From 1799e4c4f7665d8005c1b765f1126f704c46a3b5 Mon Sep 17 00:00:00 2001
From: Loic Dachary <loic@dachary.org>
Date: Mon, 4 Dec 2017 19:49:57 +0100
Subject: [PATCH 01/51] l10n: sync ar de_DE es_ES fr_FR nb_NO nl pt_BR
 translations

These are official translations to release with 0.5. The reviewers
are:

* ar: https://weblate.securedrop.club/user/Thalia (localizationlab),
      https://weblate.securedrop.club/user/ramyraoof (localizationlab)
* de_DE: https://weblate.securedrop.club/user/Atalanttore (localizationlab)
* es_ES: https://weblate.securedrop.club/user/freddymartinez9 (FPF)
* fr_FR: https://weblate.securedrop.club/user/french.coordinator (localizationlab)
* nb_NO: https://weblate.securedrop.club/user/kingu (localizationlab)
* nl: https://weblate.securedrop.club/user/AnneM (localizationlab),
  https://weblate.securedrop.club/user/kwadronaut (localizationlab)
* pt_BR: https://weblate.securedrop.club/user/communiaa (localizationlab)

See docs/development/i18n.rst for more information on how these files
are updated.
---
 .../roles/tails-config/templates/de_DE.po     |  18 +-
 .../templates/desktop-journalist-icon.j2      |   4 +-
 .../templates/desktop-source-icon.j2          |   4 +-
 .../roles/tails-config/templates/es_ES.po     |   8 +-
 .../roles/tails-config/templates/nl.po        |  16 +-
 .../translations/ar/LC_MESSAGES/messages.po   | 306 +++++++++---------
 .../de_DE/LC_MESSAGES/messages.po             |  17 +-
 .../es_ES/LC_MESSAGES/messages.po             | 250 +++++++-------
 .../fr_FR/LC_MESSAGES/messages.po             |  21 +-
 securedrop/translations/messages.pot          |  10 +-
 .../nb_NO/LC_MESSAGES/messages.po             |  17 +-
 .../translations/nl/LC_MESSAGES/messages.po   |  17 +-
 .../pt_BR/LC_MESSAGES/messages.po             | 297 ++++++++---------
 13 files changed, 504 insertions(+), 481 deletions(-)

diff --git a/install_files/ansible-base/roles/tails-config/templates/de_DE.po b/install_files/ansible-base/roles/tails-config/templates/de_DE.po
index 3b4a7ab0651..50102e17920 100644
--- a/install_files/ansible-base/roles/tails-config/templates/de_DE.po
+++ b/install_files/ansible-base/roles/tails-config/templates/de_DE.po
@@ -7,19 +7,21 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: securedrop@freedom.press\n"
-"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
-"Last-Translator: Automatically generated\n"
-"Language-Team: none\n"
-"Language: de\n"
+"PO-Revision-Date: 2017-12-01 13:53+0000\n"
+"Last-Translator: kwadronaut <kwadronaut@autistici.org>\n"
+"Language-Team: German "
+"<https://weblate.securedrop.club/projects/securedrop/desktop/de/>\n"
+"Language: de_DE\n"
 "MIME-Version: 1.0\n"
-"Content-Type: text/plain; charset=ASCII\n"
+"Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+"Plural-Forms: nplurals=2; plural=n != 1;\n"
+"X-Generator: Weblate 2.17.1\n"
 
 #: desktop-journalist-icon.j2.in:9
 msgid "SecureDrop Journalist Interface"
-msgstr ""
+msgstr "Journalistenschnittstelle für SecureDrop"
 
 #: desktop-source-icon.j2.in:9
 msgid "SecureDrop Source Interface"
-msgstr ""
+msgstr "Quellenschnittstelle für SecureDrop"
diff --git a/install_files/ansible-base/roles/tails-config/templates/desktop-journalist-icon.j2 b/install_files/ansible-base/roles/tails-config/templates/desktop-journalist-icon.j2
index bbf7528b837..e52c5fb977b 100644
--- a/install_files/ansible-base/roles/tails-config/templates/desktop-journalist-icon.j2
+++ b/install_files/ansible-base/roles/tails-config/templates/desktop-journalist-icon.j2
@@ -5,9 +5,11 @@ Version=1.0
 Type=Application
 Terminal=false
 Categories=Network;
-Name[es_ES]=Interfaz del periodista de SecureDrop
+Name[de_DE]=Journalistenschnittstelle für SecureDrop
+Name[es_ES]=Interfaz de Periodista de SecureDrop
 Name[fr]=SecureDrop - Interface des journalistes
 Name[nb_NO]=Journalistgrensesnitt for SecureDrop
+Name[nl]=SecureDrop - interface voor journalisten
 Name=SecureDrop Journalist Interface
 Icon={{ tails_config_securedrop_dotfiles }}/securedrop_icon.png
 Exec=/usr/local/bin/tor-browser {{ item.0.onion_url }}
diff --git a/install_files/ansible-base/roles/tails-config/templates/desktop-source-icon.j2 b/install_files/ansible-base/roles/tails-config/templates/desktop-source-icon.j2
index e6204a4f760..bf69984b16d 100644
--- a/install_files/ansible-base/roles/tails-config/templates/desktop-source-icon.j2
+++ b/install_files/ansible-base/roles/tails-config/templates/desktop-source-icon.j2
@@ -5,8 +5,10 @@ Version=1.0
 Type=Application
 Terminal=false
 Categories=Network;
-Name[es_ES]=Interfaz de la Fuente de SecureDrop
+Name[de_DE]=Quellenschnittstelle für SecureDrop
+Name[es_ES]=Interfaz de Fuente de SecureDrop
 Name[fr]=SecureDrop - Interface des sources
+Name[nl]=Securedrop - interface voor bronnen
 Name=SecureDrop Source Interface
 Icon={{ tails_config_securedrop_dotfiles }}/securedrop_icon.png
 Exec=/usr/local/bin/tor-browser {{ item.0.onion_url }}
diff --git a/install_files/ansible-base/roles/tails-config/templates/es_ES.po b/install_files/ansible-base/roles/tails-config/templates/es_ES.po
index 5e9e6f9c57c..5eda449f413 100644
--- a/install_files/ansible-base/roles/tails-config/templates/es_ES.po
+++ b/install_files/ansible-base/roles/tails-config/templates/es_ES.po
@@ -7,8 +7,8 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: securedrop@freedom.press\n"
-"PO-Revision-Date: 2017-11-29 08:29+0000\n"
-"Last-Translator: Daniel Arauz <danarauz@gmail.com>\n"
+"PO-Revision-Date: 2017-12-02 17:00+0000\n"
+"Last-Translator: Anatoli <djanatoli@gmail.com>\n"
 "Language-Team: Spanish "
 "<https://weblate.securedrop.club/projects/securedrop/desktop/es/>\n"
 "Language: es_ES\n"
@@ -20,8 +20,8 @@ msgstr ""
 
 #: desktop-journalist-icon.j2.in:9
 msgid "SecureDrop Journalist Interface"
-msgstr "Interfaz del periodista de SecureDrop"
+msgstr "Interfaz de Periodista de SecureDrop"
 
 #: desktop-source-icon.j2.in:9
 msgid "SecureDrop Source Interface"
-msgstr "Interfaz de la Fuente de SecureDrop"
+msgstr "Interfaz de Fuente de SecureDrop"
diff --git a/install_files/ansible-base/roles/tails-config/templates/nl.po b/install_files/ansible-base/roles/tails-config/templates/nl.po
index 717b35aca48..691fd8c41b6 100644
--- a/install_files/ansible-base/roles/tails-config/templates/nl.po
+++ b/install_files/ansible-base/roles/tails-config/templates/nl.po
@@ -7,19 +7,21 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: securedrop@freedom.press\n"
-"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
-"Last-Translator: Automatically generated\n"
-"Language-Team: none\n"
+"PO-Revision-Date: 2017-12-01 13:48+0000\n"
+"Last-Translator: kwadronaut <kwadronaut@autistici.org>\n"
+"Language-Team: Dutch "
+"<https://weblate.securedrop.club/projects/securedrop/desktop/nl/>\n"
 "Language: nl\n"
 "MIME-Version: 1.0\n"
-"Content-Type: text/plain; charset=ASCII\n"
+"Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+"Plural-Forms: nplurals=2; plural=n != 1;\n"
+"X-Generator: Weblate 2.17.1\n"
 
 #: desktop-journalist-icon.j2.in:9
 msgid "SecureDrop Journalist Interface"
-msgstr ""
+msgstr "SecureDrop - interface voor journalisten"
 
 #: desktop-source-icon.j2.in:9
 msgid "SecureDrop Source Interface"
-msgstr ""
+msgstr "Securedrop - interface voor bronnen"
diff --git a/securedrop/translations/ar/LC_MESSAGES/messages.po b/securedrop/translations/ar/LC_MESSAGES/messages.po
index 9fd659e6e87..1a0d3d23fe2 100644
--- a/securedrop/translations/ar/LC_MESSAGES/messages.po
+++ b/securedrop/translations/ar/LC_MESSAGES/messages.po
@@ -8,8 +8,8 @@ msgstr ""
 "Project-Id-Version: SecureDrop 0.3.12\n"
 "Report-Msgid-Bugs-To: securedrop@freedom.press\n"
 "POT-Creation-Date: 2017-09-02 07:28+0000\n"
-"PO-Revision-Date: 2017-11-29 12:00+0000\n"
-"Last-Translator: anonymous <noreply@weblate.org>\n"
+"PO-Revision-Date: 2017-12-03 21:00+0000\n"
+"Last-Translator: ramyraoof <ramy.raoof@gmail.com>\n"
 "Language-Team: Arabic "
 "<https://weblate.securedrop.club/projects/securedrop/securedrop/ar/>\n"
 "Language: ar\n"
@@ -27,67 +27,68 @@ msgstr "{time} مضى"
 
 #: journalist_app/__init__.py:34 journalist_app/__init__.py:66
 msgid "You have been logged out due to inactivity"
-msgstr "لقد تم تسجيل خروجك بسبب عدم تفاعلك"
+msgstr "تم تسجيل الخروج بسبب خمول النشاط"
 
 #: journalist_app/account.py:26
 msgid "Incorrect password or two-factor code."
-msgstr "إن كلمة السر هذه أو رمز التوثيق هذا غير صحيح."
+msgstr "كلمة السر أو رمز التحقق بخطوتين غير صحيح"
 
 #: journalist_app/account.py:39
 msgid "Token in two-factor authentication verified."
-msgstr "تم التحقق من رمز التوثيق الثنائي."
+msgstr "تم تصديق رمز التحقق بخطوتين."
 
 #: journalist_app/account.py:43 journalist_app/admin.py:91
 msgid "Could not verify token in two-factor authentication."
-msgstr "تعذّر التحقق من رمز التوثيق الثنائي."
+msgstr "تعذّر التثبت من رمز التحقق بخطوتين."
 
 #: journalist_app/admin.py:47
 msgid ""
 "There was an error with the autogenerated password. User not created. Please "
 "try again."
 msgstr ""
-"حصل خطأ  عند التوليد التلقائي  لكلمة السر. لذا لم يتم إنشاء حساب للمستخدم. "
-"الرجاء المحاولة مرة أخرى."
+"تعذر إنشاء حساب مستخدم بسبب وقوع خطأ أثناء توليد كلمة السر. رجاء المحاولة "
+"مرة أخرى."
 
 #: journalist_app/admin.py:58
 msgid "That username is already in use"
-msgstr "إن اسم المستخدم هذا مأخوذ"
+msgstr "اسم المستخدم غير متوفر"
 
 #: journalist_app/admin.py:61
 msgid ""
 "An error occurred saving this user to the database. Please inform your "
 "administrator."
 msgstr ""
-"لقد حدث خطأ أثناء تسجيل المستخدم في قاعدة البيانات. من فضلك قم بتبليغ "
-"المسؤول التقني."
+"لقد وقع خطأ أثناء عملية تسجيل المستخدم بقاعدة البيانات. رجاء إبلاغ المدير "
+"التقني."
 
 #: journalist_app/admin.py:84
 msgid "Token in two-factor authentication accepted for user {user}."
-msgstr "تمّ قبول رمز التوثيق الثنائي للمستخدم {user}."
+msgstr "تمّ قبول رمز التحقق بخطوتين للمستخدم {user}."
 
 #: journalist_app/admin.py:118
 msgid "Invalid secret format: please only submit letters A-F and numbers 0-9."
 msgstr ""
-"البيانات السرية غير صحيحة:  من فضلك استخدم فقط الأحرف من A-F والأرقام من 9-0."
+"صيغة البيانات السرية غير صحيحة:  رجاء استخدام الأحرف من A-F والأرقام من 9-0 "
+"فقط."
 
 #: journalist_app/admin.py:123
 msgid "Invalid secret format: odd-length secret. Did you mistype the secret?"
 msgstr ""
-"إن البيانات السرية غير صحيحة: فعدد الأحرف فردية.هل أخطأت في كتابة كلمة السر "
-"(البيانات السرية)؟"
+"صيغة البيانات السرية غير صحيحة: طول العبارة السرية يجب أن يكون عدد زوجي وليس "
+"فردي. رجاء ضبط الصيغة"
 
 #: journalist_app/admin.py:128 journalist_app/main.py:107
 #: journalist_app/utils.py:38
 msgid "An unexpected error occurred! Please inform your administrator."
-msgstr "لقد حدث خطأ غير متوقع. الرجاء مراجعة إبلاغ المسؤول."
+msgstr "لقد وقع خطأ غير متوقع. رجاء إبلاغ المسئول التقني."
 
 #: journalist_app/admin.py:161
 msgid "Username \"{user}\" already taken."
-msgstr "إن اسم المستخدم {user} مأخوذ."
+msgstr "تم تخصيص اسم {user} لمستخدم آخر."
 
 #: journalist_app/admin.py:197
 msgid "Deleted user '{user}'"
-msgstr "لقد تم حذف حساب المستخدم '{user}'"
+msgstr "تم حذف حساب المستخدم '{user}'"
 
 #: journalist_app/col.py:47
 msgid "{source_name}'s collection deleted"
@@ -99,28 +100,25 @@ msgstr "لم يتم تحديد أي مجموعة."
 
 #: journalist_app/decorators.py:16
 msgid "Only administrators can access this page."
-msgstr "يحق فقط لمسؤولي الصفحة الدخول إليها."
+msgstr "النفاذ للصفحة متاح للمسؤولين فقط."
 
 #: journalist_app/forms.py:17
 msgid "Field must be 40 characters long but got {num_chars}."
-msgstr ""
-"يجب أن يتضمن هذا الحقل أو هذه الخانة 40 حرفاً ولكنه عوضاً عن ذلك مكوّن من "
-"{num_chars}."
+msgstr "يجب أن يتضمن هذا الحقل 40 رمزا ولكنه مكوّن من {num_chars}."
 
 #: journalist_app/forms.py:28
 msgid ""
 "Field must be at least {min_chars} characters long but only got {num_chars}."
 msgstr ""
-"يجب أن يتضمن هذا الحقل أو هذه الخانة 40 حرفاً كحدّ أدنى، ولكنه عوضاً عن ذلك "
-"مكوّن من {num_chars}."
+"يجب أن يكون الحقل مكون من {min_chars} على الأقل وحاليا مشكل من {num_chars}."
 
 #: journalist_app/forms.py:33 source_app/forms.py:11
 msgid "This field is required."
-msgstr "إن هذه الخانة إلزامية."
+msgstr "هذا الحقل إلزامي."
 
 #: journalist_app/forms.py:50
 msgid "You cannot send an empty reply."
-msgstr "لا يمكنك إرسال رد فارغ."
+msgstr "لا يمكن إرسال رد فارغ."
 
 #: journalist_app/main.py:118
 msgid "Thanks. Your reply has been stored."
@@ -154,27 +152,21 @@ msgstr "فشل تسجيل الدخول."
 msgid "Please wait at least {seconds} second before logging in again."
 msgid_plural "Please wait at least {seconds} seconds before logging in again."
 msgstr[0] ""
-"الرجاء الإنتظار لمدة {seconds} ثانية على الاقل قبل محاولة تسجيل الدخول مرة "
-"أخرى."
+"رجاء الانتظار {seconds} ثانية على الأقل قبل محاولة تسجيل الدخول مرة أخرى."
 msgstr[1] ""
-"الرجاء الإنتظار لمدة {seconds} ثانية واحدة على الاقل قبل محاولة تسجيل الدخول "
-"مرة أخرى."
+"رجاء الانتظار {seconds} ثانية على الأقل قبل محاولة تسجيل الدخول مرة أخرى."
 msgstr[2] ""
-"الرجاء الإنتظار لمدة {seconds} ثانيتين على الاقل قبل محاولة تسجيل الدخول مرة "
-"أخرى."
+"رجاء الانتظار {seconds} ثانية على الأقل قبل محاولة تسجيل الدخول مرة أخرى."
 msgstr[3] ""
-"الرجاء الإنتظار لبعض {seconds} ثواني على الاقل قبل محاولة تسجيل الدخول مرة "
-"أخرى."
+"رجاء الانتظار {seconds} ثوان على الأقل قبل محاولة تسجيل الدخول مرة أخرى."
 msgstr[4] ""
-"الرجاء الإنتظار لمدة {seconds} ثواني عديدة على الاقل قبل محاولة تسجيل الدخول "
-"مرة أخرى."
+"رجاء الانتظار {seconds} ثواني على الأقل قبل محاولة تسجيل الدخول مرة أخرى."
 msgstr[5] ""
-"الرجاء الإنتظار لمدة {seconds} ثواني على الاقل قبل محاولة تسجيل الدخول مرة "
-"أخرى."
+"رجاء الانتظار {seconds} ثواني على الأقل قبل محاولة تسجيل الدخول مرة أخرى."
 
 #: journalist_app/utils.py:95
 msgid "Please wait for a new two-factor token before trying again."
-msgstr "الرجاء انتظار ظهور رمز توثيق ثنائي جديد قبل إعادة المحاولة."
+msgstr "الرجاء انتظار رمز تحقق بخطوتين جديد قبل إعادة المحاولة."
 
 #: journalist_app/utils.py:140
 msgid "Submission deleted."
@@ -198,7 +190,7 @@ msgstr[5] "حذف المزيد من المجموعات {num}"
 
 #: journalist_app/utils.py:228
 msgid "You submitted a bad password! Password not changed."
-msgstr "لقد أدخلت كلمة سر غير صحيحة! لذا لم يتم تغيير كلمة السر."
+msgstr "كلمة سر غير صحيحة! وبالتالي لم تتغير."
 
 #: journalist_app/utils.py:235
 msgid ""
@@ -206,27 +198,29 @@ msgid ""
 "correctly. To prevent you from getting locked out of your account, you "
 "should reset your password again."
 msgstr ""
-"هناك خطأ, ربما لم يتم حفظ كلمة السر الجديدة بالشكل الصحيح. لتجنب إقفال "
-"حسابك، يجب عليك إعادة ضبط كلمة السر."
+"لم يتم حفظ كلمة السر الجديدة بشكل صحيح بسبب وقوع خطأ. ينبغي عليك إعادة ضبط "
+"كلمة السر مرة أخرى لتجنب فقدان النفاذ لحسابك."
 
