From 1ce5b58b5f85b397e93c0bf04d89684441031d77 Mon Sep 17 00:00:00 2001
From: Maeve Andrews
Date: Wed, 3 Mar 2021 12:54:12 -0500
Subject: [PATCH 01/12] [TEST] Don't set MIME type to application/octet-stream
---
 docker/nginx.conf | 1 -
 1 file changed, 1 deletion(-)
diff --git a/docker/nginx.conf b/docker/nginx.conf
index 0e6a3a5..cdc3b1a 100644
--- a/docker/nginx.conf
+++ b/docker/nginx.conf
@@ -20,7 +20,6 @@ http {
 location / {
 root /opt/nginx/root;
 index index.html;
- default_type application/octet-stream;
 }
 }
 }
From c5c8831bc3af0e3fe218cd37b4e0c74b3fb22bd0 Mon Sep 17 00:00:00 2001
From: Conor Schaefer
Date: Wed, 26 May 2021 11:31:03 -0700
Subject: [PATCH 02/12] Updates release pubkey JWK Required for the 2021 key rotation for the SD release signing key. Used the scripts in the repo to convert the ascii-armored pubkey to a jwk.
---
 release-pubkey.jwk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/release-pubkey.jwk b/release-pubkey.jwk
index b06a1c0..8e84450 100644
--- a/release-pubkey.jwk
+++ b/release-pubkey.jwk
@@ -1 +1 @@ -{"kty": "RSA", "e": "AQAB", "n": "p10BbUVc5Xj2S_-MH3bACNBaISo_r9e3PVPyTTjsGsdg2qSXvqUO42fBtpFAy0zUzIGS83v4JjiRdvKJaZTIvbC8AcpymzdsTqujMm8RPTSy3hO_8mXzGa4DEsIB1uNLnUWRBKXvSGCmT9kFyxhTpkYqokNBzafVihTU34tN2Md1xFHnmZGqfYtPtbJLWAa5Z1M11EyR4lIyUxIiPTV9t1XstDbWr3iS83REJrGEFmjG1-BAgx8_lDUTa41799N2yYEhgZud7bL0M3ei8s5OERjiion5uANkUV3-s2QqUZjiVA-XR_HizXjciaUWNd683KqekpNOZ_0STh_UGwpcwU-KwG07QyiCrLrRpz8S_vH8CqGrrcWY3GSzYe9dp34jJdO65oA-G8tK6fMXtvTCFDZI6oNNaXJH71F5J0YbqO2ZqwKYc2WSi0gKVl2wd9roOVjaBmkJqvocntYuNM7t38fDEWHn5KUkmrTbiG68Cy56tDUfpKl3D9Uj4LaMvxJ1tKGvzQ4k_60odT7gIxu6DqYjXUHZpwPsSGBq3njaD7boe4CUXF2K7ViOc87BsKxRNCzDD8OklRjjXzOTOBH3PqFJ93CJ-4ECE5t9STU20aZ8E-2zKB8vjKyCySE4-kcIvBBsnkwVaJTPy9Ft1qYybo-soXEWVEZATANNWklBt8k"} +{"kty": "RSA", "e": "AQAB", "n": "vsC7BNafkRe8Uh1DUgCkv6RbPQMdJgAKKnWdSqQd7tQzU1mXfmo_k1Py_2MYMZXOWmqSZ9iwIYkykZYywJ2VyMGve4byj1sLn6YQoOkG8g5Z3V4y0S2RpEfmYumNjTzfq8nxtLnwjaYd4sCUd5wa0SzeLrpRQuXo2bF3QuUF2xcbLJloxX1MmlsMMCdBc-qGNonLJ7bpn_JuyXlDWy1Fkeyw1qgjiOdiRIbMC1x302zgzX6dSrBrNB8Cpsh-vCE0ZjUo8M9caEv06F6QbYmdGJHM0ZZY34OHMSNdf-_qUKIV_SuxuSuFE99tkAeWnbWpyI1V-xhVo1sc7NzChP8ci2TdPvI3_0JyAuCvL6zIFqJUJkZibEUghhg6F09-oNJKpy7rhUJq7zZyLXJsvuXnn0gnIxfjRvMcDfZAKUVMZKRdw7fwWzwQril4Ib0MQOVda9vb_4JMk7Gup-TUI4sfuS4NKwsnKoODIO-2U5QpJWdtp1F4AQ1pBv8ajFl1WTrVGvkRGK0woPWaO6pWyJ4kRnhnxrV2FyNNt3JSR-0JEjhFWws47kjBvpr0VRiVRFppKA-plKs4LPlaaCff39TleYmY3mETe3w1GIGc2Lliad32Jpbx496IgDe1K3FMBEoKFZfhmtlRSXft8NKgSzPt2zkatM9bFKfaCYRaSy7akbk"} From 77a1cdf3b01653074ec49d7e343f45010f2d93c9 Mon Sep 17 00:00:00 2001 From: Conor Schaefer Date: Thu, 27 May 2021 09:51:01 -0700 Subject: [PATCH 03/12] Updates PEM pubkey for new key Generated the PEM format public key component via: openssl rsa -in key.pem -outform PEM -pubout -out public.pem where `key.pem` is the RSA privkey in PEM format (via `openpgp2pem`). --- public_release.pem | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) 
diff --git a/public_release.pem b/public_release.pem
index 8b4ecc0..6084b27 100644
--- a/public_release.pem
+++ b/public_release.pem
@@ -1,15 +1,14 @@
 -----BEGIN PUBLIC KEY-----
-MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAp10BbUVc5Xj2S/+MH3bA
-CNBaISo/r9e3PVPyTTjsGsdg2qSXvqUO42fBtpFAy0zUzIGS83v4JjiRdvKJaZTI
-vbC8AcpymzdsTqujMm8RPTSy3hO/8mXzGa4DEsIB1uNLnUWRBKXvSGCmT9kFyxhT
-pkYqokNBzafVihTU34tN2Md1xFHnmZGqfYtPtbJLWAa5Z1M11EyR4lIyUxIiPTV9
-t1XstDbWr3iS83REJrGEFmjG1+BAgx8/lDUTa41799N2yYEhgZud7bL0M3ei8s5O
-ERjiion5uANkUV3+s2QqUZjiVA+XR/HizXjciaUWNd683KqekpNOZ/0STh/UGwpc
-wU+KwG07QyiCrLrRpz8S/vH8CqGrrcWY3GSzYe9dp34jJdO65oA+G8tK6fMXtvTC
-FDZI6oNNaXJH71F5J0YbqO2ZqwKYc2WSi0gKVl2wd9roOVjaBmkJqvocntYuNM7t
-38fDEWHn5KUkmrTbiG68Cy56tDUfpKl3D9Uj4LaMvxJ1tKGvzQ4k/60odT7gIxu6
-DqYjXUHZpwPsSGBq3njaD7boe4CUXF2K7ViOc87BsKxRNCzDD8OklRjjXzOTOBH3
-PqFJ93CJ+4ECE5t9STU20aZ8E+2zKB8vjKyCySE4+kcIvBBsnkwVaJTPy9Ft1qYy
-bo+soXEWVEZATANNWklBt8kCAwEAAQ==
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvsC7BNafkRe8Uh1DUgCk
+v6RbPQMdJgAKKnWdSqQd7tQzU1mXfmo/k1Py/2MYMZXOWmqSZ9iwIYkykZYywJ2V
+yMGve4byj1sLn6YQoOkG8g5Z3V4y0S2RpEfmYumNjTzfq8nxtLnwjaYd4sCUd5wa
+0SzeLrpRQuXo2bF3QuUF2xcbLJloxX1MmlsMMCdBc+qGNonLJ7bpn/JuyXlDWy1F
+keyw1qgjiOdiRIbMC1x302zgzX6dSrBrNB8Cpsh+vCE0ZjUo8M9caEv06F6QbYmd
+GJHM0ZZY34OHMSNdf+/qUKIV/SuxuSuFE99tkAeWnbWpyI1V+xhVo1sc7NzChP8c
+i2TdPvI3/0JyAuCvL6zIFqJUJkZibEUghhg6F09+oNJKpy7rhUJq7zZyLXJsvuXn
+n0gnIxfjRvMcDfZAKUVMZKRdw7fwWzwQril4Ib0MQOVda9vb/4JMk7Gup+TUI4sf
+uS4NKwsnKoODIO+2U5QpJWdtp1F4AQ1pBv8ajFl1WTrVGvkRGK0woPWaO6pWyJ4k
+RnhnxrV2FyNNt3JSR+0JEjhFWws47kjBvpr0VRiVRFppKA+plKs4LPlaaCff39Tl
+eYmY3mETe3w1GIGc2Lliad32Jpbx496IgDe1K3FMBEoKFZfhmtlRSXft8NKgSzPt
+2zkatM9bFKfaCYRaSy7akbkCAwEAAQ==
 -----END PUBLIC KEY-----
-
From 23248d63e8e2e14df8dd010f26639bfbab4d01a9 Mon Sep 17 00:00:00 2001
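Review bot: This PEM and `release-pubkey.jwk` from PATCH 02/12 carry the same RSA public key in two encodings that are updated by hand in separate commits, and nothing visible in the series checks that they agree. The modulus in the new PEM body does match the new JWK `n` value here, but a small check in the signing or CI tooling that decodes both files and compares modulus and exponent would catch a rotation where only one of them is updated. The commit message also says this file was produced from the private key in PEM form, whereas the JWK commit started from the ASCII-armored public key; deriving the PEM from public material as well would mean the release signing private key never has to be exported for this step. Recording the OpenPGP fingerprint of the source key in the commit message (for example `Key fingerprint: [FINGERPRINT PLACEHOLDER]`) would let a reviewer tie both files to the published release key.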
From: Conor Schaefer
Date: Thu, 27 May 2021 09:55:42 -0700
Subject: [PATCH 04/12] Resigns rules with new 2021 key
---
 default.rulesets.1622134324.gz | Bin 0 -> 1691 bytes
 index.html | 4 ++--
 latest-rulesets-timestamp | 2 +-
 rulesets-signature.1622134324.sha256 | Bin 0 -> 512 bytes
 4 files changed, 3 insertions(+), 3 deletions(-)
 create mode 100644 default.rulesets.1622134324.gz
 create mode 100644 rulesets-signature.1622134324.sha256
diff --git a/default.rulesets.1622134324.gz b/default.rulesets.1622134324.gz new file mode 100644 index 0000000000000000000000000000000000000000..6ee71e762f9109b98d05f2864826ed8a83b2ae97 GIT binary patch literal 1691 zcmV;M24wjkiwFP!000001D%&$kKDEuhX0B%*M{SzC^7X-VH-_sv`yP=il8-IfTT!~ z62D1Flnnp(a@KKbO=o8f-3%~1d=L2OeDLsNbxKmRn6P%Im(^Vhz+DY%0H0N-z&H!c zP*x15?-6Qv`v=bJjTv*)OviZEX?4xVD3<%9(6?7GCZyVH#ywYKVOI8-f zW@d9I&A8M!=w(Z5GuUnIeslKe!>4DzGrfBKW_Nf@=yNGxDgt|OlX zXH#W9yna{KX0dh~Ba-M)lx^Cjl2FwC`Foet+q^3uZ9HxTpX&#o2f!vVp8SL1h zDG@xvT5065%%NRp6kEV*poQs&$lYK-%SL5KZ+YJ$)LyTa*QMUAseWWiX>4{ZNsGH6-lsBsNY#sUKm-MJ;0j)lnfv0`TvK7?~ideIJ|otJXlNC=i2t#w`|9}J;zl3LZdo+fFuQ%OYa zr0<+iXl}0O-48YpwvP&bSUSXTOL`HH77smOtt`P<8Y_jL<_@wJCYy;eq6OHF7GkM; z?4n&5Fa3_;s|@FR^G9U~tFY;+zhbF&JV~(rY%NAzY=^+U$;Y0sTtt&DUwtY`HUulO zcOVP{R?QeJ>>2RD%WblTgJB}0prHk*zd=|=f=*uahV!|8TR+ToQ-9I59fTD3GD3*P zS~&ujMNmJDGPkt%b|ljp0i1Q#WYgG#ewZn^o_TL4&i`Jnz#We$i|2ds5X^1yp2WEY zIGu2x*HIdl+i4zVq_%;gavdraALy6waD zmFZBlp3?8B7#K&E6=Hd7Lyvg5!z@oDW_HkMQDkXaR5~e0Bn(RCI1F|*+x4uKKmYCD zZ~t;J*veoxq42Tpe_OmKsrzK93KEGnhg904<7}fW46yUO<_jO|L5mZzWVOjB+oMOzlA4kjlEqLp>( z44VK2OgBv`&FXp){q*yn_XuG;cKpY57xiDGEm4yk(a{YU>d|G@l}<=utG$ZRL_8{Q z_)_;qxuNM59s28o(LFZR4*?r0Bem5V5y~E__LF(!^vn7otS9w*Jko%EGOJ!i zwN^G})l0i#w?-~|SejhFI42wLrV-+;CHZ=u-6zJek+_T)Q;?h7ap})%hnQ|^_dG+6 z1ln2Sd06Yv!t?7x;I__7-}BmRyq@JaM^FcVXWf(nD%Ws&q+K&A-h|0evG3JonLaEZ z>(o!k_dK&xSuuncv(EF}O>@h#Swbcp_FEK4&4_0k4Of6s*^Mbt!s#PCwj@Tf)qP>v z6MZ(svT_XRDg8xB1&xO^j2Stc1hEs~V`76TlOt%bQFGRQ2CHR!(`FfQhQ1Ty^}FYM zrT&VekfuMs5C3mqT7I`39-F?!#YND#(b?gaTUZ{2tFKqXyy%sh%9xbFL<{1$ChoKw zT@#{0jSS88p#3UjOp2Aq+`>ZjN_Km^udP@f8;QQn$sTdEJ;@xd5wE~+cGEq=0XA~* ldH{0{i^p(soA*GX=m)gSXrbNLh##s?{{;bEqP;;B004S@PQw5I literal 0 HcmV?d00001 diff --git a/index.html b/index.html index 7c086fa..2cdb4f4 100644 --- a/index.html +++ b/index.html @@ -1,5 +1,5 @@ - rulesets-signature.1622054201.sha256
+ rulesets-signature.1622134324.sha256
latest-rulesets-timestamp
- default.rulesets.1622054201.gz
+ default.rulesets.1622134324.gz
diff --git a/latest-rulesets-timestamp b/latest-rulesets-timestamp index 536836b..b90563c 100644 --- a/latest-rulesets-timestamp +++ b/latest-rulesets-timestamp @@ -1 +1 @@ -1622054201 +1622134324 diff --git a/rulesets-signature.1622134324.sha256 b/rulesets-signature.1622134324.sha256 new file mode 100644 index 0000000000000000000000000000000000000000..09faf2ea92ea3727118b3d721409ead93658f107 GIT binary patch literal 512 zcmV+b0{{JqQP%)>Co_52aB2T+_phLjfx4ly4(wv~XBaOg!?Yx{I7KSCc>Ngk4kYRt3q& z`O<)LQLM^5>C{}D-sF0Q^a52)^;w`hVe9!%fNufTUHw5yCC~8l+H*<+(2DKFYX6KR zp3_*Z%DI10n1ppnTW#bWnVn@y17k1$l=fXw*ry`eBqKAQs5P$I4~O*y3}7mX^D@bsi&Rcp($rhyO=@(bt9D_l6hOX5E=>YF#KjoA znEFJ2nP0sQqBbrHWJIzeU{L0s`TR8(7{d^=-{&`Z^+BTl`74xXuyZ}A1QH}0S)k?k zSX(jh)5=I}Z%AdN6bz4%!bpok-7jHO2-Vu5Z$;HW(AJn5%Q*c&xRRmviqo}58q`_` C^#51@ literal 0 HcmV?d00001 From 03b050f4cc9607bb5e90e72f60032ff79325a719 Mon Sep 17 00:00:00 2001 From: ro Date: Mon, 14 Jun 2021 09:55:22 -0400 Subject: [PATCH 05/12] WIP- add Forbidden Stories to ruleset (cherry picked from commit 060948afb143195ad17755a4389a8ccda9cc60f3) --- onboarded.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/onboarded.txt b/onboarded.txt index 59c92cf..beb612a 100644 --- a/onboarded.txt +++ b/onboarded.txt @@ -23,3 +23,4 @@ whistlebloweraid.org,whistlebloweraid.securedrop.tor.onion sec.theglobeandmail.com,theglobeandmail.securedrop.tor.onion www.nrk.no,nrk.securedrop.tor.onion img.huffingtonpost.com,huffpost.securedrop.tor.onion +forbiddenstories.org,forbiddenstories.securedrop.tor.onion From c72753c8a637b85588f030b49483ece4c2f5e105 Mon Sep 17 00:00:00 2001 
From: Kevin O'Gorman
Date: Wed, 30 Jun 2021 11:59:29 -0400
Subject: [PATCH 06/12] signed updated 2021 branch including forbidden stories and torstar changes
---
 default.rulesets.1625068418.gz | Bin 0 -> 1756 bytes
 index.html | 4 ++--
 latest-rulesets-timestamp | 2 +-
 rulesets-signature.1625068418.sha256 | 4 ++++
 .../forbidden-stories-securedrop-ruleset.xml | 5 +++++
 rulesets/toronto-star-securedrop-ruleset.xml | 2 +-
 6 files changed, 13 insertions(+), 4 deletions(-)
 create mode 100644 default.rulesets.1625068418.gz
 create mode 100644 rulesets-signature.1625068418.sha256
 create mode 100644 rulesets/forbidden-stories-securedrop-ruleset.xml
diff --git a/default.rulesets.1625068418.gz b/default.rulesets.1625068418.gz new file mode 100644 index 0000000000000000000000000000000000000000..de1b81a09dd8015fea924b11da9ff1156b6d798e GIT binary patch literal 1756 zcmV<21|#_&iwFP!000001D%&!kKDEufd7gx&&Fm=QIg}A!Zw=NXqz_K6hUja07;P) zCEiI%qzwP}a@KKbO=ouvy)3Zj@SNeNbLGeC6osN8B4tl6tLH6fZrc~|`HN@O$x}u> z)r1zssbK^+?QKhOgIk1O)D+_9w+Nx;_WO=8h}etoA^HBr>1;Sl8fXl~?)}G;Myhx? zf%f+HW%cVotG9?u)K@>x$VcjBK0P}{)3UR&jZOr%T3d@L&{{_;F_d? zp;_qC3q7qh@@m~;Zbq}^{eK74xi2h*$9Z+4eQnB1WG(DffP-2?Ov!3_;j5MnTM zjaN!xy5c@&v1u&3W|%=eK~ZS9g1s|EZ1vJ!QYAiXu;J z8A^@;KF~QbP5T`5;FC?J1R-pb%ic(nsa?0ElAyZl#6wi3d;Tk z`fiRGO|X`#b4VoL=A{cQpfyl~=3`)X)S#u4G?O!ow_Vp>ua?)P-i@w)q*5xRcP#i` z#XoBfA$@~~Jz1&wRq3VQ8U|#;-8wQt$KFcR>0zv!UN?j_vUPMBao4RVXpQRYW%ODa zQ)L(en-)R45IH#Ozz6hi7Pnw+VEL<80={$dql=T!&5kUX6zqj%I|oF zB0P`&LokmU?@6p(fmIRllqaESYUdf}QcFrjPk5VSKeV`n1aSw}r2R^fDd<;8-j&1` zagMYqm2lopb@>-XvC!(y5P@WMN5pv@u23vHtY69pul}iv-Uku)TdZ&)+zg-39Qp`P zJJ^4SW+E9m#24+CjC7Y99XC&1&_I>e;-rekz}Ag3up~-6ZQB;p^=Woa(|5Y8=7idK znWy55;%K5i;ove;Q$LSQlfVc%30#gdh=j&GWtQ-W5fi#jW!24V-*0x9uMY1=B>6>}c9r&pTGev|({V)QqZIC0?7hE5iar>_;h5 z7)O)!c0FswFMt2{+rM7y?!udGkm%SPc-(kTQuAnt^r9QuOznyqZA zM>Y6i1C3~Gwq9-Uq3&2#r|MtEPt~vI2kDMS=le(MA)H5TFXA%R(*h};XHL|-CK6L4 zNVlb-tG!MUf?z})drfCR098#BOS8IOL_huVmpy`?j$QvDyNmj-yDbtOEmpyf2&%~@ z*_Td8V5^)AK?gKRr`cL_E$!HFNk)Es5Z@tP{os)%A`nx(8GJcYhWZXCF!Duy2@HGqi18VEEa?WbKv3e2H5bxvVKQAp!di4o2$hRV@hH~Qx;w1_e7r+p-7G)J!QXV%43Z?&sC`uLoi-8zcOrK-;MyGE)MH#J%ZVl z=W!3ZrCt)T%L65K9;v^fFbK`hPvHMsnASgZhu5ZWad8nerd6`2Wd@daZ+3Oo)D2w9 zxvWVE%tS6}%8^-RC)@ZSyGHotdeD9wM2M1>_v%W0^-A=6ysx!L99xOL&B-2dG8`uc yb3hrm&1{Ny$iqgAPK{tmesu`Wc5@DhF1WE - rulesets-signature.1622134324.sha256
+ rulesets-signature.1625068418.sha256
latest-rulesets-timestamp
- default.rulesets.1622134324.gz
+ default.rulesets.1625068418.gz
diff --git a/latest-rulesets-timestamp b/latest-rulesets-timestamp index b90563c..f7a7f10 100644 --- a/latest-rulesets-timestamp +++ b/latest-rulesets-timestamp @@ -1 +1 @@ -1622134324 +1625068418 diff --git a/rulesets-signature.1625068418.sha256 b/rulesets-signature.1625068418.sha256 new file mode 100644 index 0000000..8a4f0e4 --- /dev/null +++ b/rulesets-signature.1625068418.sha256 @@ -0,0 +1,4 @@ +Z`R݇~;v:SdN5 +Id?e_ 8շx]t曍ϊG"A&xd@{[jxnIyp9݀QfU <]P+((W)9T6`2,8`9@0='CŸ +-ɪ0btlPAEK|h`Y/ysn'Pr7C(ߺM%b`^[ 7*_l;M8A|dnt@cE@`dψ>@Ԟ]kyNK{3Fa?pVś;v}\;B˷4]O4 DŔ'pwS~Pb7;U@5. 4L͞Ȋsw6`!Q|CѴ7C=̷'Ide?b-:bdΛ/7a1 z83ƅ$w tBYj3o.aR YR:W! +Jf} \ No newline at end of file diff --git a/rulesets/forbidden-stories-securedrop-ruleset.xml b/rulesets/forbidden-stories-securedrop-ruleset.xml new file mode 100644 index 0000000..75d16d2 --- /dev/null +++ b/rulesets/forbidden-stories-securedrop-ruleset.xml @@ -0,0 +1,5 @@ + + + + diff --git a/rulesets/toronto-star-securedrop-ruleset.xml b/rulesets/toronto-star-securedrop-ruleset.xml index 397c25e..e0cccf4 100644 --- a/rulesets/toronto-star-securedrop-ruleset.xml +++ b/rulesets/toronto-star-securedrop-ruleset.xml @@ -1,5 +1,5 @@ + to="http://yj3b7rgmglcocbbvzrwfbo4d6j2aa7thwupra4yqutbd27v3vxcpvgid.onion" /> From 1a781a261666157bdd18f9efbc15b162114b16e5 Mon Sep 17 00:00:00 2001 From: Maeve Andrews Date: Wed, 3 Mar 2021 12:54:12 -0500 Subject: [PATCH 07/12] Don't set MIME type to application/octet-stream (cherry picked from commit d380d4b866c83e7d8cf07c1f8d829597055ea812) From 8153b38b31e3247849e6ff2881f1f940ec7bd3b6 Mon Sep 17 00:00:00 2001 From: Maeve Andrews Date: Tue, 22 Jun 2021 12:24:11 -0400 Subject: [PATCH 08/12] Explicitly redirect requests with no or multiple trailing slashes (cherry picked from commit aae0127123b9ccf90d2d9a78ac9cf665762f6b6b) --- docker/nginx.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docker/nginx.conf b/docker/nginx.conf index cdc3b1a..80d3340 100644 --- a/docker/nginx.conf +++ b/docker/nginx.conf 
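Review bot: The one-line change to `rulesets/toronto-star-securedrop-ruleset.xml` appears to replace the `to=` onion address of an existing rule, and neither the commit message ("torstar changes") nor the file records where the new address was confirmed. This mapping decides which onion service a reader is sent to for the human-readable name, so the source of the address is worth stating next to it, for example as an XML comment above the rule reading `to= address confirmed via [VERIFICATION SOURCE PLACEHOLDER] on [DATE PLACEHOLDER]`, or as a trailer in the commit message. The rest of the ruleset markup is not visible in this view of the hunk, so the note is limited to the `to=` line.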
@@ -17,9 +17,12 @@ http {
 uwsgi_temp_path /opt/nginx/run/uwsgi_temp;
 scgi_temp_path /opt/nginx/run/scgi_temp;
+ merge_slashes off;
+
 location / {
 root /opt/nginx/root;
 index index.html;
+ rewrite ^/https-everywhere($|//+)(.*) /https-everywhere/$2 permanent;
 }
 }
 }
From fcae17005aba45eb6170819491a17eb10f1fb183 Mon Sep 17 00:00:00 2001
From: Maeve Andrews
Date: Wed, 30 Jun 2021 17:31:06 -0400
Subject: [PATCH 09/12] Account for external 2021 path in the nginx redirect
---
 docker/nginx.conf | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/docker/nginx.conf b/docker/nginx.conf
index 80d3340..c5ca389 100644
--- a/docker/nginx.conf
+++ b/docker/nginx.conf
@@ -22,7 +22,9 @@ http {
 location / {
 root /opt/nginx/root;
 index index.html;
- rewrite ^/https-everywhere($|//+)(.*) /https-everywhere/$2 permanent;
+ # This line has been adjusted for the temporary different external URL.
+ # Don't include this change in the main branch.
+ rewrite ^/https-everywhere($|//+)(.*) /https-everywhere-2021/$2 permanent;
 }
 }
 }
From babb74af759204cf7e403840c6b2b2ee2a38fd8e Mon Sep 17 00:00:00 2001
From: ro
Date: Tue, 6 Jul 2021 13:32:35 -0400
Subject: [PATCH 10/12] Add Al-Jazeera (English) investigations unit to ruleset (WIP, requires signing) (cherry picked from commit adbf810b903b547d698ad5c13ac2ab9cfd1291b0)
---
 onboarded.txt | 1 +
 1 file changed, 1 insertion(+)
diff --git a/onboarded.txt b/onboarded.txt
index beb612a..4716f91 100644
--- a/onboarded.txt
+++ b/onboarded.txt
@@ -24,3 +24,4 @@ sec.theglobeandmail.com,theglobeandmail.securedrop.tor.onion
 www.nrk.no,nrk.securedrop.tor.onion
 img.huffingtonpost.com,huffpost.securedrop.tor.onion
 forbiddenstories.org,forbiddenstories.securedrop.tor.onion
+webapps.aljazeera.net,ajiunit.securedrop.tor.onion
From 3377a694e87232ee2f129da093daaccd0ade8ed1 Mon Sep 17 00:00:00 2001
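Review bot: `merge_slashes off;` is added without a comment at what appears to be server scope, so it changes URI handling for the whole server block rather than only for the redirect it supports. Presumably it is there so that the `//+` alternative in the new `rewrite` can still see repeated slashes; a comment such as `# Keep repeated slashes visible so the rewrite below can redirect them to the canonical path` would record that, and would warn that any location added later matches against unmerged paths. The rewrite only canonicalises slashes directly after `/https-everywhere`, so a request like `/https-everywhere/a//b` is still answered under the non-canonical URL; worth confirming that is intended. The enclosing `http` and server blocks start outside the hunk.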
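Review bot: The rewrite in PATCH 09/12 keeps the `permanent` flag (a 301) while the comment added above it describes the `-2021` target as temporary, and clients that cache a 301 may keep following it after the target changes again. Using the `redirect` flag (302) for the year-specific target avoids that: `rewrite ^/https-everywhere($|//+)(.*) /https-everywhere-2021/$2 redirect;`. The pattern also still matches only the bare `/https-everywhere` prefix, so `/https-everywhere-2021` without a trailing slash or with repeated slashes is not canonicalised by this rule; if the external path is now the `-2021` one, that case may need its own rule. The same rewrite line is carried unchanged into PATCH 12/12, which only rewords the comment.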
From: Kevin O'Gorman Date: Fri, 9 Jul 2021 17:14:39 -0400 Subject: [PATCH 11/12] added 2021-channel ruleset for AJ IUnit --- default.rulesets.1625865001.gz | Bin 0 -> 1827 bytes index.html | 4 ++-- latest-rulesets-timestamp | 2 +- rulesets-signature.1625865001.sha256 | Bin 0 -> 512 bytes rulesets/al-jazeera-securedrop-ruleset.xml | 5 +++++ 5 files changed, 8 insertions(+), 3 deletions(-) create mode 100644 default.rulesets.1625865001.gz create mode 100644 rulesets-signature.1625865001.sha256 create mode 100644 rulesets/al-jazeera-securedrop-ruleset.xml diff --git a/default.rulesets.1625865001.gz b/default.rulesets.1625865001.gz new file mode 100644 index 0000000000000000000000000000000000000000..204fdb7007acbc8ef7afa420993dc6a693f8e186 GIT binary patch literal 1827 zcmV+;2i*7{iwFP!000001D%&$kKMKrhX0DN*M_sEDADmvVH-{Cwocn@il8-IfTT!@ z62D1Flnnp(@~q?3IyrmR(9HtN;X8+qW;mSrSluM4Sxi{Fn-|ry7BtV>=Jxj4ljH zrIv8t1g$k;3+d7-H$xO^`U%t{lr>t>%B_u|N7`Qo;E5S$WBFUXyxX(<-*gPA-il#5aKraHCSa==9Vq%ESW(_K15~9hrnGSIYaugeiZ4t zevg!OT?+=s$&HO|Tjn$EK!Ds+r<^AslCGP0vjMX}0fvxSgVgi@lB)iKH^u_4-my;N z>L->K8^%4~ASWXavR%{exrQ;}8Z3>N$JUj^;>*w?7wuqEt$(qfm1egPGMyFp>8_U zP~NE4vw0v0EjSv3>&xZgm9n0(H?}&bL2DcPe$JVZd-%WblTgJB|LPeTik zxE#cL!qUx^cgg&L?YH&ATvzpH53YldVj&}hXsneZa9Milr%~pX3U5a;tr5UkXH7PZ zJrKi8!R5>KX5#!GrF+@&^kwnX(j0=hF5Z(kw*aRT7I__|VY!_qvX;A~bqZ9pYwG%z zl#pQI!IDi_7`6rdBFWp5_%cn2Rplm}x^7ec#YxVry0cVbRozi}YV#|cN^c(K^1-Wr znPLx7rhRuVeT+~0&wCDigvTB1KSVRq6?-gZQyL0v(At=^1?Hmxx|9~Lbg~wz+D!&+xCh8*&&NDT4)6g^-3;-$M*EE4dSz5=HXEG4X zrKxji;n$_>HrJ0NboFpKQ{S4o%x_X)%AV3~AFi)VhobeEeow`~II^q|%Uc@+;^mpP zJdK#yL8C>HrD;)lEI=Y*P%_71u&dcFXRZAC@Bex8x3if<2D|kNAA1L`i}xh8NS3M~ zQQzi}N?CNAZIp!pcAnRK;bT4MKJ*)CWaCyB^adZQj-_>~{#{!2>X*}?z2hhdM}>F2-h5yE)v z_z&sM?thK8L``x;M>k-oN0(JsDj|if_9{jb@uml(&UjE3*<6yzp%T>A6cA*QR^v(Yd|0`08vJgjwS;c39?aa-p_2wt0w z*Rvew2@h# zSwbcpiY@j?&4_0k4Of6s*^Mbt!s!D%wj@TfrP0M - rulesets-signature.1625068418.sha256
+ rulesets-signature.1625865001.sha256
latest-rulesets-timestamp
- default.rulesets.1625068418.gz
+ default.rulesets.1625865001.gz
diff --git a/latest-rulesets-timestamp b/latest-rulesets-timestamp index f7a7f10..74eed20 100644 --- a/latest-rulesets-timestamp +++ b/latest-rulesets-timestamp @@ -1 +1 @@ -1625068418 +1625865001 diff --git a/rulesets-signature.1625865001.sha256 b/rulesets-signature.1625865001.sha256 new file mode 100644 index 0000000000000000000000000000000000000000..173fca923723d0a42a6603951a8fdb9783c4aecc GIT binary patch literal 512 zcmV+b0{{JnKO(&9b5Elj>q+udYW(W0lv2DQkne=N4AU!;)_#O}WQkPrsEQAC0W(<# z3A{jPDhMd@Q=~|OYOiM%!)jG|E9$A$mr6KsaXj_FeJ#^(=7BVDlZ+uW6Bay$X6VJi zV*;G^B($I(>*n_zQ0o)10WElkV$vvMlIdw^J;&Nq&nk)dSv_ECv^>tmW>_=Al;CWeJVujp0tmfNbP9dq;v+hcR zGxr}7b2DTMpFTk)p+v>8cIobGyh_2~+F-L2cDkAMW`93B3TtD?f4`U~%{^ZcCf3Bq zcj)=@X)beOmS#iWjOZ>hF;Sz@oth8uR+<8Va$ZwPbJ2sTG4Xz32~`-QP?{M!kIiEt zoM!z{jAj|i2E4eA&`m@OBU))p#km_gw+P@1XQPzZ0vvXmP>0lcV5&&dAaa9rQFdsK zr?+imXHe=w3wetOO$CxIrl6?P!r<$86~WtqKi!RMX>OiVMvf<0Qg%2A{ZH30%t$X`O#m + + + From 304736abb6bf05cbf5bddc7be522c101aeba2573 Mon Sep 17 00:00:00 2001 From: Conor Schaefer Date: Thu, 19 Aug 2021 10:57:05 -0400 Subject: [PATCH 12/12] Update nginx image Bumps tag to latest in the "mainline-alpine". Hadn't been updated in a while. Clarifies comment in nginx config, preserving the new route logic. --- docker/Dockerfile | 4 ++-- docker/nginx.conf | 3 +-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index d9de044..78a8069 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -1,5 +1,5 @@ -# sha256 as of 2020-09-25 for mainline-alpine -FROM nginx@sha256:4635b632d2aaf8c37c8a1cf76a1f96d11b899f74caa2c6946ea56d0a5af02c0c +# sha256 as of 2021-08-18 for nginx:mainline-alpine +FROM nginx:mainline-alpine@sha256:bead42240255ae1485653a956ef41c9e458eb077fcb6dc664cbc3aa9701a05ce COPY docker/nginx.conf /etc/nginx RUN mkdir -p /opt/nginx && chown nginx:nginx /opt/nginx diff --git a/docker/nginx.conf b/docker/nginx.conf index c5ca389..6213e6a 100644 --- a/docker/nginx.conf +++ b/docker/nginx.conf 
@@ -22,8 +22,7 @@ http {
 location / {
 root /opt/nginx/root;
 index index.html;
- # This line has been adjusted for the temporary different external URL.
- # Don't include this change in the main branch.
+ # Catch all relevant URLs and redirect to most recent, i.e. "2021" route
 rewrite ^/https-everywhere($|//+)(.*) /https-everywhere-2021/$2 permanent;
 }
 }