release/0.5.1
+ cb21782c Merge pull request #2845 from freedomofpress/fix-autoversion-0.5.1
+ 5ac3c910 Use absolute filename in autoversion Jinja2 filter
+ 7cfb62d3 SecureDrop 0.5.1-rc3
+ 2d0bf694 Merge pull request #2838 from freedomofpress/fix_ossec_agent_started_on_boot
+ e3530d1e Merge pull request #2843 from freedomofpress/wip-dachary-0.5.1-key-generate-timeout
+ 1c3aecda tests: wait up to 60 seconds to generate a GPG key
+ e37133ae Fix error in alert ID for ossec agent start alert. Changed test case as it matched 501 instead of 503 (and thus the source of confusion?)

However a rather strange logo was inadvertently added at 7cfb62d3cbc50a3e3ae431f367e1ad30763338aa and I'll wait for it to be fixed before proposing to merge back in develop.

[ghost]

There are commits to merge back to develop from yesterday's action.

$ git --no-pager  log --oneline --cherry-mark --right-only origin/develop...origin/release/0.5.1
+ 362dbb0c Merge pull request #2850 from freedomofpress/wip-dachary-0.5.1-restore-logo
+ 0a0a2647 app: restore logo
+ cb21782c Merge pull request #2845 from freedomofpress/fix-autoversion-0.5.1
+ 5ac3c910 Use absolute filename in autoversion Jinja2 filter
+ 7cfb62d3 SecureDrop 0.5.1-rc3
+ 2d0bf694 Merge pull request #2838 from freedomofpress/fix_ossec_agent_started_on_boot
+ e3530d1e Merge pull request #2843 from freedomofpress/wip-dachary-0.5.1-key-generate-timeout
+ 1c3aecda tests: wait up to 60 seconds to generate a GPG key
+ e37133ae Fix error in alert ID for ossec agent start alert. Changed test case as it matched 501 instead of 503 (and thus the source of confusion?)

Proposed at https://github.com/freedomofpress/securedrop/pull/2851

[emkll]

Test Results: 0.5.0 -> 0.5.1-rc3 upgrade (hardware)

Test Results: 0.5->0.5.1-rc3 upgrade path

0.5.1-rc3 upgrade path QA

• [x] Upgrade path: Tor package is installed from the apt mirror, interfaces come up (#2441).
• [x] Verify *.css.map files are not present (#2814)
• :red_circle: see https://github.com/freedomofpress/securedrop/issues/2853 Verify as an admin you are able to update the SecureDrop logo via the web app (#2769)

Basic Server Testing

• [x] I can access both the source and journalist interfaces after upgrade and it is upgraded to 0.5.1-rcN (where N is the number of the release candidate)
• [x] I can SSH into both machines over Tor
• [x] AppArmor is loaded on app and mon
• [x] Both servers are running grsec kernels
• [x] iptables rules loaded

Command Line User Generation

• [x] Can successfully add admin user

Application Acceptance Testing

First submission base cases

• [x] On submit page, file less than 500 MB submitted successfully
• [x] On submit page, short message submitted successfully

Journalist Interface

Login base cases

• [x] Can log in with 2FA tokens

Individual source page

• [x] You can submit a reply and a flashed message and new row appears
• [x] Clicking "Delete collection" and the source and docs are deleted

[ghost]

There are commits to merge back to develop from yesterday's action.

$ git --no-pager  log --oneline --cherry-mark --right-only origin/develop...origin/release/0.5.1
+ 7c84e8f1 SecureDrop 0.5.1-rc4
+ 17e8c2a9 Merge pull request #2854 from freedomofpress/wip-dachary-0.5.1-2853-custom-logo
+ 7a5ef14c Merge pull request #2852 from freedomofpress/wip-dachary-0.5.1-i18n-2
+ 66890eb1 Merge pull request #2846 from freedomofpress/docs-screenshots-update
+ 69804c6d app: always chmod u+w the logo in postinst
+ ef7260b0 l10n: update zh_Hant Chinese translation
+ c0050e56 l10n: update es_ES Spanish translation
+ 1f66b8c3 l10n: add it_IT Italian translation
+ 67010122 l10n: add tr Turkish translation
+ 60637a06 l10n: add zh_Hant Chinese translation for desktop icons
+ 0050c78b i18n: reduce supported languages duplication in docs
+ cee40666 User guides: Update screenshots for SecureDrop 0.5.1

Proposed at https://github.com/freedomofpress/securedrop/pull/2871

[ghost]

@redshiftzero here is a draft to help write the blog post:

The translations for all supported languages were updated thanks to the work of many volunteers:

• German: Anna Skaja, heartsucker., Ettore Atalan, kwadronaut
• Spanish: Anatoli, Camille Fassett, Daniel Arauz, Freddy Martinez, Jose, Pablo Di Noto
• French: Alain-Olivier, Loïc Dachary
• Norwegian: Allan Nordhøy, Øyvind Bye Skille
• Dutch: Anne M, kwadronaut, Yarno Ritzen
• Portuguese (Brasil): Bernardo Tonasse, Cecília do Lago, communiaa

And support for new languages was also added thanks to:

• Arabic: Ahmad Gharbeia, Ali Boshanab, ButterflyOfFire, Erin McConnell, Gabriele Kahlout, Jasmine Khalil, Jennifer Helsby, kwadronaut, Ramy Raoof, Scharik Yousif, Thalia Rahme
• Italian: Beatrice Martini, Claudio Arseni, Manuel D'Orso
• Turkish: T. E. Kalaycı, Volkan
• Chinese: Chi-Hsun Tsai, H.-L. Lee, Jin Lin Wright, Hong Feng, Shih-Chieh Ilya Li

We are specially grateful to localizationlab for their help reviewing every translated string to catch typos and errors that could confuse the SecureDrop users. Thanks to Erin M. most of the reviewers discovered SecureDrop and it is their volunteer expertise that allows us to support each language.