 #: journalist_app/utils.py:244
 msgid ""
 "Password updated. Don't forget to save it in your KeePassX database. New "
 "password:"
 msgstr ""
-"لقد تم تحديث كلمة السر. لا تنس تحفيظها في قاعدة بيانات  KeePassX الخاصة بك. "
-"كلمة السر الجديدة:"
+"تم تحديث كلمة السر. رجاء إدراجها في قاعدة بيانات KeePassX الخاصة بك . كلمة "
+"السر الجديدة:"
 
 #: journalist_app/utils.py:261
 msgid "No unread submissions in selected collections."
 msgstr "لا توجد رسائل غير مقروءة في المجموعات المختارة."
 
 #: journalist_templates/_source_row.html:19
-msgid "docs {doc_num}"
+#, fuzzy
+#| msgid "docs {doc_num}"
+msgid "{doc_num} docs"
 msgstr "{doc_num} مستندات"
 
 #: journalist_templates/_source_row.html:20
-msgid "messages {msg_num}"
+msgid "{msg_num} messages"
 msgstr "{msg_num} رسائل"
 
 #: journalist_templates/_source_row.html:23
@@ -236,7 +230,7 @@ msgstr "{num_unread} غير مقروء"
 #: journalist_templates/account_edit_hotp_secret.html:6
 #: journalist_templates/admin_edit_hotp_secret.html:7
 msgid "Change Secret"
-msgstr "قم بتغيير البيانات السرية"
+msgstr "تغيير البيان السري"
 
 #: journalist_templates/account_edit_hotp_secret.html:7
 #: journalist_templates/admin_add_user.html:33
@@ -248,7 +242,7 @@ msgstr "نظام HOTP أو الكلمة السرية لمرة واحدة"
 #: journalist_templates/admin_edit_hotp_secret.html:10
 #: source_templates/login.html:23
 msgid "CONTINUE"
-msgstr "تابع"
+msgstr "المتابعة"
 
 #: journalist_templates/account_new_two_factor.html:4
 #: journalist_templates/admin_new_user_two_factor.html:5
@@ -262,10 +256,9 @@ msgid ""
 "added the entry for your account in the app, enter one of the 6-digit codes "
 "from the app to confirm that two factor authentication is set up correctly."
 msgstr ""
-"أنت على وشك الإنتهاء! لإنهاء إعادة ضبط التوثيق الثنائي, اتبع التعليمات أدناه "
-"لضبط و تكوين Google Authenticator.  ما أن تضيف وتسجّل حسابك في التطبيق, أدخل "
-"إحدى الرموز المكونة من 6 أرقام للتأكد من أنه تم تنصيب التوثيق الثنائي بالشكل "
-"الصحيح."
+"أنت على وشك الانتهاء! لإتمام إعادة ضبط التحقق بخطوتين اتبع التعليمات أدناه "
+"لإعداد Google Authenticator.  بعد إضافة حسابك في التطبيق قم بإدخال إحدى "
+"الرموز المكونة من 6 أرقام للتأكد من أنه سلامة الإعداد."
 
 #: journalist_templates/account_new_two_factor.html:8
 #: journalist_templates/admin_new_user_two_factor.html:9
@@ -281,28 +274,26 @@ msgstr "افتح تطبيق Google Authenticator"
 #: journalist_templates/admin_new_user_two_factor.html:11
 msgid "Tap menu, then tap \"Set up account\", then tap \"Scan a barcode\""
 msgstr ""
-"اضغط على على لائحة الخيارات, ثم على \"اعداد (إنشاء) الحساب\" , ثم على \" "
-"تصوير الرمز الشريطي\""
+"اضغط على على علامة الزائد لإضافة حساب جديد، ثم اختر \"مسح رمز شريطي ضوئيًا\""
 
 #: journalist_templates/account_new_two_factor.html:11
 #: journalist_templates/admin_new_user_two_factor.html:12
 msgid ""
 "Your phone will now be in \"scanning\" mode. When you are in this mode, scan "
 "the barcode below:"
-msgstr "ان هاتفك في وضعية \"المسح الضوئي\". الآن, قم بمسح الرمز الشريطي أدناه:"
+msgstr ""
+"الهاتف الآن سيصبح في في وضعية \"المسح الضوئي\". قم الآن بمسح الرمز التالي:"
 
 #: journalist_templates/account_new_two_factor.html:14
 #: journalist_templates/admin_new_user_two_factor.html:15
 msgid "Can't scan the barcode? Enter the following code manually:"
 msgstr ""
-"لم تتمكن من مسح الرمز الشريطي عن طريق السكانر؟ قم بإدخال الرمز الآتي يدويا:"
+"لم تتمكن من مسح الرمز  عن طريق المسح الضوئي؟ قم بإدخال الرمز التالي يدويا:"
 
 #: journalist_templates/account_new_two_factor.html:15
 #: journalist_templates/admin_new_user_two_factor.html:18
 msgid "Once you have scanned the barcode, enter the 6-digit code below:"
-msgstr ""
-"ما أن تمسح  الرمز الشريطي عن طريق السكانر, قم فوراً بإدخال الرموز المكونة من "
-"6 أرقام أدناه:"
+msgstr "بعد انتهاء خطوة المسح الضوئي، قم بإدخال الرمز المكون من 6 أرقام:"
 
 #: journalist_templates/account_new_two_factor.html:17
 #: journalist_templates/admin_new_user_two_factor.html:20
@@ -313,8 +304,8 @@ msgstr "قم بتفعيل (YubiKey (OATH-HOTP"
 #: journalist_templates/admin_new_user_two_factor.html:21
 msgid "Once you have configured your YubiKey, enter the 6-digit code below:"
 msgstr ""
-"ما أن تكوّن وتخلق مفتاح الحماية الخاص بك \"YubiKey\", أدخل فوراً الرموز "
-"المكونة من 6 أرقام أدناه:"
+"بعد الانتهاء من ضبط مفتاح المصادقة الخاص بك \"YubiKey\"، أدخل الرمز المكون "
+"من 6 أرقام:"
 
 #: journalist_templates/account_new_two_factor.html:22
 #: journalist_templates/admin_new_user_two_factor.html:25
@@ -329,7 +320,7 @@ msgstr "إرسال"
 
 #: journalist_templates/admin.html:3
 msgid "Admin Interface"
-msgstr "واجهة المستخدم"
+msgstr "واجهة المسؤول"
 
 #: journalist_templates/admin.html:6
 #: journalist_templates/admin_add_user.html:39
@@ -344,7 +335,7 @@ msgstr "اسم المستخدم"
 
 #: journalist_templates/admin.html:17
 msgid "Edit"
-msgstr "تعديل"
+msgstr "تحرير"
 
 #: journalist_templates/admin.html:18 journalist_templates/index.html:15
 msgid "Delete"
@@ -352,7 +343,7 @@ msgstr "حذف"
 
 #: journalist_templates/admin.html:19
 msgid "Created"
-msgstr "مكوّن"
+msgstr "أُنُشِئْت"
 
 #: journalist_templates/admin.html:20
 msgid "Last login"
@@ -377,16 +368,16 @@ msgstr "ما من مستخدمين لعرضهم"
 #: journalist_templates/admin_add_user.html:4
 #: journalist_templates/edit_account.html:7
 msgid "Back to admin interface"
-msgstr "الرجوع إلى واجهة المستخدم"
+msgstr "الرجوع إلى واجهة المسؤول"
 
 #: journalist_templates/admin_add_user.html:21
 msgid "The user's password will be:"
-msgstr "كلمة سر المستخدم ستكون:"
+msgstr "كلمة سر المستخدم:"
 
 #: journalist_templates/admin_add_user.html:24
 #: journalist_templates/edit_account.html:17
 msgid "Is Administrator"
-msgstr "هو المسؤول"
+msgstr "تعيينه كمسئوول"
 
 #: journalist_templates/admin_add_user.html:32
 msgid "Is using a YubiKey [HOTP]"
@@ -400,12 +391,10 @@ msgid ""
 "them enter one of the 6-digit codes from the app to confirm that two factor "
 "authentication is set up correctly."
 msgstr ""
-"أنت على وشك الإنتهاء! لإنهاء عملية إضافة المستخدم الجديد، اطلب منهم أن "
-"يتبعوا التعليمات أدناه لتنصيب التوثيق الثنائي  بواسطة Google "
-"Authenticator. \n"
-" ما إن يضيفوا  معلومات حسابهم على هذا التطبيق، اطلب منهم إدخال إحدى الرموز "
-"المكونة من 6 أرقام من التطبيق للتأكد من أن التوثيق الثنائي تم  تنصيبه بالشكل "
-"الصحيح."
+"أنت على وشك الانتهاء! لإتمام عملية إضافة المستخدم الجديد اطلب منهم إتباع "
+"التعليمات أدناه لتنصيب التحقق بخطوتين  بواسطة Google Authenticator. \n"
+" وبعد إضافة معلومات الحساب في التطبيق اطلب منهم إدخال إحدى الرموز المكونة من "
+"6 أرقام للتأكد من سلامة الإعداد."
 
 #: journalist_templates/base.html:24
 msgid "Logged on as"
@@ -424,12 +413,12 @@ msgid ""
 "Powered by <br> <img src=\"/static/i/securedrop_small.png\" alt=\"SecureDrop"
 "\">"
 msgstr ""
-"مشغل من قبل <br> <img src=\"/static/i/securedrop_small.png\" alt=\"SecureDrop"
-"\">"
+"مدعم بواسطة <br> <img src=\"/static/i/securedrop_small.png\" alt=\""
+"SecureDrop\">"
 
 #: journalist_templates/base.html:54
 msgid "Powered by <em>SecureDrop {version}</em>."
-msgstr "مشغّل من قبل <em>SecureDrop {version} </em>."
+msgstr "مدعم بواسطة <em>SecureDrop {version} </em>."
 
 #: journalist_templates/col.html:10
 msgid "All Sources"
@@ -441,8 +430,8 @@ msgid ""
 "the first random codename is difficult to say or remember. You can generate "
 "new random codenames as many times as you like."
 msgstr ""
-"قم بإنشاء اسم رمزي عشوائي جديد لهذا المصدر. نوصي بهذا إذا كان الاسم الرمزي "
-"الاول من الصعب نطقه أو تذكره. يمكنك إنشاء اسماء رمزية جديدة  جديدة قدر ما "
+"قم بإنشاء اسم رمزي عشوائي جديد لهذا المصدر. ننصح بهذا في حالة صعوبة الاسم "
+"الحالي من ناحيةالنطق أو التذكر كما يمكنك إنشاء أسماء رمزية  جديدة بقدر ما "
 "تشاء."
 
 #: journalist_templates/col.html:13
@@ -451,7 +440,7 @@ msgstr "تغيير الاسم الرمزي"
 
 #: journalist_templates/col.html:14
 msgid "Are you sure you want to generate a new codename?"
-msgstr "هل أنت متأكد من أنك تريد انشاء اسم رمزي جديد؟"
+msgstr "هل أنت متأكد من إنشاء اسم رمزي جديد؟"
 
 #: journalist_templates/col.html:15 source_templates/lookup.html:72
 msgid "Cancel"
@@ -466,16 +455,16 @@ msgid ""
 "The documents are stored encrypted for security. To read them, you will need "
 "to decrypt them using GPG."
 msgstr ""
-"تم تخزين المستندات و تعميتها لغايات أمنية. إذا كنت تريد قراءتها, ستحتاج إلى  "
-"فك التعمية  وذلك بواسطة  نظام GPG."
+"تم حفظ المستندات و تعميتها لدواعي الحماية. سوف تحتاج إلى تظهيرها (ردها إلى "
+"صيغتها الأصلية) بواسطة GPG لقراءة المحتوى."
 
 #: journalist_templates/col.html:26
 msgid "Download Selected"
-msgstr "تنزيل الاختيار"
+msgstr "تنزيل المختار"
 
 #: journalist_templates/col.html:27
 msgid "Delete Selected"
-msgstr "حذف الاختيار"
+msgstr "حذف المختار"
 
 #: journalist_templates/col.html:55
 msgid "Uploaded Document"
@@ -483,7 +472,7 @@ msgstr "تم تحميل المستند"
 
 #: journalist_templates/col.html:57 journalist_templates/col.html:75
 msgid "Reply"
-msgstr "رد"
+msgstr "رَدّ"
 
 #: journalist_templates/col.html:59
 msgid "Message"
@@ -491,32 +480,32 @@ msgstr "رسالة"
 
 #: journalist_templates/col.html:70
 msgid "No documents to display."
-msgstr "ما من مستندات موجودة لعرضها."
+msgstr "ما من مستندات لعرضها."
 
 #: journalist_templates/col.html:77
 msgid ""
 "You can write a secure reply to the person who submitted these documents:"
-msgstr "يمكنك الرد كتابياً بشكل آمن على الشخص الذي أرسل هذه المستندات:"
+msgstr "يمكن إرسال رد على نحو آمن إلى الشخص الذي أرسل المستندات:"
 
 #: journalist_templates/col.html:86
 msgid "You've flagged this source for reply."
-msgstr "لقد علّمت أو أشرت بعلامة  لهذا المصدر للرد عليه."
+msgstr "قمت بوسم هذا المصدر للرد عليه."
 
 #: journalist_templates/col.html:87
 msgid ""
 "An encryption key will be generated for the source the next time they log "
 "in, after which you will be able to reply to the source here."
 msgstr ""
-"سيتم إنشاء مفتاح تعمية للمصدر  وذلك عندما يسجلّوا دخولهم  مرّة جديدة،  بعد هذه "
-"العملية، ستتمكن من الرد على المصدر هنا."
+"فور تسجيل دخول المصدر المرة التالية سوف يتم إنشاء مفتاح تعمية خاص به. وسوف "
+"تتمكن من الرد على المصدر هنا بعد تلك الخطوة."
 
 #: journalist_templates/col.html:89
 msgid "Click below if you would like to write a reply to this source."
-msgstr "انقر أدناه إن كنت تريد الرد على هذا المصدر."
+msgstr "انقر أدناه للرد على المصدر."
 
 #: journalist_templates/col.html:93
 msgid "FLAG THIS SOURCE FOR REPLY"
-msgstr "علّم هذا المصدر أو أشر بعلامة إليه، للرد عليه"
+msgstr "وسّم المصدر للرد عليه"
 
 #: journalist_templates/col.html:98
 msgid ""
@@ -524,9 +513,9 @@ msgid ""
 "the files seen here will be unrecoverable and the source will no longer be "
 "able to login using their previous codename.</em>"
 msgstr ""
-"انقر أدناه لحذف مجموعة هذا المصدر. <em> تنبيه: إذا قمت بذلك، فستكون هذه "
-"الملفات غير قابلة للاسترداد ولن يتمكن المصدر من تسجيل دخوله باستخدام اسمه "
-"الرمزي السابق.</em>"
+"انقر أدناه لحذف المجموعة الهاصة بهذا المصدر. <em> تحذير: بعد إجراء الحذف لا "
+"يمكن استرداد الملفات، ولن يتمكن المصدر من تسجيل الدخول باستخدام الاسم الرمزي "
+"السابق.</em>"
 
 #: journalist_templates/col.html:104
 msgid "DELETE COLLECTION"
@@ -545,7 +534,8 @@ msgstr[2] ""
 msgstr[3] "تم تحديد  بعض الملفات {files}  ل<strong>حذفها بشكل نهائي</strong>:"
 msgstr[4] ""
 "تم تحديد  العديد من الملفات {files}  ل<strong>حذفها بشكل نهائي</strong>:"
-msgstr[5] "تم تحديد {files} الملفات التالية ل<strong>حذفها بشكل نهائي</strong>:"
+msgstr[5] ""
+"تم تحديد {files} الملفات التالية ل<strong>حذفها بشكل نهائي</strong>:"
 
 #: journalist_templates/delete.html:20
 msgid "PERMANENTLY DELETE FILES"
@@ -553,7 +543,7 @@ msgstr "حذف الملفات بشكل دائم"
 
 #: journalist_templates/delete.html:23
 msgid "Return to the list of documents for {source_name}…"
-msgstr "الرجوع إلى قائمة المستندات ل {source_name} …"
+msgstr "العودة إلى قائمة المستندات الخاصة بـ {source_name}…"
 
 #: journalist_templates/edit_account.html:6
 msgid "Edit user \"{user}\""
@@ -561,7 +551,7 @@ msgstr "تعديل المستخدم \"{user}\""
 
 #: journalist_templates/edit_account.html:8
 msgid "Change Username &amp; Admin Status"
-msgstr "تغيير اسم المستخدم &amp; و وضع وصلاحيات المسؤول"
+msgstr "تغيير اسم المستخدم وحالة المسؤول"
 
 #: journalist_templates/edit_account.html:12
 msgid "Change username"
@@ -573,7 +563,7 @@ msgstr "تحديث"
 
 #: journalist_templates/edit_account.html:22
 msgid "Edit your account"
-msgstr "عدّل حسابك"
+msgstr "حرّر حسابك"
 
 #: journalist_templates/edit_account.html:25
 msgid "Reset Password"
@@ -581,19 +571,19 @@ msgstr "إعادة ضبط كلمة السر"
 
 #: journalist_templates/edit_account.html:27
 msgid "SecureDrop now uses automatically generated diceware passwords."
-msgstr "SecureDrop يستخدم الآن كلمات السر ديسوير \"diceware\" المولّدة تلقائيا."
+msgstr "يستخدم SecureDrop على نحو آلي طريقة دايسوير لتويد كلمات السر."
 
 #: journalist_templates/edit_account.html:28
 msgid ""
 "Your password will be changed immediately, so you will need to save it "
 "before pressing the \"Reset Password\" button."
 msgstr ""
-"سيتم تغيير كلمة السر الخاصة بك فورا, لذلك ستحتاج إلى حفظها قبل الضغط على زر "
-"\"إعادة ضبط كلمة السر\"."
+"سيتم تغيير كلمة السر فورا لذا عليك حفظها قبل الضغط على \"إعادة ضبط كلمة "
+"السر\"."
 
 #: journalist_templates/edit_account.html:34
 msgid "Please enter your current password and two-factor code."
-msgstr "من فضلك أكتب كلمة سرّك الحالية و رمز التوثيق الثنائي."
+msgstr "رجاء كتابة كلمة السر الحالية ورمز التحقق بخطوتين."
 
