Call for help: Q/A volunteers for 0.6


From Feb 27th to March 13th the 0.6 SecureDrop milestone is in Q/A. If you are interested in participating, please vote below. If there is enough interest detailed instructions will be provided to distribute the workload.

Yes, Q/A is tedious when you repeat the same manual steps for the 100th time. But if that’s your first time it is a great learning experience. It also is an opportunity to significantly help producing a quality release and discuss with the developers who will be eager to fix the bugs you file on that occasion.

  • Yes, I want to help with Q/A, count me in!
  • No, I unfortunately cannot but you have my full moral support.

0 voters


1 Like


That’s five of US: more than enough to deserve a little preparation :slight_smile: A very useful part of QA is to use the journalist interface as well as the source interface in conditions that are very close to production. The first step to do that is to start a staging environment.

I propose each of us does that and display a screenshot of the tor browser showing:

  • The source interface
  • The journalist interface displaying at least one submission

The screenshot must display the .onion URL of the journalist and source interface to show we did not run make dev instead :wink:


1 Like

Here are my screenshots as well as how I got them (more info at the virtual environment documentation):

  • vagrant destroy /staging/ # get rid of leftovers, if any
  • make build-debs
  • vagrant up /staging/
  • vagrant ssh app-staging
  • sudo -u www-data bash
  • cd /var/www/securedrop
  • ./
  • cat install_files/ansible-base/app-journalist-aths >> ~/Downloads/tor-browser_fr/Browser/TorBrowser/Data/Tor/torrc
  • ( cd ~/Downloads/tor-browser_fr/ ; ./start-tor-browser.desktop )
  • go to the .onion URL $(cat install_files/ansible-base/app-journalist-aths) in the tor browser
  • copy/paste credentials and OTP from # because ./ creates exactly the same user, password, OTP
  • go to the .onion URL $(cat install_files/ansible-base/app-source-ths)
  • submit a message
  • take a screenshot
  • go back to the journalist interface
  • reload
  • take a screenshot

I’m on it :slight_smile:

Here are my screenshots and the instructions I followed:

  1. make build-debs
  2. vagrant up /staging/
  3. vagrant ssh app-staging
  4. sudo su
  5. cd /var/www/securedrop/
  6. ./

Then exit from the vagrant ssh

copy cat install_files/ansible-base/app-journalist-aths and paste in~/Downloads/tor-browser_en/Browser/TorBrowser/Data/Tor/torrc
Start tor browser
The journalist link is given in install_files/ansible-base/app-journalist-aths and source link is in install_files/ansible-base/app-source-ths

Here are my screenshots:

1 Like

As I could not put both screenshots in one post, Here is the second one:

1 Like


QA started today and once you have a staging environment you are ready to run the QA steps. If this is your first time doing QA for SecureDrop, please ask questions in this thread or in gitter instead of adding to the QA issues. This way we will be able to answer any questions you may have and not interfere with more experienced developers.


I am getting an error saying there is no file what should i do ?

I am getting an error saying there is no file what should i do ?

It was renamed today sorry about that. I edited the references in this thread to avoid further confusion.

Source interface on my machine. I’m getting an Internal Server Error at the Journalist side. I’ll try to fix it and upload as soon as possible.

Edit: Everything up and running now

1 Like

I’ll start with the QA process now.

1 Like

Here are my screenshots.

1 Like

now ill start with the QA process.

1 Like

Onto Q/A


Version: SecureDrop 0.6~rc2

'✓' indicates "Tested and verified successfully"

- ’ indicates “Not tested”

Application Acceptance Testing

Source Interface

Landing page base cases
✓JS warning bar does not appear when using Security Slider high
✓JS warning bar does appear when using Security Slider Low

First submission base cases
✓On generate page, refreshing codename produces a new 7-word codename
✓On submit page, empty submissions produce flashed message
✓On submit page, short message submitted successfully
- On submit page, file greater than 500 MB produces “The connection was reset” in Tor Browser quickly before the entire file is uploaded
✓On submit page, file less than 500 MB submitted successfully

Returning source base cases
✓Nonexistent codename cannot log in
✓Empty codename cannot log in
✓Legitimate codename can log in
✓Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases
✓Can log in with 2FA tokens
✓incorrect password cannot log in
✓invalid 2fa token cannot log in
✓2fa immediate reuse cannot log in

Index base cases
✓Filter by codename works
✓Starring and unstarring works
✓Click select all selects all submissions
✓Selecting all and clicking “Download all” works

Individual source page
✓You can submit a reply and a flashed message and new row appears
✓You cannot submit an empty reply
✓Clicking “Delete collection” and the source and docs are deleted
- You can click on a document and successfully decrypt using application private key

Basic Server Testing

-I can access both the source and journalist interfaces
-I can SSH into both machines over Tor
-AppArmor is loaded on app
-AppArmor is loaded on mon
-Both servers are running grsec kernels
-iptables rules loaded
-OSSEC emails begin to flow after install
-OSSEC emails are decrypted to correct key and I am able to decrypt them

Command Line User Generation
-Can successfully add admin user and login

1 Like

Although I’ve performed the tests under Basic Server Testing on a Debian machine, I haven’t performed them on an ‘Admin Tails Drive’. Thus I have marked them as untested.

1 Like