A number of new languages are in the works and anyone willing to help is welcome to contribute.

[heartsucker]

Minor note, I don't much care for my birthname and would rather be credited under my username.

[ghost]

@heartsucker fixed

[redshiftzero]

Thanks @dachary! 😄

[b-meson]

@dachary I was under the impression we also completed Swedish. Are we not merging because of those final strings didn't get translated because of the new UI added in 0.5.1?

[redshiftzero]

Upgrade testing: 0.5 -> 0.5.1-rc4

0.5.1 Specific Testing

• [x] Upgrade path: Tor apt repo configured as tor-apt.freedom.press (#2441).
• [x] Reboot both servers. Check restart of OSSEC server does not send "Ossec server started" or "Ossec agent started" alerts (#2701)
• [x] Verify *.css.map files are not present (#2814)
• [x] Verify as an admin you are able to update the SecureDrop logo via the web app (#2769) [Upgrade path: Verified this works when there is already a custom icon set.]
• [x] Verify you can send a test alert as an admin (#2771)

Basic Server Testing

• [x] I can access both the source and journalist interfaces after upgrade and it is upgraded to 0.5.1-rc4
• [x] I can SSH into both machines over Tor
• [x] AppArmor is loaded on app and mon
• [x] Both servers are running grsec kernels
• [x] iptables rules loaded
• [x] OSSEC emails begin to flow after install
• [x] OSSEC emails are decrypted to correct key and I am able to decrypt them

Command Line User Generation

• [x] Can successfully add admin user

Application Acceptance Testing

First submission base cases

• [x] On submit page, file less than 500 MB submitted successfully
• [x] On submit page, short message submitted successfully

Journalist Interface

Login base cases

• [x] Can log in with 2FA tokens

Individual source page

• [x] You can submit a reply and a flashed message and new row appears
• [x] Clicking "Delete collection" and the source and docs are deleted

[redshiftzero]

@b-meson: Swedish was not ready in time for this release cycle (check out Weblate to see the untranslated strings - some of which were indeed 0.5.1 UI changes)

[ghost]

@b-meson like @redshiftzero said :-) The next string freeze is February 27th and we can ping the translators then to bring it back to 100%.

[kushaldas]

Upgrade testing: 0.5. -> 0.5.1-rc5

0.5.1 Specific Testing

• [x] Upgrade path: Tor apt repo configured as tor-apt.freedom.press (#2441).
• [x] Reboot both servers. Check restart of OSSEC server does not send "Ossec server started" or "Ossec agent started" alerts (#2701)
• [x] Verify *.css.map files are not present (#2814)
• [x] Verify as an admin you are able to update the SecureDrop logo via the web app (#2769)

Note: the updated image showed up only after a refresh of the page.

• [x] Verify you can send a test alert as an admin (#2771)

Basic Server Testing

• [x] I can access both the source and journalist interfaces after upgrade and it is upgraded to 0.5.1-rc5
• [x] I can SSH into both machines over Tor
• [x] AppArmor is loaded on app and mon
• [x] Both servers are running grsec kernels
• [x] iptables rules loaded
• [x] OSSEC emails begin to flow after install
• [x] OSSEC emails are decrypted to correct key and I am able to decrypt them

Command Line User Generation

• [x] Can successfully add admin user

Application Acceptance Testing

First submission base cases

• [x] On submit page, file less than 500 MB submitted successfully
• [x] On submit page, short message submitted successfully

Journalist Interface

Login base cases

• [x] Can log in with 2FA tokens

Individual source page

• [x] You can submit a reply and a flashed message and new row appears
• [x] Clicking "Delete collection" and the source and docs are deleted

[msheiny]

Test Results: 0.5.0 -> 0.5.1-rc5 upgrade (hardware)

0.5.1-rc5 upgrade path QA

• [x] Upgrade path: Tor package is installed from the apt mirror, interfaces come up (#2441).
• [x] Verify *.css.map files are not present (#2814)
• [x] see https://github.com/freedomofpress/securedrop/issues/2853 Verify as an admin you are able to update the SecureDrop logo via the web app (#2769)

Basic Server Testing

• [x] I can access both the source and journalist interfaces after upgrade and it is upgraded to 0.5.1-rcN (where N is the number of the release candidate)
• [x] I can SSH into both machines over Tor
• [x] AppArmor is loaded on app and mon
• [x] Both servers are running grsec kernels
• [x] iptables rules loaded

Command Line User Generation

• [x] Can successfully add admin user

Application Acceptance Testing

First submission base cases

• [x] On submit page, file less than 500 MB submitted successfully
• [x] On submit page, short message submitted successfully

Journalist Interface

Login base cases

• [x] Can log in with 2FA tokens

Individual source page

• [x] You can submit a reply and a flashed message and new row appears
• [x] Clicking "Delete collection" and the source and docs are deleted

[msheiny]

on a smaller note - i was having trouble with the send ossec test on rc5 but then i realized that functionality was broken previously for me. so 👍 for getting #2748 in after this release

[redshiftzero]

0.5.1 was released (https://securedrop.org/news/securedrop-051-released), and all instances are back up on SecureDrop 0.5.1, closing