 #: journalist_templates/edit_account.html:40
 msgid "Current Password"
@@ -601,15 +591,15 @@ msgstr "كلمة السر الحالية"
 
 #: journalist_templates/edit_account.html:41 journalist_templates/login.html:10
 msgid "Two-factor Code"
-msgstr "رمز التوثيق الثنائي"
+msgstr "رمز التحقق بخطوتين"
 
 #: journalist_templates/edit_account.html:46
 msgid "The user's password will be changed to:"
-msgstr "ستتغير كلمة السر الخاصة بالمستخدم  إلى:"
+msgstr "تغيير كلمة سر المستخدم  إلى:"
 
 #: journalist_templates/edit_account.html:48
 msgid "Your password will be changed to:"
-msgstr "كلمة السر الخاصة بك ستتغير الى:"
+msgstr "كلمة السر الخاصة بك ستتغير إلى:"
 
 #: journalist_templates/edit_account.html:53
 msgid "RESET PASSWORD"
@@ -617,7 +607,7 @@ msgstr "إعادة ضبط كلمة السر"
 
 #: journalist_templates/edit_account.html:58
 msgid "Reset Two-Factor Authentication"
-msgstr "إعادة ضبط التوثيق الثنائي"
+msgstr "إعادة ضبط خاصية التحقق بخطوتين"
 
 #: journalist_templates/edit_account.html:61
 msgid ""
@@ -626,10 +616,9 @@ msgid ""
 "is present and ready to set up their device with the new two-factor "
 "credentials. Otherwise, they will be locked out of their account."
 msgstr ""
-"إذا فقد مستخدم  ما  المعلومات والبيانات المتعلّقة بالتوثيق الثنائي الخاص به "
-"ككلمة السر والأسم,  يمكنك استرجاعها هنا. <em> فإذا قمت بذلك, تأكد بأن "
-"المستخدم حاضر ومستعد لتفعيل أجهزته عن طريق بيانات التوثيق الثنائي الجديدة. "
-"والا سيحظرون من الدخول إلى حسابهم."
+"إذا فقد المستخدم البيانات الخاصة بالتحقق بخطوتين يمكن إعادة ضبطها من هنا. "
+"<em> في حالة القيام بذلك رجاء التأكد من وجود المستخدم والاستعداد لضبط خاصية "
+"التحقق بخطوتين الجديدة وإلا لن يمكن النفاذ إلى الحساب."
 
 #: journalist_templates/edit_account.html:63
 msgid ""
@@ -638,10 +627,9 @@ msgid ""
 "this, make sure you are ready to set up your new device, otherwise you will "
 "be locked out of your account.</em>"
 msgstr ""
-"إذا فقدت المعلومات والبيانات المتعلّقة بالتوثيق الثنائي الخاص بك ككلمة السر "
-"والأسم,, أو  إذا اقنيت  جهاز جديد، فيمكنك اعادة ضبط هذه البيانات اهنا.<em> "
-"فإذا قمت بذلك، تأكد بأنك جاهز لتفعيل جهازك الجديد, وإلا سيتم منعك من الدخول "
-"إلى حسابك.</em>"
+"إذا فقدت بياناتك الخاصة بالتحقق بخطوتين يمكن إعادة ضبطها من هنا. <em> في "
+"حالة القيام بذلك رجاء الاستعداد لضبط خاصية التحقق بخطوتين الجديدة وإلا لن "
+"تتمكن النفاذ إلى الحساب.<em>"
 
 #: journalist_templates/edit_account.html:65
 msgid ""
@@ -649,18 +637,18 @@ msgid ""
 "Authenticator or FreeOTP, choose the first option. For hardware tokens like "
 "the Yubikey, choose the second."
 msgstr ""
-"لإعادة ضبط التوثيق الثنائي مثل Google Authenticator أو FreeOTP على تطبيقات "
+"لإعادة ضبط التحقق بخطوتين مثل Google Authenticator أو FreeOTP على تطبيقات "
 "الهاتف المحمول،   اضغط على الخيار الاول. أما فيما يتعلّق بالتطبيقات الخاصة "
-"بالأجهزة أو ما يسمى بالعتاد الحاسوبي ك Yubikey,  فاضغط على الخيار الثاني."
+"بالأجهزة أو ما يسمى بالعتاد الحاسوبي ك Yubikey،  فاضغط على الخيار الثاني."
 
 #: journalist_templates/edit_account.html:85
 msgid "RESET TWO-FACTOR AUTHENTICATION (APP)"
-msgstr "إعادة ضبط التوثيق الثنائي (تطبيق)"
+msgstr "إعادة ضبط التحقق بخطوتين (تطبيق)"
 
 #: journalist_templates/edit_account.html:87
 msgid "RESET TWO-FACTOR AUTHENTICATION (HARDWARE TOKEN)"
 msgstr ""
-"إعادة ضبط التوثيق الثنائي ( برمجيات خاصة بالأجهزة الصلبة أو العتاد الحاسوبي)"
+"إعادة ضبط التحقق بخطوتين ( برمجيات خاصة بالأجهزة الصلبة أو العتاد الحاسوبي)"
 
 #: journalist_templates/flag.html:5
 msgid "Thanks!"
@@ -674,7 +662,7 @@ msgid ""
 "encrypted replies to them."
 msgstr ""
 "في المرة الثانية الني سيقوم المصدر فيها بتسجيل دخوله، سيولّد  SecureDrop، "
-"ويخلق مفتاح تشفير آمن لهذا المصدر. حالما يتم إنتاج المفتاح, سوف يظهر صندوق "
+"ويخلق مفتاح تشفير آمن لهذا المصدر. حالما يتم إنتاج المفتاح، سوف يظهر صندوق "
 "للرد تحت مجموعة المستندات الخاصة بهم. يمكنك استخدام  مربّع الحوار أو الصندوق "
 "الحوار هذا لكتابة ردود مشفرة لهم."
 
@@ -741,7 +729,7 @@ msgstr "هل أنت متأكد من أنك تريد حذف المستخدم {use
 #: journalist_templates/js-strings.html:11
 msgid ""
 "Are you sure you want to reset two-factor authentication for {username}?"
-msgstr "هل أنت متأكد من أنك تريد اعادة ضبط التوثيق الثنائي ل {username}؟"
+msgstr "هل أنت متأكد من أنك تريد اعادة ضبط التحقق بخطوتين ل {username}؟"
 
 #: journalist_templates/login.html:4
 msgid "Login to access the journalist interface"
@@ -805,7 +793,7 @@ msgstr "تم حذف جميع الردود"
 
 #: source_app/main.py:215
 msgid "Sorry, that is not a recognized codename."
-msgstr "عذراً, هذا الاسم الرمزي غير معترف به."
+msgstr "عذراً، هذا الاسم الرمزي غير معترف به."
 
 #: source_templates/base.html:6 source_templates/index.html:4
 msgid "Protecting Journalists and Sources"
@@ -835,7 +823,7 @@ msgstr "خطأ في الخادم"
 msgid ""
 "Sorry, the website encountered an error and was unable to complete your "
 "request."
-msgstr "نأسف, لقد واجه الموقع الإلكتروني خطأ ولم يتمكن من إكمال طلبك."
+msgstr "نأسف، لقد واجه الموقع الإلكتروني خطأ ولم يتمكن من إكمال طلبك."
 
 #: source_templates/error.html:7 source_templates/notfound.html:7
 msgid "Look up a codename..."
@@ -876,24 +864,25 @@ msgid ""
 " questions or are interested in additional documents. Unlike passwords, "
 "there is no way to retrieve a lost codename."
 msgstr ""
-"<strong> 1SecureDrop</strong> 2 لأننا لا نستخدم أي من الوسائل التقليدية "
-"لتتبع  مستخدمي سيكيور دروب SecureDrop, فاستخدام هذا الاسم في الزيارات "
-"المقبلة  لهو الطريقة الوحيدة  كي نتواصل معك في حال ساورتنا أي أسئلة أو في "
-"حال احتجنا إلى أي مستندات إضافيى.  بخلاف كلمات السر, فما منطريقة لاسترداد "
-"اسم رمزي مفقود."
+"لأننا لا نستخدم أي من الوسائل التقليدية لتتبع مستخدمي "
+"<strong>SecureDrop</strong>،\n"
+" فاستخدام هذا الاسم في الزيارات المقبلة لهو الطريقة الوحيدة كي نتواصل معك في "
+"حال ساورتنا\n"
+" أي أسئلة أو في حال احتجنا إلى أي مستندات إضافيى.  بخلاف كلمات السر، فما "
+"منطريقة لاسترداد اسم رمزي مفقود."
 
 #: source_templates/generate.html:36
 msgid ""
 "Please either write this codename down and keep it in a safe place, or "
 "memorize it."
 msgstr ""
-"من فضلك، ما  سجّل هذا الإسم الرمز واحفظه في مكان آمن, أو احفظه عن ظهر قلب."
+"من فضلك، ما  سجّل هذا الإسم الرمز واحفظه في مكان آمن، أو احفظه عن ظهر قلب."
 
-#: source_templates/generate.html:45
+#: source_templates/generate.html:44
 msgid "USE NEW CODENAME"
 msgstr "استخدم اسم رمزي جديد"
 
-#: source_templates/generate.html:47
+#: source_templates/generate.html:46
 msgid "USE EXISTING CODENAME"
 msgstr "استخدم اسم رمز موجود"
 
@@ -913,8 +902,8 @@ msgid ""
 "\"recommend-tor\" href=\"{tor_browser_url}\">Learn how to install it</a>, or "
 "ignore this warning to continue."
 msgstr ""
-"<strong>نحن نوصي بإستعمال Tor Browser للوصول لخدمة SecureDrop:</strong> <a "
-"id=\"recommend-tor\" href=\"{tor_browser_url}\">تعلم كيفية تنصيبه</a>, أو "
+"<strong>نحن نوصي بإستعمال Tor Browser للوصول لخدمة SecureDrop:</strong> <a id"
+"=\"recommend-tor\" href=\"{tor_browser_url}\">تعلم كيفية تنصيبه</a>، أو "
 "تجاهل هذا التحذير للمتابعة."
 
 #: source_templates/index.html:41
@@ -928,7 +917,7 @@ msgstr "هل سبق و أرسلت شيئا؟"
 #: source_templates/index.html:54
 msgid ""
 "If this is your first time submitting documents to journalists, start here."
-msgstr "إذا كانت هذه هي المرة الأولى التي ترسل فيها وثائق لصحفيين, ابدأ هنا."
+msgstr "إذا كانت هذه هي المرة الأولى التي ترسل فيها وثائق لصحفيين، ابدأ هنا."
 
 #: source_templates/index.html:58
 msgid ""
@@ -968,7 +957,7 @@ msgstr "انقر على <strong>إعدادات الحماية...</strong>"
 msgid ""
 "Turn the Slider to <strong>High</strong>, then click <strong>Ok</strong>"
 msgstr ""
-"أدر شريط التمرير إلى <strong>عالي</strong>, ثم انقر على <strong>Ok</strong>"
+"أدر شريط التمرير إلى <strong>عالي</strong>، ثم انقر على <strong>Ok</strong>"
 
 #: source_templates/index.html:97
 msgid "<a href=\"/\">Click here</a> to refresh the page"
@@ -1002,7 +991,7 @@ msgstr ""
 
 #: source_templates/lookup.html:11
 msgid "Whew, it’s you! Now, the embarrassing part..."
-msgstr "يا للعجب, هذا أنت! والآن الجزء المربك..."
+msgstr "يا للعجب، هذا أنت! والآن الجزء المربك..."
 
 #: source_templates/lookup.html:12
 msgid ""
@@ -1012,8 +1001,8 @@ msgid ""
 "all documents from that day through to our journalists."
 msgstr ""
 "شهدت خوادمنا موجة غير عادية من النشاط الجديد، عند زيارتك الأخيرة. يمكن أن "
-"يكون هذا نشاط بشري, هجوم آلي, أو مجرد علامة ضوئية.  من باب الحذر, فقد علّقنا  "
-"منذ ذلك اليوم، عملية ارسال اي مستند إلى صحافينا."
+"يكون هذا نشاط بشري، هجوم آلي، أو مجرد علامة ضوئية.  من باب الحذر، فقد علّ"
+"قنا  منذ ذلك اليوم، عملية ارسال اي مستند إلى صحافينا."
 
 #: source_templates/lookup.html:14
 msgid ""
@@ -1034,7 +1023,7 @@ msgid ""
 "and messages with our <a href=\"{url}\" class=\"text-link\">public key</a> "
 "before submission. Files are encrypted as they are received by SecureDrop."
 msgstr ""
-"إذا كنت على دراية بGPG, يمكنك إذا تشفير الملفات والرسائل الخاصة بك  بواسطة<a "
+"إذا كنت على دراية بGPG، يمكنك إذا تشفير الملفات والرسائل الخاصة بك  بواسطة<a "
 "href=\"{url}\" class=\"text-link\">مفتاحنا العام</a> قبل ارسالها. يتم تشفير "
 "الملفات كما يتم استلامها من قبل سكوريدروب SecureDrop."
 
@@ -1087,11 +1076,11 @@ msgstr "هل انتهيت من الاطلاع على الردود؟"
 
 #: source_templates/lookup.html:86
 msgid "YES, DELETE ALL REPLIES"
-msgstr "نعم, حذف جميع الردود"
+msgstr "نعم، حذف جميع الردود"
 
 #: source_templates/lookup.html:87
 msgid "NO, NOT YET"
-msgstr "لا, ليس بعد"
+msgstr "لا، ليس بعد"
 
 #: source_templates/lookup.html:91
 msgid "There are no replies at this time."
@@ -1115,7 +1104,7 @@ msgstr "الصفحة غير موجودة"
 
 #: source_templates/notfound.html:5
 msgid "Sorry, we couldn't locate what you requested."
-msgstr "نأسف, لم نتمكن من إيجاد ما طلبته."
+msgstr "نأسف، لم نتمكن من إيجاد ما طلبته."
 
 #: source_templates/session_timeout.html:6
 msgid ""
@@ -1124,10 +1113,10 @@ msgid ""
 "button in the Tor browser to clear all history of your SecureDrop usage from "
 "this device. If you are not using Tor Browser, restart your browser."
 msgstr ""
-"لقد تم تسجيل خروجك نظراً لعدم  تفاعلك!  من فضلك عاود تسجيل الدخول إن كنت "
-"تريد الاستتمرار في استخدام SecureDrop أو اختر \"هوية جديدة\" من خلال الزر "
-"الاخضر  على شكل البصلة في متصفح تور لحذف  جميع سجلات استخدام SecureDrop من "
-"الجهاز. أما إن لم تكن تستخدم متصفح ثور فمن فضلك أعد تشغيل متصفحك."
+"لقد تم تسجيل خروجك نظراً لعدم  تفاعلك!  من فضلك عاود تسجيل الدخول إن كنت تريد "
+"الاستتمرار في استخدام SecureDrop أو اختر \"هوية جديدة\" من خلال الزر الاخضر  "
+"على شكل البصلة في متصفح تور لحذف  جميع سجلات استخدام SecureDrop من الجهاز. "
+"أما إن لم تكن تستخدم متصفح ثور فمن فضلك أعد تشغيل متصفحك."
 
 #: source_templates/tor2web-warning.html:3
 msgid "Why is there a warning about Tor2Web?"
@@ -1151,10 +1140,10 @@ msgid ""
 "connection could be MITM'ed by a capable adversary."
 msgstr ""
 "شبكة Tor2Web تقوم بحماية الناشرين فقط ولكنها لا تحمي القرّاء. اذا قمت بتحميل "
-"المستندات باستخدام Tor2Web وأرسلتها لنا بواسطته, فانك <strong>مكشوف</strong> "
+"المستندات باستخدام Tor2Web وأرسلتها لنا بواسطته، فانك <strong>مكشوف</strong> "
 "و يمكن تحديد هويتك من خلال  من يزودك الانترنت أو عن طريق    خادم وكيل ك "
 "Tor2Web . بالإضافة إلى ذلك و كما أن مواقع تور ويب Tor2Web  لا تعمل بنظام "
-"HTTPS, فانه من الممكن أن  ينم اعتراض اتصالك قد اعترض من قبل  خصم بارع."
+"HTTPS، فانه من الممكن أن  ينم اعتراض اتصالك قد اعترض من قبل  خصم بارع."
 
 #: source_templates/tor2web-warning.html:6
 msgid ""
@@ -1162,7 +1151,7 @@ msgid ""
 "to install <a href=\"torproject.org/download.html.en\">Tor</a> and use it to "
 "access our site safely and anonymously."
 msgstr ""
-"إذا كنت تريد إرسال المعلومات, فانه <strong> ينصح بشدة</strong> تنزيل <a href="
+"إذا كنت تريد إرسال المعلومات، فانه <strong> ينصح بشدة</strong> تنزيل <a href="
 "\"torproject.org/download.html.en\"> تور </a>واستخدامه للوصول الى موقعنا "
 "بأمان و  بخصوصية تامة أي من دون الكشف عن هويتك."
 
@@ -1174,7 +1163,7 @@ msgstr "عليك استخدام متصفح تور Tor"
 msgid ""
 "If you are not using Tor Browser, you <strong>may not be anonymous</strong>."
 msgstr ""
-"اذا كنت لا تستخدم متصفح تور, فانه <strong>   قد تكون هويتك ونشاطك الرقمي "
+"اذا كنت لا تستخدم متصفح تور، فانه <strong>   قد تكون هويتك ونشاطك الرقمي "
 "مكشوفين</strong>."
 
 #: source_templates/use-tor-browser.html:5
@@ -1183,8 +1172,8 @@ msgid ""
 "you</strong> to install Tor Browser and use it to access our site safely and "
 "anonymously."
 msgstr ""
-"إذا رغبت بإرسال معلومات لسيكيور دروب SecureDrop, فاننا <strong>ننصحك بشدة</"
-"strong> أن تنزل متصفح تور و استخدامه للدخول الى موقعنا بأمان و \n"
+"إذا رغبت بإرسال معلومات لسيكيور دروب SecureDrop، فاننا <strong>ننصحك "
+"بشدة</strong> أن تنزل متصفح تور و استخدامه للدخول الى موقعنا بأمان و \n"
 " بصورة مجهول ."
 
 #: source_templates/use-tor-browser.html:6
@@ -1213,7 +1202,7 @@ msgid ""
 "If you are already familiar with the GPG encryption software, you may wish "
 "to encrypt your submissions yourself. To do so:"
 msgstr ""
-"إذا كنت على دراية ببرمجية التشفير GPG , فقد ترغب بتشفير  ملفاتك بنفسك. "
+"إذا كنت على دراية ببرمجية التشفير GPG ، فقد ترغب بتشفير  ملفاتك بنفسك. "
 "للقيام بذلك:"
 
 #: source_templates/why-journalist-key.html:7
@@ -1234,7 +1223,7 @@ msgid ""
 "<code>.asc</code> file you just downloaded and it will be automatically "
 "imported to your keyring."
 msgstr ""
-"اذا كنت تستخدم <a href=\"{url}\">Tails</a>, فانه يمكنك القيام بالنقر مرتين "
+"اذا كنت تستخدم <a href=\"{url}\">Tails</a>، فانه يمكنك القيام بالنقر مرتين "
 "على<code>asc</code>الذي قمت بتنزيله و سيتم بادخاله تلقائيا الى كلمات المرور "
 "المحفوظة الخاصة بك."
 
@@ -1243,8 +1232,8 @@ msgid ""
 "If you are using Mac/Linux, open the terminal. You can import the key with "
 "<code>gpg --import /path/to/key.asc</code>."
 msgstr ""
-"إذا كنت تستخدم Mac/Linux, قم بفتح الطرفية وبإستيراد المفتاح من خلال ا "
-"<code>gpg --import /path/to/key.asc</code>."
+"إذا كنت تستخدم Mac/Linux، قم بفتح الطرفية وبإستيراد المفتاح من خلال ا <code>"
+"gpg --import /path/to/key.asc</code>."
 
 #: source_templates/why-journalist-key.html:14
 msgid "Encrypt your submission."
@@ -1258,7 +1247,7 @@ msgid ""
 "asc</code>!)"
 msgstr ""
 "يجب أن تكون قادر على تحديد المفتاح (المسمّى  ب\"هوية المستخدم\" أو رقم "
-"التعريف). نظرا لأن اسم ملف المفتاح العام هو بصمة المفتاح, يمكنك فقط نسخه و "
+"التعريف). نظرا لأن اسم ملف المفتاح العام هو بصمة المفتاح، يمكنك فقط نسخه و "
 "لصقه. (لا تنسخ أيضاً <code>إمتداد الملف</code>!)"
 
 #: source_templates/why-journalist-key.html:17
@@ -1266,7 +1255,7 @@ msgid ""
 "On all systems, open the Terminal and use this gpg command: <code>gpg --"
 "recipient &lt;user ID&gt; --encrypt roswell_photos.pdf</code>"
 msgstr ""
-"في جميع الأنظمة, قم بفتح الطرفية وأستعمل أمر gpg التالي: <code>gpg --"
+"في جميع الأنظمة، قم بفتح الطرفية وأستعمل أمر gpg التالي: <code>gpg --"
 "recipient &lt;user ID&gt; --encrypt roswell_photos.pdf</code>"
 
 #: source_templates/why-journalist-key.html:20
@@ -1291,3 +1280,6 @@ msgstr ""
 #: source_templates/why-journalist-key.html:25
 msgid "Back to submission page"
 msgstr "الرجوع الى صفحة الارسال"
+
+#~ msgid "messages {msg_num}"
+#~ msgstr "{msg_num} رسائل"
diff --git a/securedrop/translations/de_DE/LC_MESSAGES/messages.po b/securedrop/translations/de_DE/LC_MESSAGES/messages.po
index aabdb55985c..adcb70ad3de 100644
--- a/securedrop/translations/de_DE/LC_MESSAGES/messages.po
+++ b/securedrop/translations/de_DE/LC_MESSAGES/messages.po
@@ -3,7 +3,7 @@ msgstr ""
 "Project-Id-Version: SecureDrop \\'0.3.5\\'\n"
 "Report-Msgid-Bugs-To: securedrop@freedom.press\n"
 "POT-Creation-Date: 2017-09-02 07:28+0000\n"
-"PO-Revision-Date: 2017-11-29 09:49+0000\n"
+"PO-Revision-Date: 2017-12-04 13:00+0000\n"
 "Last-Translator: heartsucker <heartsucker@riseup.net>\n"
 "Language-Team: German "
 "<https://weblate.securedrop.club/projects/securedrop/securedrop/de/>\n"
@@ -200,12 +200,12 @@ msgid "No unread submissions in selected collections."
 msgstr "Keine ungelesenen Einreichungen in den ausgewählten Sammlungen."
 
 #: journalist_templates/_source_row.html:19
-msgid "docs {doc_num}"
-msgstr "Dok. {doc_num}"
+msgid "{doc_num} docs"
+msgstr "{doc_num} Dok."
 
 #: journalist_templates/_source_row.html:20
-msgid "messages {msg_num}"
-msgstr "Nach. {msg_num}"
+msgid "{msg_num} messages"
+msgstr "{msg_num} Nachr."
 
 #: journalist_templates/_source_row.html:23
 msgid "{num_unread} unread"
@@ -891,11 +891,11 @@ msgstr ""
 "Bitte notieren Sie sich diesen Decknamen und bewahren Sie ihn an einem "
 "sicheren Ort auf oder merken Sie ihn sich."
 
-#: source_templates/generate.html:45
+#: source_templates/generate.html:44
 msgid "USE NEW CODENAME"
 msgstr "NUTZE EIN NEUER DECKNAMEN"
 
-#: source_templates/generate.html:47
+#: source_templates/generate.html:46
 msgid "USE EXISTING CODENAME"
 msgstr "NUTZE VORHANDENE DECKNAME"
 
@@ -1317,3 +1317,6 @@ msgstr ""
 #: source_templates/why-journalist-key.html:25
 msgid "Back to submission page"
 msgstr "Zurück zur Einreichungsseite"
+
+#~ msgid "messages {msg_num}"
+#~ msgstr "Nach. {msg_num}"
diff --git a/securedrop/translations/es_ES/LC_MESSAGES/messages.po b/securedrop/translations/es_ES/LC_MESSAGES/messages.po
index c1b130d212f..20820aada42 100644
--- a/securedrop/translations/es_ES/LC_MESSAGES/messages.po
+++ b/securedrop/translations/es_ES/LC_MESSAGES/messages.po
@@ -8,7 +8,7 @@ msgstr ""
 "Project-Id-Version: SecureDrop 0.3.12\n"
 "Report-Msgid-Bugs-To: securedrop@freedom.press\n"
 "POT-Creation-Date: 2017-09-02 07:28+0000\n"
-"PO-Revision-Date: 2017-11-29 10:00+0000\n"
+"PO-Revision-Date: 2017-12-04 15:00+0000\n"
 "Last-Translator: Anatoli <djanatoli@gmail.com>\n"
 "Language-Team: Spanish "
 "<https://weblate.securedrop.club/projects/securedrop/securedrop/es/>\n"
@@ -30,7 +30,7 @@ msgstr "Su sesión ha sido terminada debido a inactividad"
 
 #: journalist_app/account.py:26
 msgid "Incorrect password or two-factor code."
-msgstr "Clave o el código de autenticación de dos factores incorrecta."
+msgstr "Clave o el código de autenticación de dos factores incorrecto."
 
 #: journalist_app/account.py:39
 msgid "Token in two-factor authentication verified."
@@ -50,20 +50,20 @@ msgstr ""
 
 #: journalist_app/admin.py:58
 msgid "That username is already in use"
-msgstr "Ese nombre de usuario ya esta en uso"
+msgstr "Ese nombre de usuario ya está en uso"
 
 #: journalist_app/admin.py:61
 msgid ""
 "An error occurred saving this user to the database. Please inform your "
 "administrator."
 msgstr ""
-"Un error ocurrió al guardar este usuario en la base de datos. Por favor "
+"Ocurrió un error al guardar este usuario en la base de datos. Por favor "
 "informe a su administrador."
 
 #: journalist_app/admin.py:84
 msgid "Token in two-factor authentication accepted for user {user}."
 msgstr ""
-"Token en autenticación de dos factores aceptada para el usuario {user}."
+"Token en autenticación de dos factores aceptado para el usuario {user}."
 
 #: journalist_app/admin.py:118
 msgid "Invalid secret format: please only submit letters A-F and numbers 0-9."
@@ -74,8 +74,8 @@ msgstr ""
 #: journalist_app/admin.py:123
 msgid "Invalid secret format: odd-length secret. Did you mistype the secret?"
 msgstr ""
-"El formato del secreto es invalido: secreto con largo impar. ¿Ha escrito mal "
-"el secreto?"
+"El formato del secreto es invalido: secreto con longitud impar. ¿Ha escrito "
+"mal el secreto?"
 
 #: journalist_app/admin.py:128 journalist_app/main.py:107
 #: journalist_app/utils.py:38
@@ -88,7 +88,7 @@ msgstr "El nombre de usuario \"{user}\" ya lo han tomado."
 
 #: journalist_app/admin.py:197
 msgid "Deleted user '{user}'"
-msgstr "Usuario borrado '{user}'"
+msgstr "Usuario eliminado '{user}'"
 
 #: journalist_app/col.py:47
 msgid "{source_name}'s collection deleted"
@@ -100,22 +100,22 @@ msgstr "No hay colecciones seleccionadas."
 
 #: journalist_app/decorators.py:16
 msgid "Only administrators can access this page."
-msgstr "Solo administradores pueden entrar a esta pagina."
+msgstr "Solo administradores pueden entrar a esta página."
 
 #: journalist_app/forms.py:17
 msgid "Field must be 40 characters long but got {num_chars}."
-msgstr "El area debe ser de 40 caracteres de largo, pero tiene {num_chars}."
+msgstr "El area debe ser de 40 caracteres de longitud, pero tiene {num_chars}."
 
 #: journalist_app/forms.py:28
 msgid ""
 "Field must be at least {min_chars} characters long but only got {num_chars}."
 msgstr ""
-"El area debe ser por lo menos {min_chars}  caracteres de largo, pero sólo "
+"El área debe ser por lo menos {min_chars}  caracteres de longitud, pero sólo "
 "tiene {num_chars}."
 
 #: journalist_app/forms.py:33 source_app/forms.py:11
 msgid "This field is required."
-msgstr "Esta area es obligatoria."
+msgstr "Esta área es obligatoria."
 
 #: journalist_app/forms.py:50
 msgid "You cannot send an empty reply."
@@ -139,7 +139,7 @@ msgstr "La fuente '{original_name}' ha sido renombrada a '{new_name}'"
 
 #: journalist_app/main.py:183
 msgid "No unread submissions for this source."
-msgstr "No hay sumisiones sin leer para esta fuente."
+msgstr "No hay envíos sin leer para esta fuente."
 
 #: journalist_app/utils.py:45
 msgid "Account updated."
@@ -153,17 +153,15 @@ msgstr "El inicio de sesión falló."
 msgid "Please wait at least {seconds} second before logging in again."
 msgid_plural "Please wait at least {seconds} seconds before logging in again."
 msgstr[0] ""
-"Por favor espere al menos {seconds} segundo antes de iniciar la session de "
-"nuevo."
+"Por favor espere al menos {seconds} segundo antes de iniciar sesión de nuevo."
 msgstr[1] ""
-"Por favor espere al menos {seconds} segundos antes de iniciar la session de "
+"Por favor espere al menos {seconds} segundos antes de iniciar sesión de "
 "nuevo."
 
 #: journalist_app/utils.py:95
 msgid "Please wait for a new two-factor token before trying again."
 msgstr ""
-"Por favor espere por una nueva token de dos factores antes de intentarlo de "
-"nuevo."
+"Por favor espere un nuevo token de dos factores antes de intentarlo de nuevo."
 
 #: journalist_app/utils.py:140
 msgid "Submission deleted."
@@ -179,7 +177,7 @@ msgstr[1] "{num} colecciones eliminadas"
 
 #: journalist_app/utils.py:228
 msgid "You submitted a bad password! Password not changed."
-msgstr "¡Envío una contraseña mala! La contraseña no cambio."
+msgstr "¡Envió una contraseña incorrecta! La contraseña no cambió."
 
 #: journalist_app/utils.py:235
 msgid ""
@@ -188,28 +186,28 @@ msgid ""
 "should reset your password again."
 msgstr ""
 "Hubo un error y es posible que la nueva contraseña no se haya guardado "
-"correctamente. Para evitar que usted sea bloqueado de su cuenta, debe "
-"restablecer su contraseña nuevamente."
+"correctamente. Para evitar que se bloquee su cuenta, debe restablecer su "
+"contraseña nuevamente."
 
 #: journalist_app/utils.py:244
 msgid ""
 "Password updated. Don't forget to save it in your KeePassX database. New "
 "password:"
 msgstr ""
-"Contraseña actualizada. No olvides guardarla en tu base de datos KeePassX. "
+"Contraseña actualizada. No olvide guardarla en su base de datos KeePassX. "
 "Contraseña nueva:"
 
 #: journalist_app/utils.py:261
 msgid "No unread submissions in selected collections."
-msgstr "No hay sumisiónes sin leer en las colecciones seleccionadas."
+msgstr "No hay envios sin leer en las colecciones seleccionadas."
 
 #: journalist_templates/_source_row.html:19
-msgid "docs {doc_num}"
-msgstr "docs {doc_num}"
+msgid "{doc_num} docs"
+msgstr "{doc_num} docs"
 
 #: journalist_templates/_source_row.html:20
-msgid "messages {msg_num}"
-msgstr "mensajes {msg_num}"
+msgid "{msg_num} messages"
+msgstr "{msg_num} mensajes"
 
 #: journalist_templates/_source_row.html:23
 msgid "{num_unread} unread"
@@ -218,7 +216,7 @@ msgstr "{num_unread}  sin leer"
 #: journalist_templates/account_edit_hotp_secret.html:6
 #: journalist_templates/admin_edit_hotp_secret.html:7
 msgid "Change Secret"
-msgstr "Cambie Secreto"
+msgstr "Cambiar Secreto"
 
 #: journalist_templates/account_edit_hotp_secret.html:7
 #: journalist_templates/admin_add_user.html:33
@@ -235,7 +233,7 @@ msgstr "CONTINUAR"
 #: journalist_templates/account_new_two_factor.html:4
 #: journalist_templates/admin_new_user_two_factor.html:5
 msgid "Enable Google Authenticator"
-msgstr "Habilite el Autenticador Google"
+msgstr "Habilitar el Autenticador Google"
 
 #: journalist_templates/account_new_two_factor.html:5
 msgid ""
@@ -293,7 +291,7 @@ msgstr ""
 #: journalist_templates/account_new_two_factor.html:17
 #: journalist_templates/admin_new_user_two_factor.html:20
 msgid "Enable YubiKey (OATH-HOTP)"
-msgstr "Habilite el dispositivo YubiKey (OATH-HOTP)"
+msgstr "Habilitar el dispositivo YubiKey (OATH-HOTP)"
 
 #: journalist_templates/account_new_two_factor.html:18
 #: journalist_templates/admin_new_user_two_factor.html:21
@@ -334,7 +332,7 @@ msgstr "Editar"
 
 #: journalist_templates/admin.html:18 journalist_templates/index.html:15
 msgid "Delete"
-msgstr "Borrar"
+msgstr "Eliminar"
 
 #: journalist_templates/admin.html:19
 msgid "Created"
@@ -389,9 +387,9 @@ msgstr ""
 "¡Ya casi termina! Para terminar de agregar este nuevo usuario, haga que "
 "ellos sigan las instrucciones de abajo para configurar la autenticación de "
 "dos factores con el Autenticador Google. Una vez que ellos hayan agregado "
-"una entrada para esta cuenta en la aplicación, haga que ellos ingresen uno "
-"de los códigos de 6 dígitos de la aplicación para confirmar que la "
-"autenticación de dos factores esta configurada correctamente."
+"una entrada para esta cuenta en la aplicación, haga que ingresen uno de los "
+"códigos de 6 dígitos de la aplicación para confirmar que la autenticación de "
+"dos factores esta configurada correctamente."
 
 #: journalist_templates/base.html:24
 msgid "Logged on as"
@@ -433,7 +431,7 @@ msgstr ""
 
 #: journalist_templates/col.html:13
 msgid "Change codename"
-msgstr "Cambie nombre clave"
+msgstr "Cambiar nombre clave"
 
 #: journalist_templates/col.html:14
 msgid "Are you sure you want to generate a new codename?"
@@ -504,7 +502,7 @@ msgstr "Haga clic abajo si desea escribir una respuesta a esta fuente."
 
 #: journalist_templates/col.html:93
 msgid "FLAG THIS SOURCE FOR REPLY"
-msgstr "MARCA ESTA FUENTE PARA RESPONDER"
+msgstr "MARCAR ESTA FUENTE PARA RESPONDER"
 
 #: journalist_templates/col.html:98
 msgid ""
@@ -535,7 +533,7 @@ msgstr[1] ""
 
 #: journalist_templates/delete.html:20
 msgid "PERMANENTLY DELETE FILES"
-msgstr "PERMANENTEMENTE ELIMINAR ARCHIVOS"
+msgstr "ELIMINAR ARCHIVOS PERMANENTEMENTE"
 
 #: journalist_templates/delete.html:23
 msgid "Return to the list of documents for {source_name}…"
@@ -614,11 +612,11 @@ msgid ""
 "is present and ready to set up their device with the new two-factor "
 "credentials. Otherwise, they will be locked out of their account."
 msgstr ""
-"Si un usuario han perdido o comprometido las credenciales de autenticación "
-"de dos factores, puede restablecerlos aquí. <em> Si usted hace esto, "
-"asegúrese de que el usuario está presente y listo para configurar su "
-"dispositivo con las nuevas credenciales de dos-factores. De lo contrario, "
-"ellos serán bloqueados de su cuenta."
+"Si un usuario ha perdido o comprometido las credenciales de autenticación de "
+"dos factores, puede restablecerlas aquí. <em> Si hace esto, asegúrese de que "
+"el usuario está presente y listo para configurar su dispositivo con las "
+"nuevas credenciales de dos-factores. De lo contrario, serán bloqueados de su "
+"cuenta."
 
 #: journalist_templates/edit_account.html:63
 msgid ""
@@ -629,8 +627,8 @@ msgid ""
 msgstr ""
 "Si sus credenciales de autenticación de dos factores se han perdido o se han "
 "comprometido, o si tiene un dispositivo nuevo, usted puede restablecer sus "
-"credenciales aquí. <em> Si usted hace esto, asegúrese de que está listo para "
-"configurar su nuevo dispositivo, de lo contrario se le bloqueará fuera de su "
+"credenciales aquí. <em> Si hace esto, asegúrese de que está listo para "
+"configurar su nuevo dispositivo, de lo contrario se le bloqueará de su "
 "cuenta. </em>"
 
 #: journalist_templates/edit_account.html:65
@@ -641,7 +639,7 @@ msgid ""
 msgstr ""
 "Para restablecer la autenticación de dos factores para aplicaciones móviles "
 "como el Autenticador Google o FreeOTP, elija la primera opción. Para tokens "
-"de hardware como el Yubikey, elija el segundo."
+"de hardware como el Yubikey, elija la segunda."
 
 #: journalist_templates/edit_account.html:85
 msgid "RESET TWO-FACTOR AUTHENTICATION (APP)"
@@ -663,9 +661,9 @@ msgid ""
 "encrypted replies to them."
 msgstr ""
 "SecureDrop generará una clave de encriptación segura para esta fuente la "
-"próxima vez que inicien sesión. Una vez que la llave sea generada, una caja "
-"de respuesta aparecerá bajo de la colección de sus documentos. Usted puede "
-"utilizar esta caja para escribir les respuestas encifradas."
+"próxima vez que inicien sesión. Una vez que la llave sea generada, un cuadro "
+"de respuesta aparecerá debajo de la colección de sus documentos. Puede "
+"utilizar este cuadro para escribir las respuestas encriptadas."
 
 #: journalist_templates/flag.html:10
 msgid "Continue to the list of documents for {codename}..."
@@ -677,7 +675,7 @@ msgstr "Fuentes"
 
 #: journalist_templates/index.html:11
 msgid "Download Unread"
-msgstr "Descarga No Leídas"
+msgstr "Descargar No Leídas"
 
 #: journalist_templates/index.html:12
 msgid "Download"
@@ -753,13 +751,14 @@ msgid ""
 "<strong>WARNING:</strong> You appear to be using Tor2Web. This <strong>does "
 "not</strong> provide anonymity. <a href=\"{url}\">Why is this dangerous?</a>"
 msgstr ""
-"<strong> ADVERTENCIA:</strong> Usted parece estar usando Tor2Web. Este "
-"<strong> no </strong> proporciona anonimato. <a href=\"{url}\"> ¿Porque es "
-"esto peligroso? </a>"
+"<strong> ADVERTENCIA:</strong> Usted parece estar usando Tor2Web. Esto "
+"<strong> no </strong> proporciona anonimato. <a href=\"{url}\"> ¿Por qué "
+"esto es peligroso? </a>"
 
 #: source_app/forms.py:14
 msgid "Field must be between 1 and {max_codename_len} characters long."
-msgstr "Esta area debe estar entre 1 y {max_codename_len} caracteres de largo."
+msgstr ""
+"Esta area debe estar entre 1 y {max_codename_len} caracteres de longitud."
 
 #: source_app/forms.py:17
 msgid "Invalid input."
@@ -791,7 +790,7 @@ msgstr "Gracias! Recibimos su mensaje y documento."
 
 #: source_app/main.py:184
 msgid "Reply deleted"
-msgstr "Contestation eliminada"
+msgstr "Respuesta eliminada"
 
 #: source_app/main.py:201
 msgid "All replies have been deleted"
@@ -799,7 +798,7 @@ msgstr "Todas las repuestas han sido eliminadas"
 
 #: source_app/main.py:215
 msgid "Sorry, that is not a recognized codename."
-msgstr "Lo siento, ese nombre clave no es reconocido."
+msgstr "Lo sentimos, ese nombre clave no es reconocido."
 
 #: source_templates/base.html:6 source_templates/index.html:4
 msgid "Protecting Journalists and Sources"
@@ -846,8 +845,8 @@ msgid ""
 "Thank you for sending this information to us. Please check back later for "
 "replies."
 msgstr ""
-"Gracias por enviarnos esta información. Por favor, chequea de nuevo más "
-"tarde por respuestas."
+"Gracias por enviarnos esta información. Por favor, verifique más tarde por "
+"respuestas."
 
 #: source_templates/first_submission_flashed_message.html:5
 msgid "Forgot your codename?"
@@ -863,7 +862,7 @@ msgid ""
 "our journalists in response to what you submit on the next screen."
 msgstr ""
 "Este nombre clave es el que usted usará en futuras visitas para recibir "
-"mensajes de nuestros periodistas en respuesta a lo que usted envía en la "
+"mensajes de nuestros periodistas en respuesta a lo que usted envíe en la "
 "siguiente pantalla."
 
 #: source_templates/generate.html:29
@@ -875,10 +874,10 @@ msgid ""
 " questions or are interested in additional documents. Unlike passwords, "
 "there is no way to retrieve a lost codename."
 msgstr ""
-"Porque nosotros no utilizamos ninguno de los medios tradicionales para "
-"rastrear a los usuarios de nuestro servicio de <strong>SecureDrop</strong>, "
+"Porque no utilizamos ninguno de los medios tradicionales para rastrear a los "
+"usuarios de nuestro servicio de <strong>SecureDrop</strong>\n"
 "utilizando este nombre clave en visitas futuras es la única manera que "
-"tenemos de comunicarse con usted, si tenemos \n"
+"tenemos de comunicarnos con usted, si tenemos\n"
 "preguntas o estamos interesados en documentos adicionales. A diferencia de "
 "las contraseñas, no hay forma de recuperar un nombre clave perdido."
 
@@ -887,16 +886,16 @@ msgid ""
 "Please either write this codename down and keep it in a safe place, or "
 "memorize it."
 msgstr ""
-"Por favor, ya sea que usted escriba este nombre clave y lo guarde en un "
-"lugar seguro, o bien que lo memorize."
+"Por favor, escriba este nombre clave y guárdelo en un lugar seguro, o "
+"memorizelo."
 
-#: source_templates/generate.html:45
+#: source_templates/generate.html:44
 msgid "USE NEW CODENAME"
-msgstr "USE UN NOMBRE CLAVE NUEVO"
+msgstr "USAR UN NOMBRE CLAVE NUEVO"
 
-#: source_templates/generate.html:47
+#: source_templates/generate.html:46
 msgid "USE EXISTING CODENAME"
-msgstr "USE NOMBRE CLAVE EXISTENTE"
+msgstr "USAR NOMBRE CLAVE EXISTENTE"
 
 #: source_templates/index.html:17
 msgid ""
@@ -904,10 +903,9 @@ msgid ""
 "anonymity:</strong> <a id=\"disable-js\" href=\"\">Learn how to set it to "
 "high</a>, or ignore this warning to continue."
 msgstr ""
-"<strong> Nosotros recomendamos que corra el control deslizante de seguridad "
-"a Alta para proteger su anonimato:</strong> <a id=\"disable-js\" href="
-"\"\">Aprenda cómo establecerlo en alta</a>, o ignore esta advertencia para "
-"continuar."
+"<strong> Recomendamos que corra el control deslizante de seguridad a Alta "
+"para proteger su anonimato:</strong> <a id=\"disable-js\" href=\"\">Aprenda "
+"cómo establecerlo en alta</a>, o ignore esta advertencia para continuar."
 
 #: source_templates/index.html:18
 msgid ""
@@ -915,10 +913,9 @@ msgid ""
 "\"recommend-tor\" href=\"{tor_browser_url}\">Learn how to install it</a>, or "
 "ignore this warning to continue."
 msgstr ""
-"<strong>Nosotros recomendamos usar el navegador Tor Browser para acceder "
-"SecureDrop:</strong><a id=\"recommend-tor\" href="
-"\"{tor_browser_url}\">Aprenda a como instalar </a>, o ignore esta "
-"advertencia para continuar."
+"<strong>Recomendamos usar el navegador Tor Browser para acceder a SecureDrop:"
+"</strong><a id=\"recommend-tor\" href=\"{tor_browser_url}\">Aprenda a como "
+"instalarlo </a>, o ignore esta advertencia para continuar."
 
 #: source_templates/index.html:41
 msgid "Submit documents for the first time"
@@ -939,8 +936,8 @@ msgid ""
 "If you have already submitted documents in the past, log in here to check "
 "for responses."
 msgstr ""
-"Si usted ya ha enviado documentos en el pasado, inicie sesión para chequear "
-"por respuestas."
+"Si usted ya ha enviado documentos en el pasado, inicie sesión para verificar "
+"si tiene respuestas."
 
 #: source_templates/index.html:65
 msgid "SUBMIT DOCUMENTS"
@@ -948,15 +945,15 @@ msgstr "ENVIAR DOCUMENTOS"
 
 #: source_templates/index.html:73
 msgid "CHECK FOR A RESPONSE"
-msgstr "CHEQUEAR POR CONTESTATION"
+msgstr "VERIFICAR UNA RESPUESTA"
 
 #: source_templates/index.html:92
 msgid ""
 "You appear to be using the Tor Browser. You can turn the Security Slider to "
 "High in 4 easy steps!"
 msgstr ""
-"Parece que usted esta usando el navegador Tor Browser. ¡Usted puede "
-"incrementar la Seguridad a Alta fácilmente en 4 pasos!"
+"Parece que usted esta usando el navegador Tor Browser. ¡Puede incrementar la "
+"Seguridad a Alta fácilmente en 4 pasos!"
 
 #: source_templates/index.html:94
 msgid ""
@@ -973,7 +970,7 @@ msgstr "Haga clic<strong>Configuración de Seguridad ...</strong>"
 msgid ""
 "Turn the Slider to <strong>High</strong>, then click <strong>Ok</strong>"
 msgstr ""
-"Gire el control deslizante para<strong>Alto</strong>, luego dele clic "
+"Gire el control deslizante para<strong>Alto</strong>, luego haga clic "
 "en<strong>OK</strong>"
 
 #: source_templates/index.html:97
@@ -982,7 +979,7 @@ msgstr "<a href=\"/\">Haga clic aquí</a> para actualizar la página"
 
 #: source_templates/login.html:6
 msgid "Enter Codename"
-msgstr "Entre Nombre Clave"
+msgstr "Introduzca Nombre Clave"
 
 #: source_templates/login.html:12
 msgid "Enter your codename"
@@ -1003,9 +1000,9 @@ msgid ""
 "green onion button in the Tor browser to clear all history of your "
 "SecureDrop usage from this device."
 msgstr ""
-"¡Gracias por salir de su sesión! Por favor seleccione \"Nueva Identidad\" "
-"por medio del botón cebolla verde en el navegador Tor para borrar toda la "
-"historia del uso de SecureDrop de este dispositivo."
+"¡Gracias por salir de su sesión! Por favor, seleccione \"Nueva Identidad\" "
+"en el botón cebolla verde en el navegador Tor para borrar todo el historial "
+"de uso de SecureDrop de este dispositivo."
 
 #: source_templates/lookup.html:11
 msgid "Whew, it’s you! Now, the embarrassing part..."
@@ -1019,10 +1016,10 @@ msgid ""
 "all documents from that day through to our journalists."
 msgstr ""
 "Nuestros servidores experimentaron una oleada inusual de nueva actividad, "
-"cuando usted visitó por última vez. Esto podría haber sido la actividad "
-"humana, un ataque automatizado, o simplemente algún bache al azar. Para "
-"errar en el lado de la cautela, nosotros pusimos en espera el envio de todos "
-"los documentos de ese día a través de nuestros periodistas."
+"cuando usted visitó por última vez. Esto podría haber sido actividad humana, "
+"un ataque automatizado, o simplemente algún bache al azar. Para errar en el "
+"lado de la cautela, pusimos en espera el envio de todos los documentos de "
+"ese día a nuestros periodistas."
 
 #: source_templates/lookup.html:14
 msgid ""
@@ -1030,8 +1027,10 @@ msgid ""
 "submission into the hands of a journalist straight away. We’re sorry for the "
 "delay. Please do check back again in a week or so."
 msgstr ""
-"Ahora que sabemos que usted es realmente un humano, nosotros vamos "
-"rápidamente a llevar sus envíos anteriores a las manos de las periodistas."
+"Ahora que sabemos que usted es realmente un humano, nosotros rápidamente "
+"vamos a llevar sus envíos anteriores a las manos de un periodista. Lo "
+"sentimos por la demora. Por favor, vuelva a consultar en una semana más o "
+"menos."
 
 #: source_templates/lookup.html:20
 msgid "Submit Materials"
@@ -1043,9 +1042,9 @@ msgid ""
 "and messages with our <a href=\"{url}\" class=\"text-link\">public key</a> "
 "before submission. Files are encrypted as they are received by SecureDrop."
 msgstr ""
-"Si usted esta familiarizado con GPG, usted puede opcionalmente encifrar sus "
+"Si usted esta familiarizado con GPG, puede opcionalmente encriptar sus "
 "archivos y mensajes con nuestra <a href=\"{url}\" class=\"text-link\">llave "
-"publica</a> antes de enviarlos. Archivos son encifrados tan pronto ellos son "
+"publica</a> antes de enviarlos. Los archivos son encriptados tan pronto son "
 "recibidos por SecureDrop."
 
 #: source_templates/lookup.html:22
@@ -1066,7 +1065,7 @@ msgstr "Escriba un mensaje."
 
 #: source_templates/lookup.html:53
 msgid "Read Replies"
-msgstr "Leer Contestaciones"
+msgstr "Leer Respustas"
 
 #: source_templates/lookup.html:58
 msgid ""
@@ -1076,7 +1075,7 @@ msgid ""
 "respond by submitting a new message above."
 msgstr ""
 "Usted ha recibido una respuesta. Para proteger su identidad en el improbable "
-"caso de que alguien aprenda su nombre clave, por favor borre todas las "
+"caso de que alguien aprenda su nombre clave, por favor, borre todas las "
 "respuestas cuando haya terminado con ellas. Esto también nos permite saber "
 "que usted es consciente de nuestra respuesta. Usted puede responder enviando "
 "un nuevo mensaje arriba."
@@ -1136,11 +1135,11 @@ msgid ""
 "button in the Tor browser to clear all history of your SecureDrop usage from "
 "this device. If you are not using Tor Browser, restart your browser."
 msgstr ""
-"La sesión se ha cerrado debido a la inactividad. Por favor entre de nuevo si "
+"La sesión se ha cerrado debido a inactividad. Por favor, entre de nuevo si "
 "desea continuar usando SecureDrop, o seleccione \"Nueva Identidad\" desde el "
-"botón cebolla verde en el navegador Tor para borrar toda la historia de su "
-"uso SecureDrop de este dispositivo. Si no utiliza el navegador Tor, reinicie "
-"el navegador."
+"botón cebolla verde en el navegador Tor para borrar todo el historial de su "
+"uso de SecureDrop de este dispositivo. Si no utiliza el navegador Tor, "
+"reinicie el navegador."
 
 #: source_templates/tor2web-warning.html:3
 msgid "Why is there a warning about Tor2Web?"
@@ -1164,10 +1163,10 @@ msgid ""
 "Tor2Web sites typically do not use HTTPS, it is possible that your "
 "connection could be MITM'ed by a capable adversary."
 msgstr ""
-"Tor2Web solamente protege publicadores, no lectores. Si usted carga "
-"documentos con nosotros usando Tor2Web, usted <strong>no esta anónimo</"
-"strong> y podría ser identificado por su Proveedor de Servicio de Internet "
-"or por los operadores del Tor2Proxy. Adicionalmente, como sitios de Tor2Web "
+"Tor2Web solamente protege publicadores, no lectores. Si usted nos envía "
+"documentos usando Tor2Web, usted <strong>no esta anónimo</strong> y podría "
+"ser identificado por su Proveedor de Servicio de Internet or por los "
+"operadores del Tor2Proxy. Adicionalmente, como los sitios de Tor2Web "
 "típicamente no usan HTTPS, es posible que su conexión pueda ser atacada con "
 "un ataque de tipo \"Man in the middle\" por un adversario capaz."
 
@@ -1177,7 +1176,7 @@ msgid ""
 "to install <a href=\"torproject.org/download.html.en\">Tor</a> and use it to "
 "access our site safely and anonymously."
 msgstr ""
-"Si desea enviar información, usted esta <strong>fuertemente aconsejado</"
+"Si desea enviar información, usted esta <strong>encarecidamente aconsejado</"
 "strong> a instalar <a href=\"torproject.org/download.html.en\">Tor</a> y "
 "usarlo para entrar a nuestro sitio seguramente y anónimamente."
 
@@ -1189,8 +1188,8 @@ msgstr "Usted Debería Usar Tor Browser"
 msgid ""
 "If you are not using Tor Browser, you <strong>may not be anonymous</strong>."
 msgstr ""
-"Si usted no está usando el Tor Browser, usted <strong> quizá no este "
-"anónimo</strong>."
+"Si no está usando el Tor Browser, usted <strong> quizá no esté anónimo</"
+"strong>."
 
 #: source_templates/use-tor-browser.html:5
 msgid ""
@@ -1198,9 +1197,9 @@ msgid ""
 "you</strong> to install Tor Browser and use it to access our site safely and "
 "anonymously."
 msgstr ""
-"Si usted quiere cargar información a SecureDrop, nosotros <strong> "
-"fuertemente le recomendamos </strong> que instale el Tor Browser y lo use "
-"para entrar a nuestro sitio anónimamente."
+"Si usted quiere enviar información a SecureDrop, nosotros <strong> "
+"encarecidamente le recomendamos </strong> que instale el Tor Browser y lo "
+"use para entrar a nuestro sitio anónimamente."
 
 #: source_templates/use-tor-browser.html:6
 msgid ""
@@ -1220,9 +1219,9 @@ msgid ""
 "messages and files before submission can provide an extra layer of security "
 "before your data reaches the SecureDrop server."
 msgstr ""
-"SecureDrop encifra archivos y mensajes después de haber sido cargados. "
-"Encriptado de mensajes y archivos antes de la sumisión puede proveer una "
-"capa extra de seguridad a su información antes de que llegue al servidor de "
+"SecureDrop encripta archivos y mensajes después de haber sido enviados. "
+"Encriptar mensajes y archivos antes de enviarlos puede proveer una capa "
+"extra de seguridad a su información antes de que llegue al servidor de "
 "SecureDrop."
 
 #: source_templates/why-journalist-key.html:5
@@ -1230,8 +1229,8 @@ msgid ""
 "If you are already familiar with the GPG encryption software, you may wish "
 "to encrypt your submissions yourself. To do so:"
 msgstr ""
-"Si usted ya esta familiarizado encifrando con el software GPG, es posible "
-"que usted desee encifrar sus sumisiones usted mismo. Para hacer eso:"
+"Si usted ya esta familiarizado encriptando con el software GPG, es posible "
+"que desee encriptar sus envios usted mismo. Para hacer eso:"
 
 #: source_templates/why-journalist-key.html:7
 msgid ""
@@ -1243,7 +1242,7 @@ msgstr ""
 
 #: source_templates/why-journalist-key.html:8
 msgid "Import it into your GPG keyring."
-msgstr "Importelo en su llavero GPG."
+msgstr "Importela en su llavero GPG."
 
 #: source_templates/why-journalist-key.html:10
 msgid ""
@@ -1251,9 +1250,9 @@ msgid ""
 "<code>.asc</code> file you just downloaded and it will be automatically "
 "imported to your keyring."
 msgstr ""
-"Si usted esta usando <a href=\"{url}\">Tails</a>, usted puede darle doble "
-"click al archivo <code>.asc</code> que acaba de bajar y este automáticamente "
-"va hacer importado a su llavero."
+"Si usted esta usando <a href=\"{url}\">Tails</a>, puede hacer doble click al "
+"archivo <code>.asc</code> que acaba de bajar y este automáticamente va a ser "
+"importado a su llavero."
 
 #: source_templates/why-journalist-key.html:11
 msgid ""
@@ -1265,7 +1264,7 @@ msgstr ""
 
 #: source_templates/why-journalist-key.html:14
 msgid "Encrypt your submission."
-msgstr "Encifre su envío."
+msgstr "Encripte su envío."
 
 #: source_templates/why-journalist-key.html:16
 msgid ""
@@ -1275,7 +1274,7 @@ msgid ""
 "asc</code>!)"
 msgstr ""
 "Usted va a necesitar poder identificar la llave (esta es llamada la \"user ID"
-"\" o UID). Ya que el nombre del archivo de la llave publica es la huella "
+"\" o UID). Ya que el nombre del archivo de la llave pública es la huella "
 "digital (con .asc al final), usted puede copiar y pegar eso. (¡No incluya "
 "<code>.asc</code>!)"
 
@@ -1293,8 +1292,8 @@ msgid ""
 "unencrypted file, with .gpg at the end (e.g. <code>roswell_photos.pdf.gpg</"
 "code>)"
 msgstr ""
-"Suba su sumisión encifrada. Este va tener el mismo nombre de archivo como el "
-"archivo que no esta encifrado, con .gpg al final (por "
+"Suba su envío encriptado. Este va tener el mismo nombre de archivo como el "
+"archivo que no esta encriptado, con .gpg al final (por "
 "ejemplo<code>roswell_photos.pdf.gpg</code>)"
 
 #: source_templates/why-journalist-key.html:23
@@ -1304,10 +1303,13 @@ msgid ""
 "<code>-s</code> flag) as this will reveal your GPG identity to us."
 msgstr ""
 "<strong>Tip:</strong> Si usted desea permanecer anónimo,<strong>no </strong> "
-"use GPG para firmar el archivo encifrado (con el <code> --sign</code> or "
+"use GPG para firmar el archivo encriptado (con el <code> --sign</code> or "
 "<code> -s</code> marca) ya que esto va revelar su identidad de GPG a "
 "nosotros."
 
 #: source_templates/why-journalist-key.html:25
 msgid "Back to submission page"
-msgstr "Regresar a la pagina de sumisión"
+msgstr "Regresar a la pagina de envío"
+
+#~ msgid "messages {msg_num}"
+#~ msgstr "mensajes {msg_num}"
diff --git a/securedrop/translations/fr_FR/LC_MESSAGES/messages.po b/securedrop/translations/fr_FR/LC_MESSAGES/messages.po
index 8cdfeb52f7f..7bb491f2335 100644
--- a/securedrop/translations/fr_FR/LC_MESSAGES/messages.po
+++ b/securedrop/translations/fr_FR/LC_MESSAGES/messages.po
@@ -8,8 +8,8 @@ msgstr ""
 "Project-Id-Version: SecureDrop 0.3.12\n"
 "Report-Msgid-Bugs-To: securedrop@freedom.press\n"
 "POT-Creation-Date: 2017-09-02 07:28+0000\n"
-"PO-Revision-Date: 2017-11-20 23:00+0000\n"
-"Last-Translator: AO <french.coordinator@rbox.me>\n"
+"PO-Revision-Date: 2017-12-04 10:28+0000\n"
+"Last-Translator: Loic Dachary <loic@dachary.org>\n"
 "Language-Team: French "
 "<https://weblate.securedrop.club/projects/securedrop/securedrop/fr/>\n"
 "Language: fr_FR\n"
@@ -122,7 +122,7 @@ msgstr "Ce champ est exigé."
 
 #: journalist_app/forms.py:50
 msgid "You cannot send an empty reply."
-msgstr "Vous ne pouvez pas envoyer une réponse vide ."
+msgstr "Vous ne pouvez pas envoyer une réponse vide."
 
 #: journalist_app/main.py:118
 msgid "Thanks. Your reply has been stored."
@@ -205,12 +205,12 @@ msgid "No unread submissions in selected collections."
 msgstr "Il n'y a aucun envoi non lu dans les collections sélectionnées."
 
 #: journalist_templates/_source_row.html:19
-msgid "docs {doc_num}"
-msgstr "documents {doc_num}"
+msgid "{doc_num} docs"
+msgstr "{doc_num} documents"
 
 #: journalist_templates/_source_row.html:20
-msgid "messages {msg_num}"
-msgstr "messages {msg_num}"
+msgid "{msg_num} messages"
+msgstr "{msg_num} messages"
 
 #: journalist_templates/_source_row.html:23
 msgid "{num_unread} unread"
@@ -893,11 +893,11 @@ msgstr ""
 "Veuillez soit prendre ce nom de code par écrit et le conserver en lieu sûr, "
 "soit le mémoriser."
 
-#: source_templates/generate.html:45
+#: source_templates/generate.html:44
 msgid "USE NEW CODENAME"
 msgstr "UTILISER UN NOUVEAU NOM DE CODE"
 
-#: source_templates/generate.html:47
+#: source_templates/generate.html:46
 msgid "USE EXISTING CODENAME"
 msgstr "UTILISER UN NOM DE CODE EXISTANT"
 
@@ -1320,3 +1320,6 @@ msgstr ""
 #: source_templates/why-journalist-key.html:25
 msgid "Back to submission page"
 msgstr "Revenir à la page d'envoi"
+
+#~ msgid "messages {msg_num}"
+#~ msgstr "messages {msg_num}"
diff --git a/securedrop/translations/messages.pot b/securedrop/translations/messages.pot
index 3016673f2cc..182b21dd22f 100644
--- a/securedrop/translations/messages.pot
+++ b/securedrop/translations/messages.pot
@@ -6,7 +6,7 @@
 #, fuzzy
 msgid ""
 msgstr ""
-"Project-Id-Version: SecureDrop 0.4.4\n"
+"Project-Id-Version: SecureDrop 0.5-rc4\n"
 "Report-Msgid-Bugs-To: securedrop@freedom.press\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
@@ -179,11 +179,11 @@ msgid "No unread submissions in selected collections."
 msgstr ""
 
 #: journalist_templates/_source_row.html:19
-msgid "docs {doc_num}"
+msgid "{doc_num} docs"
 msgstr ""
 
 #: journalist_templates/_source_row.html:20
-msgid "messages {msg_num}"
+msgid "{msg_num} messages"
 msgstr ""
 
 #: journalist_templates/_source_row.html:23
@@ -781,11 +781,11 @@ msgid ""
 "memorize it."
 msgstr ""
 
-#: source_templates/generate.html:45
+#: source_templates/generate.html:44
 msgid "USE NEW CODENAME"
 msgstr ""
 
-#: source_templates/generate.html:47
+#: source_templates/generate.html:46
 msgid "USE EXISTING CODENAME"
 msgstr ""
 
diff --git a/securedrop/translations/nb_NO/LC_MESSAGES/messages.po b/securedrop/translations/nb_NO/LC_MESSAGES/messages.po
index 5f06f1b44f8..4399a5b30cc 100644
--- a/securedrop/translations/nb_NO/LC_MESSAGES/messages.po
+++ b/securedrop/translations/nb_NO/LC_MESSAGES/messages.po
@@ -8,7 +8,7 @@ msgstr ""
 "Project-Id-Version: SecureDrop 0.3.12\n"
 "Report-Msgid-Bugs-To: securedrop@freedom.press\n"
 "POT-Creation-Date: 2017-09-02 07:28+0000\n"
-"PO-Revision-Date: 2017-11-28 22:54+0000\n"
+"PO-Revision-Date: 2017-12-02 10:06+0000\n"
 "Last-Translator: Allan Nordhøy <epost@anotheragency.no>\n"
 "Language-Team: Norwegian Bokmål "
 "<https://weblate.securedrop.club/projects/securedrop/securedrop/nb_NO/>\n"
@@ -192,12 +192,12 @@ msgid "No unread submissions in selected collections."
 msgstr "Ingen uleste innsendte bidrag i valgte kildeoppføringer."
 
 #: journalist_templates/_source_row.html:19
-msgid "docs {doc_num}"
-msgstr "dok. {doc_num}"
+msgid "{doc_num} docs"
+msgstr "{doc_num} dok."
 
 #: journalist_templates/_source_row.html:20
-msgid "messages {msg_num}"
-msgstr "meldinger {msg_num}"
+msgid "{msg_num} messages"
+msgstr "{msg_num} meldinger"
 
 #: journalist_templates/_source_row.html:23
 msgid "{num_unread} unread"
@@ -863,11 +863,11 @@ msgid ""
 "memorize it."
 msgstr "Husk, eller skriv ned kodenavnet på et sikkert sted."
 
-#: source_templates/generate.html:45
+#: source_templates/generate.html:44
 msgid "USE NEW CODENAME"
 msgstr "BRUK NYTT KODENAVN"
 
-#: source_templates/generate.html:47
+#: source_templates/generate.html:46
 msgid "USE EXISTING CODENAME"
 msgstr "BRUK EKSISTERENDE KODENAVN"
 
@@ -1280,3 +1280,6 @@ msgstr ""
 #: source_templates/why-journalist-key.html:25
 msgid "Back to submission page"
 msgstr "Tilbake til innsendelsesside"
+
+#~ msgid "messages {msg_num}"
+#~ msgstr "meldinger {msg_num}"
diff --git a/securedrop/translations/nl/LC_MESSAGES/messages.po b/securedrop/translations/nl/LC_MESSAGES/messages.po
index d1cb2c78f70..1631ce36fc7 100644
--- a/securedrop/translations/nl/LC_MESSAGES/messages.po
+++ b/securedrop/translations/nl/LC_MESSAGES/messages.po
@@ -8,7 +8,7 @@ msgstr ""
 "Project-Id-Version: SecureDrop 0.3.12\n"
 "Report-Msgid-Bugs-To: securedrop@freedom.press\n"
 "POT-Creation-Date: 2017-09-02 07:28+0000\n"
-"PO-Revision-Date: 2017-11-28 22:54+0000\n"
+"PO-Revision-Date: 2017-12-04 10:36+0000\n"
 "Last-Translator: kwadronaut <kwadronaut@autistici.org>\n"
 "Language-Team: Dutch "
 "<https://weblate.securedrop.club/projects/securedrop/securedrop/nl/>\n"
@@ -200,12 +200,12 @@ msgid "No unread submissions in selected collections."
 msgstr "Geen ongelezen inzendingen in de geselecteerde collecties."
 
 #: journalist_templates/_source_row.html:19
-msgid "docs {doc_num}"
-msgstr "documenten {doc_num}"
+msgid "{doc_num} docs"
+msgstr "{doc_num} documenten"
 
 #: journalist_templates/_source_row.html:20
-msgid "messages {msg_num}"
-msgstr "berichten {msg_num}"
+msgid "{msg_num} messages"
+msgstr "{msg_num} berichten"
 
 #: journalist_templates/_source_row.html:23
 msgid "{num_unread} unread"
@@ -878,11 +878,11 @@ msgstr ""
 "Noteer deze codenaam en bewaar op een veilige plaats of leer hem uit het "
 "hoofd."
 
-#: source_templates/generate.html:45
+#: source_templates/generate.html:44
 msgid "USE NEW CODENAME"
 msgstr "GEBRUIK EEN NIEUWE CODENAAM"
 
-#: source_templates/generate.html:47
+#: source_templates/generate.html:46
 msgid "USE EXISTING CODENAME"
 msgstr "GEBRUIK HUIDIGE CODENAAM"
 
@@ -1299,3 +1299,6 @@ msgstr ""
 #: source_templates/why-journalist-key.html:25
 msgid "Back to submission page"
 msgstr "Terug naar inzendingenpagina"
+
+#~ msgid "messages {msg_num}"
+#~ msgstr "berichten {msg_num}"
diff --git a/securedrop/translations/pt_BR/LC_MESSAGES/messages.po b/securedrop/translations/pt_BR/LC_MESSAGES/messages.po
index 8d383b4ff24..e1db3f6115f 100644
--- a/securedrop/translations/pt_BR/LC_MESSAGES/messages.po
+++ b/securedrop/translations/pt_BR/LC_MESSAGES/messages.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: SecureDrop 0.4.3\n"
 "Report-Msgid-Bugs-To: securedrop@freedom.press\n"
-"PO-Revision-Date: 2017-11-28 22:54+0000\n"
+"PO-Revision-Date: 2017-12-04 13:00+0000\n"
 "Last-Translator: communiaa <ameaneantie@riseup.net>\n"
 "Language-Team: Portuguese (Brazil) "
 "<https://weblate.securedrop.club/projects/securedrop/securedrop/pt_BR/>\n"
@@ -33,11 +33,11 @@ msgstr "Senha ou código de verificação de dois fatores incorreto."
 
 #: journalist_app/account.py:39
 msgid "Token in two-factor authentication verified."
-msgstr "Token de autenticação de dois fatores verificado."
+msgstr "Código de autenticação de dois fatores verificado."
 
 #: journalist_app/account.py:43 journalist_app/admin.py:91
 msgid "Could not verify token in two-factor authentication."
-msgstr "Falha na verificação do token de autenticação de dois fatores."
+msgstr "Não foi possível verificar o código de autenticação de dois fatores."
 
 #: journalist_app/admin.py:47
 msgid ""
@@ -56,13 +56,13 @@ msgid ""
 "An error occurred saving this user to the database. Please inform your "
 "administrator."
 msgstr ""
-"Ocorreu um erro ao tentar salvar este usuário no banco de dados. Favor "
-"informar o administrador."
+"Ocorreu um erro ao tentar salvar este usuário no banco de dados. Por favor, "
+"informe o administrador."
 
 #: journalist_app/admin.py:84
 msgid "Token in two-factor authentication accepted for user {user}."
 msgstr ""
-"Token de autenticação de dois fatores foi aceito para o usuário {user}."
+"O código de autenticação de dois fatores foi aceito para o usuário {user}."
 
 #: journalist_app/admin.py:118
 msgid "Invalid secret format: please only submit letters A-F and numbers 0-9."
@@ -79,7 +79,7 @@ msgstr ""
 #: journalist_app/admin.py:128 journalist_app/main.py:107
 #: journalist_app/utils.py:38
 msgid "An unexpected error occurred! Please inform your administrator."
-msgstr "Ocorreu um erro inesperado! Favor informar o administrador."
+msgstr "Ocorreu um erro inesperado! Por favor, informe o administrador."
 
 #: journalist_app/admin.py:161
 msgid "Username \"{user}\" already taken."
@@ -91,7 +91,7 @@ msgstr "Usuário '{user}' apagado"
 
 #: journalist_app/col.py:47
 msgid "{source_name}'s collection deleted"
-msgstr "Coleção {source_name} apagada"
+msgstr "A coleção de {source_name} foi apagada"
 
 #: journalist_app/col.py:58
 msgid "No collections selected."
@@ -103,13 +103,13 @@ msgstr "Apenas administradores podem acessar esta página."
 
 #: journalist_app/forms.py:17
 msgid "Field must be 40 characters long but got {num_chars}."
-msgstr "Campo deve conter 40 caracteres, mas contém {num_chars}."
+msgstr "Este campo deve conter 40 caracteres, mas contém {num_chars}."
 
 #: journalist_app/forms.py:28
 msgid ""
 "Field must be at least {min_chars} characters long but only got {num_chars}."
 msgstr ""
-"Campo deve conter pelo menos {min_chars} caracteres, mas contém apenas "
+"Este campo deve conter pelo menos {min_chars} caracteres, mas contém apenas "
 "{num_chars}."
 
 #: journalist_app/forms.py:33 source_app/forms.py:11
@@ -122,7 +122,7 @@ msgstr "Não é possível enviar uma resposta em branco."
 
 #: journalist_app/main.py:118
 msgid "Thanks. Your reply has been stored."
-msgstr "Obrigado. Sua resposta foi registrada."
+msgstr "Agradecemos pela contribuição. Sua resposta foi registrada."
 
 #: journalist_app/main.py:139
 msgid "No collections selected for download."
@@ -130,7 +130,7 @@ msgstr "Nenhuma coleção selecionada para download."
 
 #: journalist_app/main.py:142 journalist_app/utils.py:188
 msgid "No collections selected for deletion."
-msgstr "Nenhuma coleção foi selecionada para ser excluída."
+msgstr "Nenhuma coleção selecionada para ser apagada."
 
 #: journalist_app/main.py:168
 msgid "The source '{original_name}' has been renamed to '{new_name}'"
@@ -151,14 +151,18 @@ msgstr "Não foi possível fazer login."
 #: journalist_app/utils.py:84
 msgid "Please wait at least {seconds} second before logging in again."
 msgid_plural "Please wait at least {seconds} seconds before logging in again."
-msgstr[0] "Favor esperar pelo menos {seconds} segundo antes de tentar novamente."
-msgstr[1] "Favor esperar pelo menos {seconds} segundos antes de tentar novamente."
+msgstr[0] ""
+"Por favor, espere pelo menos {seconds} segundo antes de tentar acessar "
+"novamente."
+msgstr[1] ""
+"Por favor, espere pelo menos {seconds} segundos antes de tentar acessar "
+"novamente."
 
 #: journalist_app/utils.py:95
 msgid "Please wait for a new two-factor token before trying again."
 msgstr ""
-"Favor aguardar um novo token de autenticação de dois fatores antes de tentar "
-"novamente."
+"Por favor, aguarde um novo código de autenticação de dois fatores antes de "
+"tentar novamente."
 
 #: journalist_app/utils.py:140
 msgid "Submission deleted."
@@ -174,7 +178,7 @@ msgstr[1] "{num} coleções apagadas"
 
 #: journalist_app/utils.py:228
 msgid "You submitted a bad password! Password not changed."
-msgstr "A senha inserida está incorreta! Senha não alterada."
+msgstr "Senha incorreta! A sua senha não foi alterada."
 
 #: journalist_app/utils.py:235
 msgid ""
@@ -182,8 +186,8 @@ msgid ""
 "correctly. To prevent you from getting locked out of your account, you "
 "should reset your password again."
 msgstr ""
-"Ocorreu um erro, e a nova senha pode não ter sido salva corretamente. Para "
-"não perder o acesso à sua conta, redefina a sua senha."
+"Ocorreu um erro, e a nova senha talvez não tenha sido salva corretamente. "
+"Para não perder o acesso à sua conta, redefina a sua senha."
 
 #: journalist_app/utils.py:244
 msgid ""
@@ -198,12 +202,12 @@ msgid "No unread submissions in selected collections."
 msgstr "Nenhum envio não lido nas coleções selecionadas."
 
 #: journalist_templates/_source_row.html:19
-msgid "docs {doc_num}"
-msgstr "documentos {doc_num}"
+msgid "{doc_num} docs"
+msgstr "{doc_num} documentos"
 
 #: journalist_templates/_source_row.html:20
-msgid "messages {msg_num}"
-msgstr "mensagens {msg_num}"
+msgid "{msg_num} messages"
+msgstr "{msg_num} mensagens"
 
 #: journalist_templates/_source_row.html:23
 msgid "{num_unread} unread"
@@ -212,7 +216,7 @@ msgstr "{num_unread} não lidas"
 #: journalist_templates/account_edit_hotp_secret.html:6
 #: journalist_templates/admin_edit_hotp_secret.html:7
 msgid "Change Secret"
-msgstr "Alterar segredo"
+msgstr "Alterar Segredo"
 
 #: journalist_templates/account_edit_hotp_secret.html:7
 #: journalist_templates/admin_add_user.html:33
@@ -266,7 +270,7 @@ msgid ""
 "Your phone will now be in \"scanning\" mode. When you are in this mode, scan "
 "the barcode below:"
 msgstr ""
-"Seu telefone agora deve estar em modo \"scan\". Escaneie o código de barras "
+"Agora seu telefone deve estar em modo \"scan\". Escaneie o código de barras "
 "abaixo:"
 
 #: journalist_templates/account_new_two_factor.html:14
@@ -325,7 +329,7 @@ msgstr "Editar"
 
 #: journalist_templates/admin.html:18 journalist_templates/index.html:15
 msgid "Delete"
-msgstr "Excluir"
+msgstr "Apagar"
 
 #: journalist_templates/admin.html:19
 msgid "Created"
@@ -341,7 +345,7 @@ msgstr "Editar usuário {username}"
 
 #: journalist_templates/admin.html:26
 msgid "Delete user {username}"
-msgstr "Excluir usuário {username}"
+msgstr "Apagar usuário {username}"
 
 #: journalist_templates/admin.html:31
 msgid "never"
@@ -358,7 +362,7 @@ msgstr "Voltar à interface de administração"
 
 #: journalist_templates/admin_add_user.html:21
 msgid "The user's password will be:"
-msgstr "A senha do usuário será:"
+msgstr "A senha de usuário será:"
 
 #: journalist_templates/admin_add_user.html:24
 #: journalist_templates/edit_account.html:17
@@ -377,11 +381,11 @@ msgid ""
 "them enter one of the 6-digit codes from the app to confirm that two factor "
 "authentication is set up correctly."
 msgstr ""
-"Está quase terminando! Para finalizar a criação este novo usuário, peça para "
-"ele seguir as instruções abaixo e configurar a autenticação de dois fatores "
-"com o Google Authenticator. Ao registrar a nova conta no aplicativo, será "
-"gerado um código de seis dígitos, que deve ser usado pelo usuário para "
-"verificar a configuração da autenticação de dois fatores."
+"Está quase terminando! Para finalizar a criação deste novo usuário, peça "
+"para essa pessoa seguir as instruções abaixo e configurar a autenticação de "
+"dois fatores com o Google Authenticator. Ao registrar a nova conta no "
+"aplicativo, um código de seis dígitos será gerado. Ele deve ser usado pelo "
+"usuário para verificar a configuração da autenticação de dois fatores."
 
 #: journalist_templates/base.html:24
 msgid "Logged on as"
@@ -389,7 +393,7 @@ msgstr "Conectado como"
 
 #: journalist_templates/base.html:26
 msgid "Admin"
-msgstr "Administrador"
+msgstr "Admin"
 
 #: journalist_templates/base.html:28
 msgid "Log Out"
@@ -400,8 +404,8 @@ msgid ""
 "Powered by <br> <img src=\"/static/i/securedrop_small.png\" alt=\"SecureDrop"
 "\">"
 msgstr ""
-"Este site utiliza a tecnologia <br> <img src=\"/static/i/securedrop_small."
-"png\" alt=\"SecureDrop\">"
+"Este site utiliza a tecnologia <br> <img src=\"/static/i/securedrop_small.png"
+"\" alt=\"SecureDrop\">"
 
 #: journalist_templates/base.html:54
 msgid "Powered by <em>SecureDrop {version}</em>."
@@ -417,17 +421,17 @@ msgid ""
 "the first random codename is difficult to say or remember. You can generate "
 "new random codenames as many times as you like."
 msgstr ""
-"Gere um nome codinome aleatório para esta fonte. Recomendamos fazer isso se "
-"o primeiro codinome gerado for difícil de pronunciar ou se lembrar. Você "
-"pode gerar novos codinomes aleatórios quantas vezes quiser."
+"Gerar um novo codinome aleatório para esta fonte. Recomendamos que isso seja "
+"feito caso o primeiro codinome gerado seja difícil de pronunciar ou de "
+"lembrar. Você pode gerar novos codinomes aleatórios quantas vezes quiser."
 
 #: journalist_templates/col.html:13
 msgid "Change codename"
-msgstr "Mudar codinome"
+msgstr "Alterar codinome"
 
 #: journalist_templates/col.html:14
 msgid "Are you sure you want to generate a new codename?"
-msgstr "Tem certeza que quer gerar um novo codinome?"
+msgstr "Tem certeza de que deseja gerar um novo codinome?"
 
 #: journalist_templates/col.html:15 source_templates/lookup.html:72
 msgid "Cancel"
@@ -451,7 +455,7 @@ msgstr "Baixar Seleção"
 
 #: journalist_templates/col.html:27
 msgid "Delete Selected"
-msgstr "Excluir Seleção"
+msgstr "Apagar Seleção"
 
 #: journalist_templates/col.html:55
 msgid "Uploaded Document"
@@ -484,8 +488,8 @@ msgid ""
 "An encryption key will be generated for the source the next time they log "
 "in, after which you will be able to reply to the source here."
 msgstr ""
-"Uma chave criptográfica será gerada para esta fonte da próxima vez que ela "
-"se conectar, após o que você poderá responder a ela por aqui."
+"Uma chave criptográfica será gerada para esta fonte na próxima vez que ela "
+"se conectar. Em seguida, você poderá responder a ela aqui."
 
 #: journalist_templates/col.html:89
 msgid "Click below if you would like to write a reply to this source."
@@ -507,7 +511,7 @@ msgstr ""
 
 #: journalist_templates/col.html:104
 msgid "DELETE COLLECTION"
-msgstr "EXCLUIR COLEÇÃO"
+msgstr "APAGAR COLEÇÃO"
 
 #: journalist_templates/delete.html:5
 msgid ""
@@ -515,12 +519,12 @@ msgid ""
 msgid_plural ""
 "The following {files} files have been selected for <strong>permanent "
 "deletion</strong>:"
-msgstr[0] "O arquivo seguinte será <strong>excluído permanentemente</strong>:"
-msgstr[1] "Os arquivos seguintes serão <strong>excluídos permanentemente</strong>:"
+msgstr[0] "O seguinte arquivo será <strong>apagado definitivamente</strong>:"
+msgstr[1] "Os seguintes arquivos serão <strong>apagados definitivamente</strong>:"
 
 #: journalist_templates/delete.html:20
 msgid "PERMANENTLY DELETE FILES"
-msgstr "EXCLUIR ARQUIVOS PERMANENTEMENTE"
+msgstr "APAGAR ARQUIVOS DEFINITIVAMENTE"
 
 #: journalist_templates/delete.html:23
 msgid "Return to the list of documents for {source_name}…"
@@ -528,15 +532,15 @@ msgstr "Voltar para a lista de documentos de {source_name}…"
 
 #: journalist_templates/edit_account.html:6
 msgid "Edit user \"{user}\""
-msgstr "Editar o usuário \"{user}\""
+msgstr "Editar usuário \"{user}\""
 
 #: journalist_templates/edit_account.html:8
 msgid "Change Username &amp; Admin Status"
-msgstr "Modificar nome de usuário e poderes de administrador"
+msgstr "Alterar nome de usuário e credenciais de administrador"
 
 #: journalist_templates/edit_account.html:12
 msgid "Change username"
-msgstr "Modificar nome de usuário"
+msgstr "Alterar nome de usuário"
 
 #: journalist_templates/edit_account.html:19
 msgid "UPDATE"
@@ -544,7 +548,7 @@ msgstr "ATUALIZAR"
 
 #: journalist_templates/edit_account.html:22
 msgid "Edit your account"
-msgstr "Editar a sua conta"
+msgstr "Editar sua conta"
 
 #: journalist_templates/edit_account.html:25
 msgid "Reset Password"
@@ -560,8 +564,8 @@ msgid ""
 "Your password will be changed immediately, so you will need to save it "
 "before pressing the \"Reset Password\" button."
 msgstr ""
-"Sua senha será modificada imediatamente. Salve sua senha antes de clicar em "
-"\"Redefinir Senha\"."
+"Sua senha será alterada imediatamente. Salve sua senha antes de clicar em \""
+"Redefinir Senha\"."
 
 #: journalist_templates/edit_account.html:34
 msgid "Please enter your current password and two-factor code."
@@ -577,11 +581,11 @@ msgstr "Código de dois fatores"
 
 #: journalist_templates/edit_account.html:46
 msgid "The user's password will be changed to:"
-msgstr "A senha do usuário será alterada para:"
+msgstr "A senha de usuário será alterada para:"
 
 #: journalist_templates/edit_account.html:48
 msgid "Your password will be changed to:"
-msgstr "Sua senha será alterada para:"
+msgstr "A sua senha será alterada para:"
 
 #: journalist_templates/edit_account.html:53
 msgid "RESET PASSWORD"
@@ -599,9 +603,10 @@ msgid ""
 "credentials. Otherwise, they will be locked out of their account."
 msgstr ""
 "Se as credenciais de autentificação de dois fatores de um usuário forem "
-"perdidas ou comprometidas, você pode redefini-las aqui. <em>Caso deseje fazê-"
-"lo, o usuário deve estar presente e preparado para configurar seu aparelho "
-"com as novas credenciais. Caso contrário, ele não poderá acessar a sua conta."
+"perdidas ou comprometidas, você pode redefini-las aqui. <em>Ao fazê-lo, essa "
+"pessoa deve estar presente e preparada para configurar o aparelho dela com "
+"as novas credenciais. Caso contrário, ela não poderá mais acessar a própria "
+"conta."
 
 #: journalist_templates/edit_account.html:63
 msgid ""
@@ -622,8 +627,8 @@ msgid ""
 "the Yubikey, choose the second."
 msgstr ""
 "Para redefinir a autenticação de dois fatores para aplicativos móveis, como "
-"Google Authenticator ou FreeOTP, selecione a primeira opção. Para tokens "
-"como a Yubikey, selecione a segunda."
+"Google Authenticator ou FreeOTP, selecione a primeira opção. Para tokens de "
+"segurança como o Yubikey, selecione a segunda."
 
 #: journalist_templates/edit_account.html:85
 msgid "RESET TWO-FACTOR AUTHENTICATION (APP)"
@@ -635,7 +640,7 @@ msgstr "REDEFINIR A AUTENTICAÇÃO DE DOIS FATORES (TOKEN)"
 
 #: journalist_templates/flag.html:5
 msgid "Thanks!"
-msgstr "Obrigado!"
+msgstr "Agradecemos!"
 
 #: journalist_templates/flag.html:8
 msgid ""
@@ -646,12 +651,12 @@ msgid ""
 msgstr ""
 "O SecureDrop gerará uma chave criptográfica segura para esta fonte da "
 "próxima vez que ela se conectar. Quando a chave tiver sido criada, um campo "
-"de resposta aparecerá abaixo de sua coleção de documentos, através da qual "
-"você poderá escrever mensagens protegidas para esta fonte."
+"de respostas aparecerá abaixo da sua coleção de documentos. Esse campo de "
+"respostas poderá ser usado para redigir mensagens protegidas para esta fonte."
 
 #: journalist_templates/flag.html:10
 msgid "Continue to the list of documents for {codename}..."
-msgstr "Continuar para a lista de documentos de {codename}..."
+msgstr "Acessar a lista de documentos de {codename}..."
 
 #: journalist_templates/index.html:4
 msgid "Sources"
@@ -695,25 +700,26 @@ msgstr "Não Selecionar Nada"
 
 #: journalist_templates/js-strings.html:7
 msgid "Are you sure you want to delete this collection?"
-msgstr "Tem certeza que quer excluir esta coleção?"
+msgstr "Tem certeza de que deseja apagar esta coleção?"
 
 #: journalist_templates/js-strings.html:8
 msgid "Are you sure you want to delete the {size} selected collections?"
-msgstr "Tem certeza que quer excluir as {size} coleções selecionadas?"
+msgstr "Tem certeza de que deseja apagar as {size} coleções selecionadas?"
 
 #: journalist_templates/js-strings.html:9
 msgid "Are you sure you want to delete the {size} selected submissions?"
-msgstr "Tem certeza que quer excluir os {size} itens selecionados?"
+msgstr "Você tem certeza de que deseja apagar os {size} itens selecionados?"
 
 #: journalist_templates/js-strings.html:10
 msgid "Are you sure you want to delete the user {username}?"
-msgstr "Tem certeza que quer excluir o usuário {username}?"
+msgstr "Tem certeza de que deseja apagar o usuário {username}?"
 
 #: journalist_templates/js-strings.html:11
 msgid ""
 "Are you sure you want to reset two-factor authentication for {username}?"
 msgstr ""
-"Tem certeza que quer redefinir a autenticação de dois fatores de {username}?"
+"Tem certeza de que deseja redefinir a autenticação de dois fatores de "
+"{username}?"
 
 #: journalist_templates/login.html:4
 msgid "Login to access the journalist interface"
@@ -732,13 +738,13 @@ msgid ""
 "<strong>WARNING:</strong> You appear to be using Tor2Web. This <strong>does "
 "not</strong> provide anonymity. <a href=\"{url}\">Why is this dangerous?</a>"
 msgstr ""
-"<strong>ATENÇÃO:</strong> você parece estar usando Tor2Web. Isso<strong> "
-"não</strong> lhe confere anonimato. <a href=\"{url}\">Por que isso é "
-"perigoso?</a>"
+"<strong>ATENÇÃO:</strong> Parece que você está usando o Tor2Web, o que "
+"<strong> não</strong> garante o seu anonimato. <a href=\"{url}\">Por que "
+"isso é perigoso?</a>"
 
 #: source_app/forms.py:14
 msgid "Field must be between 1 and {max_codename_len} characters long."
-msgstr "Este campo deve ter de 1 a {max_codename_len} caracteres."
+msgstr "Este campo deve conter entre 1 e {max_codename_len} caracteres."
 
 #: source_app/forms.py:17
 msgid "Invalid input."
@@ -749,8 +755,7 @@ msgid ""
 "You were redirected because you are already logged in. If you want to create "
 "a new account, you should log out first."
 msgstr ""
-"Você foi redirecionado porque já está conectado. Para criar uma nova conta, "
-"é preciso encerrar a sessão."
+"Sessão já iniciada. Para criar uma nova conta, é preciso encerrar a sessão."
 
 #: source_app/main.py:111
 msgid "You must enter a message or choose a file to submit."
@@ -758,15 +763,16 @@ msgstr "É preciso escrever uma mensagem ou escolher um arquivo para enviar."
 
 #: source_app/main.py:144
 msgid "Thanks! We received your message."
-msgstr "Obrigado! Recebemos a sua mensagem."
+msgstr "Agradecemos pela contribuição. Recebemos a sua mensagem."
 
 #: source_app/main.py:146
 msgid "Thanks! We received your document."
-msgstr "Obrigado! Recebemos o seu documento."
+msgstr "Agradecemos pela contribuição. Recebemos o seu documento."
 
 #: source_app/main.py:148
 msgid "Thanks! We received your message and document."
-msgstr "Obrigado! Recebemos a sua mensagem e o seu documento."
+msgstr ""
+"Agradecemos pela contribuição. Recebemos a sua mensagem e o seu documento."
 
 #: source_app/main.py:184
 msgid "Reply deleted"
@@ -798,8 +804,8 @@ msgid ""
 "Like all software, SecureDrop may contain security bugs. Use at your own "
 "risk."
 msgstr ""
-"Como qualquer software, o SecureDrop pode ter falhas de segurança. Use por "
-"sua própria conta e risco."
+"Como todo software, o SecureDrop pode ter falhas de segurança. Use-o por sua "
+"própria conta e risco."
 
 #: source_templates/error.html:3
 msgid "Server error"
@@ -824,7 +830,7 @@ msgid ""
 "Thank you for sending this information to us. Please check back later for "
 "replies."
 msgstr ""
-"Obrigado por nos enviar esta informação. Volte mais tarde para ler as "
+"Agradecemos pela informação. Por favor, retorne mais tarde para ler as "
 "respostas."
 
 #: source_templates/first_submission_flashed_message.html:5
@@ -833,15 +839,15 @@ msgstr "Esqueceu o seu codinome?"
 
 #: source_templates/generate.html:4
 msgid "Welcome"
-msgstr "Bem-vindo"
+msgstr "Boas-vindas"
 
 #: source_templates/generate.html:5
 msgid ""
 "This codename is what you will use in future visits to receive messages from "
 "our journalists in response to what you submit on the next screen."
 msgstr ""
-"Use este codinome para acessar as respostas de nossos jornalistas ao "
-"material que será enviado na página seguinte."
+"Use o codinome abaixo para consultar as respostas de nossos jornalistas ao "
+"material que você enviará na página seguinte."
 
 #: source_templates/generate.html:29
 msgid ""
@@ -852,24 +858,24 @@ msgid ""
 " questions or are interested in additional documents. Unlike passwords, "
 "there is no way to retrieve a lost codename."
 msgstr ""
-"Como não usamos métodos tradicionais para rastrear os usuários de nosso "
-"serviço <strong>SecureDrop</strong>, este codinome será a nossa única "
-"maneira de entrar em contato com você para fazer perguntas ou pedir mais "
-"documentos. Diferentemente de uma senha, não é possível recuperar um "
-"codinome perdido."
+"Como não usamos métodos tradicionais para identificar as pessoas que "
+"utilizam o nosso serviço <strong>SecureDrop</strong>, este codinome será a "
+"nossa única maneira de entrar em contato com você para fazer perguntas ou "
+"pedir mais documentos. Contrariamente a uma senha, não é possível recuperar "
+"um codinome perdido."
 
 #: source_templates/generate.html:36
 msgid ""
 "Please either write this codename down and keep it in a safe place, or "
 "memorize it."
 msgstr ""
-"Por favor, anote o seu codinome e guarde-o em um lugar seguro ou memorize-o."
+"Por favor, anote o seu codinome e guarde-o em um lugar seguro, ou memorize-o."
 
-#: source_templates/generate.html:45
+#: source_templates/generate.html:44
 msgid "USE NEW CODENAME"
 msgstr "USAR UM NOVO CODINOME"
 
-#: source_templates/generate.html:47
+#: source_templates/generate.html:46
 msgid "USE EXISTING CODENAME"
 msgstr "USAR O CODINOME ATUAL"
 
@@ -879,9 +885,9 @@ msgid ""
 "anonymity:</strong> <a id=\"disable-js\" href=\"\">Learn how to set it to "
 "high</a>, or ignore this warning to continue."
 msgstr ""
-"<strong>Ajuste o controle deslizante de segurança para o nível \"Alto\" para "
-"proteger o seu anonimato.</strong><a id=\"disable-js\" href=\"\"> Aprenda a "
-"configurar o nível de segurança</a>, ou ingore este aviso e continue."
+"<strong>Ajuste a barra de segurança para o nível \"Alto\" para proteger o "
+"seu anonimato.</strong><a id=\"disable-js\" href=\"\"> Aprenda como "
+"configurar o nível de segurança</a>, ou ignore este aviso e continue."
 
 #: source_templates/index.html:18
 msgid ""
@@ -889,9 +895,9 @@ msgid ""
 "\"recommend-tor\" href=\"{tor_browser_url}\">Learn how to install it</a>, or "
 "ignore this warning to continue."
 msgstr ""
-"<strong>Recomendamos o uso do navegador Tor para acessar o "
-"SecureDrop:</strong> <a id=\"recommend-tor\" href=\"{tor_browser_url}\">Veja "
-"como instalar o Tor</a>, ou ignore este aviso e continue."
+"<strong>Recomendamos o uso do navegador Tor para acessar o SecureDrop:</"
+"strong> <a id=\"recommend-tor\" href=\"{tor_browser_url}\">Veja como "
+"instalar o Tor</a>, ou ignore este aviso e continue."
 
 #: source_templates/index.html:41
 msgid "Submit documents for the first time"
@@ -899,21 +905,21 @@ msgstr "Enviar documentos pela primeira vez"
 
 #: source_templates/index.html:48
 msgid "Already submitted something?"
-msgstr "Já enviou alguma coisa?"
+msgstr "Já enviou algum material?"
 
 #: source_templates/index.html:54
 msgid ""
 "If this is your first time submitting documents to journalists, start here."
 msgstr ""
-"Se você está enviando documentos para jornalistas pela primeira vez, comece "
-"por aqui."
+"Se você estiver enviando documentos para jornalistas pela primeira vez, "
+"comece por aqui."
 
 #: source_templates/index.html:58
 msgid ""
 "If you have already submitted documents in the past, log in here to check "
 "for responses."
 msgstr ""
-"Se você já enviou documentos antes, faça login aqui para ler as respostas."
+"Se você já tiver enviado documentos, faça login aqui para ler as respostas."
 
 #: source_templates/index.html:65
 msgid "SUBMIT DOCUMENTS"
@@ -976,9 +982,9 @@ msgid ""
 "green onion button in the Tor browser to clear all history of your "
 "SecureDrop usage from this device."
 msgstr ""
-"Obrigado por encerrar a sessão! Agora clique no ícone da cebola verde no seu "
-"navegador Tor e selecione \"Nova Identidade\" para limpar seu histórico de "
-"uso do SecureDrop neste dispositivo."
+"Sessão encerrada. Agora clique no ícone da cebola verde no seu navegador Tor "
+"e selecione \"Nova Identidade\" para limpar seu histórico de uso do "
+"SecureDrop neste dispositivo."
 
 #: source_templates/lookup.html:11
 msgid "Whew, it’s you! Now, the embarrassing part..."
@@ -992,7 +998,7 @@ msgid ""
 "all documents from that day through to our journalists."
 msgstr ""
 "Nossos servidores detectaram um aumento inesperado de novas atividades "
-"durante a sua última visita. Isso pode ter sido causado por usuários, um "
+"durante a sua última visita. Isso pode ter sido causado por usuários, por um "
 "ataque automatizado ou ter sido uma mera anomalia passageira. Por medida de "
 "precaução, suspendemos a entrega de todos os documentos enviados naquele dia "
 "a nossos jornalistas."
@@ -1003,9 +1009,9 @@ msgid ""
 "submission into the hands of a journalist straight away. We’re sorry for the "
 "delay. Please do check back again in a week or so."
 msgstr ""
-"Porém, agora que sabemos que você é mesmo uma pessoa, vamos enviar "
-"imediatamente seus documentos para um jornalista. Pedimos desculpas pelo "
-"atraso. Acesse o site novamente daqui a cerca de uma semana."
+"Agora que sabemos que você é mesmo uma pessoa, vamos enviar imediatamente "
+"seus documentos para nossos jornalistas. Pedimos desculpas pelo atraso. Por "
+"favor, retorne daqui a cerca de uma semana."
 
 #: source_templates/lookup.html:20
 msgid "Submit Materials"
@@ -1019,8 +1025,8 @@ msgid ""
 msgstr ""
 "Se você já conhece o GPG, poderá optar por criptografar seus arquivos e "
 "mensagens com nossa <a href=\"{url}\" class=\"text-link\">chave pública</a> "
-"antes de enviá-los. Os arquivos são criptografados assim que são recebidos "
-"pelo SecureDrop."
+"antes de enviá-los. Os arquivos são criptografados depois de recebidos pelo "
+"SecureDrop."
 
 #: source_templates/lookup.html:22
 msgid "<a href=\"{url}\" class=\"text-link\">Learn more</a>."
@@ -1032,7 +1038,7 @@ msgstr "Você pode enviar um arquivo, uma mensagem ou ambos."
 
 #: source_templates/lookup.html:33
 msgid "Maximum upload size: 500 MB"
-msgstr "Tamanho máximo do envio: 500 MB"
+msgstr "Tamanho máximo de envio: 500 MB"
 
 #: source_templates/lookup.html:36
 msgid "Write a message."
@@ -1049,10 +1055,10 @@ msgid ""
 "with them. This also lets us know that you are aware of our reply. You can "
 "respond by submitting a new message above."
 msgstr ""
-"Você recebeu uma resposta. Para proteger a sua identidade, caso alguém "
-"descubra o seu codinome, favor apagar todas as respostas depois de lidas. "
-"Assim também ficamos sabendo que você leu nossa mensagem. Para responder, "
-"envie uma nova mensagem acima."
+"Você recebeu uma resposta. Para proteger a sua identidade caso alguém "
+"descubra o seu codinome, apague todas as mensagens depois de lidas. Assim, "
+"também ficamos sabendo que você leu nossa mensagem. Para responder, envie "
+"uma nova mensagem acima."
 
 #: source_templates/lookup.html:71
 msgid "Delete this reply?"
@@ -1084,7 +1090,7 @@ msgstr "Não há nenhuma resposta por enquanto."
 
 #: source_templates/lookup.html:100
 msgid "Remember your codename is:"
-msgstr "Não esqueça o seu codinome:"
+msgstr "Lembre-se, o seu codinome é:"
 
 #: source_templates/lookup.html:101
 msgid "Show"
@@ -1092,7 +1098,7 @@ msgstr "Mostrar"
 
 #: source_templates/lookup.html:103
 msgid "Hide"
-msgstr "Esconder"
+msgstr "Ocultar"
 
 #: source_templates/notfound.html:3
 msgid "Page not found"
@@ -1110,9 +1116,9 @@ msgid ""
 "this device. If you are not using Tor Browser, restart your browser."
 msgstr ""
 "Sua sessão foi encerrada por inatividade. Por favor, faça login novamente se "
-"quiser continuar usando o SecureDrop, ou clique no ícone da cebola verdade "
-"do navegador Tor e selecione \"Nova Identidade\" para limpar o seu histórico "
-"de atividade do SecureDrop neste dispositivo. Se não estiver usando o Tor, "
+"quiser continuar usando o SecureDrop, ou clique no ícone da cebola verde do "
+"navegador Tor e selecione \"Nova Identidade\" para limpar o seu histórico de "
+"atividades do SecureDrop neste dispositivo. Se não estiver usando o Tor, "
 "reinicie o navegador."
 
 #: source_templates/tor2web-warning.html:3
@@ -1137,11 +1143,11 @@ msgid ""
 "Tor2Web sites typically do not use HTTPS, it is possible that your "
 "connection could be MITM'ed by a capable adversary."
 msgstr ""
-"O Tor2Web só protege quem publica, e não os leitores. Se você nos enviar "
-"documentos através do Tor2Web, não terá <strong>nenhum anonimato</strong>, "
-"podendo ser identificado pelo seu provedor de acesso ou pelos operadores do "
-"Tor2Web. Além disso, como os sites do Tor2Web não costumam usar HTTPS, sua "
-"conexão pode ser interceptada por terceiros."
+"O Tor2Web só protege quem publica, e não quem lê. Ao nos enviar documentos "
+"por meio do Tor2Web, não espere <strong>nenhum anonimato</strong>. Além "
+"disso, sua identidade será exposta ao seu provedor de acesso à Internet e "
+"aos operadores do Tor2Web. Finalmente, como os sites do Tor2Web não costumam "
+"usar HTTPS, sua conexão pode ser interceptada por terceiros."
 
 #: source_templates/tor2web-warning.html:6
 msgid ""
@@ -1151,7 +1157,7 @@ msgid ""
 msgstr ""
 "Para enviar informações, é <strong>altamente recomendado</strong> instalar o "
 "<a href=\"torproject.org/download.html.en\">Tor</a> e usá-lo para acessar "
-"nosso site com segurança e anonimato."
+"nosso site de modo seguro e anônimo."
 
 #: source_templates/use-tor-browser.html:3
 msgid "You Should Use Tor Browser"
@@ -1161,7 +1167,7 @@ msgstr "Recomendamos o uso do navegador Tor"
 msgid ""
 "If you are not using Tor Browser, you <strong>may not be anonymous</strong>."
 msgstr ""
-"Se não estiver usando o navegador Tor, seu anonimato <strong>não está "
+"Se você não estiver usando o navegador Tor, seu anonimato <strong>não estará "
 "garantido</strong>."
 
 #: source_templates/use-tor-browser.html:5
@@ -1171,8 +1177,8 @@ msgid ""
 "anonymously."
 msgstr ""
 "Para enviar informações para o SecureDrop, é <strong>altamente "
-"recomendado</strong> instalar o Navegador Tor e usá-lo para acessar nosso "
-"site com segurança e anonimato."
+"recomendado</strong> instalar o navegador Tor e usá-lo para acessar nosso "
+"site de modo seguro e anônimo."
 
 #: source_templates/use-tor-browser.html:6
 msgid ""
@@ -1201,8 +1207,8 @@ msgid ""
 "If you are already familiar with the GPG encryption software, you may wish "
 "to encrypt your submissions yourself. To do so:"
 msgstr ""
-"Se você já conhece o software de criptografia GPG, pode querer criptografar "
-"seus dados por conta própria. Para fazê-lo:"
+"Se você já conhece o software de criptografia GPG, talvez queira "
+"criptografar seus dados por conta própria. Para fazê-lo:"
 
 #: source_templates/why-journalist-key.html:7
 msgid ""
@@ -1223,8 +1229,8 @@ msgid ""
 "imported to your keyring."
 msgstr ""
 "Se estiver usando o <a href=\"{url}\">Tails</a>, você pode clicar duas vezes "
-"no arquivo <code>.asc</code> que acaba de baixar para importar "
-"automaticamente a chave."
+"no arquivo <code>.asc</code> que acaba de baixar para importar a chave "
+"automaticamente."
 
 #: source_templates/why-journalist-key.html:11
 msgid ""
@@ -1246,9 +1252,9 @@ msgid ""
 "asc</code>!)"
 msgstr ""
 "Será preciso identificar a chave (chamada \"ID do usuário\", ou \"UID\"). "
-"Como o nome do arquivo da chave pública também funciona como o fingerprint "
-"da chave (com \".asc\" no final), basta copiar e colar esse nome (deixando "
-"de fora a extensão <code>.asc</code>)."
+"Como o nome do arquivo da chave pública também é o seu fingerprint (com a "
+"extensão \".asc\" no final), basta copiar e colar esse nome (deixando de "
+"fora a extensão <code>.asc</code>)."
 
 #: source_templates/why-journalist-key.html:17
 msgid ""
@@ -1256,7 +1262,7 @@ msgid ""
 "recipient &lt;user ID&gt; --encrypt roswell_photos.pdf</code>"
 msgstr ""
 "Em qualquer sistema operacional, abra o terminal (ou prompt de comando) e "
-"execute o seguinte código: <code>gpg --recipient &lt;ID do usuário&gt; --"
+"execute o seguinte comando: <code>gpg --recipient &lt;ID do usuário&gt; --"
 "encrypt roswell_photos.pdf</code>"
 
 #: source_templates/why-journalist-key.html:20
@@ -1266,8 +1272,8 @@ msgid ""
 "code>)"
 msgstr ""
 "Envie o conteúdo criptografado. O nome do arquivo será o mesmo da versão não "
-"criptografada, mas com \".gpg\" no final (por exemplo "
-"<code>roswell_photos.pdf.gpg</code>)"
+"criptografada, mas com \".gpg\" no final (por exemplo <code>roswell_photos."
+"pdf.gpg</code>)"
 
 #: source_templates/why-journalist-key.html:23
 msgid ""
@@ -1275,10 +1281,13 @@ msgid ""
 "strong> use GPG to sign the encrypted file (with the <code>--sign</code> or "
 "<code>-s</code> flag) as this will reveal your GPG identity to us."
 msgstr ""
-"<strong>Dica:</strong> para manter o anonimato, <strong>não</strong> use o "
-"GPG para assinar o arquivo criptografado (com as opções <code>--sign</code> "
-"ou <code>-s</code>), pois isso revelaria a sua identidade."
+"<strong>Dica:</strong> para manter o seu anonimato, <strong>não</strong> use "
+"o GPG para assinar o arquivo criptografado (com as opções <code>--sign</code>"
+" ou <code>-s</code>), pois isso revelaria a sua identidade."
 
 #: source_templates/why-journalist-key.html:25
 msgid "Back to submission page"
 msgstr "Voltar à página de envio"
+
+#~ msgid "messages {msg_num}"
+#~ msgstr "mensagens {msg_num}"

From a426c2a9892f929b8f817d03529f9284c550cb1f Mon Sep 17 00:00:00 2001
From: redshiftzero <jen@freedom.press>
Date: Mon, 4 Dec 2017 19:38:36 +0000
Subject: [PATCH 02/51] SecureDrop 0.5-rc6

---
 changelog.md                                                | 2 +-
 docs/conf.py                                                | 4 ++--
 docs/set_up_admin_tails.rst                                 | 4 ++--
 install_files/ansible-base/group_vars/all/securedrop        | 2 +-
 install_files/securedrop-app-code/DEBIAN/control            | 2 +-
 .../usr/share/doc/securedrop-app-code/changelog.Debian      | 6 ++++++
 install_files/securedrop-keyring/DEBIAN/control             | 2 +-
 install_files/securedrop-ossec-agent/DEBIAN/control         | 2 +-
 install_files/securedrop-ossec-server/DEBIAN/control        | 2 +-
 molecule/builder/tests/vars.yml                             | 2 +-
 securedrop/version.py                                       | 2 +-
 11 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/changelog.md b/changelog.md
index 5b8730fd02b..8a0f765d184 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,6 +1,6 @@
 # Changelog
 
-## 0.5-rc5
+## 0.5-rc6
 
 ### Web Applications
 
diff --git a/docs/conf.py b/docs/conf.py
index 213d6b419f0..3a61b47f0ef 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -59,9 +59,9 @@
 # built documents.
 #
 # The short X.Y version.
-version = '0.5-rc5'
+version = '0.5-rc6'
 # The full version, including alpha/beta/rc tags.
-release = '0.5-rc5'
+release = '0.5-rc6'
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.
diff --git a/docs/set_up_admin_tails.rst b/docs/set_up_admin_tails.rst
index 72e6ffc4580..38e11d3ed8f 100644
--- a/docs/set_up_admin_tails.rst
+++ b/docs/set_up_admin_tails.rst
@@ -107,8 +107,8 @@ key:
 .. code:: sh
 
     cd ~/Persistent/securedrop/
-    git checkout 0.5-rc5
-    git tag -v 0.5-rc5
+    git checkout 0.5-rc6
+    git tag -v 0.5-rc6
 
 You should see ``Good signature from "SecureDrop Release Signing Key"`` in the
 output of that last command.
diff --git a/install_files/ansible-base/group_vars/all/securedrop b/install_files/ansible-base/group_vars/all/securedrop
index 62f3f4669d1..39b18ff5480 100644
--- a/install_files/ansible-base/group_vars/all/securedrop
+++ b/install_files/ansible-base/group_vars/all/securedrop
@@ -2,7 +2,7 @@
 # Variables that apply to both the app and monitor server go in this file
 # If the monitor or app server need different values define the variable in
 # hosts_vars/app.yml or host_vars/mon.yml host_vars/development.yml
-securedrop_app_code_version: "0.5-rc5"
+securedrop_app_code_version: "0.5-rc6"
 
 grsecurity: true
 install_local_packages: false
diff --git a/install_files/securedrop-app-code/DEBIAN/control b/install_files/securedrop-app-code/DEBIAN/control
index 86a8860aebf..3f63aa0ad88 100644
--- a/install_files/securedrop-app-code/DEBIAN/control
+++ b/install_files/securedrop-app-code/DEBIAN/control
@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: SecureDrop Team <securedrop@freedom.press>
 Homepage: https://securedrop.org
 Package: securedrop-app-code
-Version: 0.5-rc5
+Version: 0.5-rc6
 Architecture: amd64
 Depends: python-pip,apparmor-utils,gnupg2,haveged,python,python-pip,secure-delete,sqlite,apache2-mpm-worker,libapache2-mod-wsgi,libapache2-mod-xsendfile,redis-server,supervisor,securedrop-keyring
 Description: Packages the SecureDrop application code pip dependencies and apparmor profiles. This package will put the apparmor profiles in enforce mode. This package does use pip to install the pip wheelhouse
diff --git a/install_files/securedrop-app-code/usr/share/doc/securedrop-app-code/changelog.Debian b/install_files/securedrop-app-code/usr/share/doc/securedrop-app-code/changelog.Debian
index 292f9b7ca23..7a1fbb00106 100644
--- a/install_files/securedrop-app-code/usr/share/doc/securedrop-app-code/changelog.Debian
+++ b/install_files/securedrop-app-code/usr/share/doc/securedrop-app-code/changelog.Debian
@@ -1,3 +1,9 @@
+securedrop-app-code (0.5-rc6) trusty; urgency=medium
+
+  * See changelog.md
+
+ -- SecureDrop Team <securedrop@freedom.press>  Mon, 04 Dec 2017 19:38:29 +0000
+
 securedrop-app-code (0.5-rc5) trusty; urgency=medium
 
   * See changelog.md
diff --git a/install_files/securedrop-keyring/DEBIAN/control b/install_files/securedrop-keyring/DEBIAN/control
index 77bb1f3cf16..98893817a8c 100644
--- a/install_files/securedrop-keyring/DEBIAN/control
+++ b/install_files/securedrop-keyring/DEBIAN/control
@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: SecureDrop Team <securedrop@freedom.press>
 Homepage: https://securedrop.org
 Package: securedrop-keyring
-Version: 0.1.1+0.5-rc5
+Version: 0.1.1+0.5-rc6
 Architecture: amd64
 Depends: gnupg
 Description: Provides an apt keyring for SecureDrop-related packages, so the master signing key used for SecureDrop packages can be updated via apt.
diff --git a/install_files/securedrop-ossec-agent/DEBIAN/control b/install_files/securedrop-ossec-agent/DEBIAN/control
index 4b9e11253de..c7f81875d7c 100644
--- a/install_files/securedrop-ossec-agent/DEBIAN/control
+++ b/install_files/securedrop-ossec-agent/DEBIAN/control
@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: SecureDrop Team <securedrop@freedom.press>
 Homepage: https://securedrop.org
 Package: securedrop-ossec-agent
-Version: 2.8.2+0.5-rc5
+Version: 2.8.2+0.5-rc6
 Architecture: amd64
 Depends: ossec-agent,securedrop-keyring
 Replaces: ossec-agent
diff --git a/install_files/securedrop-ossec-server/DEBIAN/control b/install_files/securedrop-ossec-server/DEBIAN/control
index 121efc5bc44..dce7ab154e2 100644
--- a/install_files/securedrop-ossec-server/DEBIAN/control
+++ b/install_files/securedrop-ossec-server/DEBIAN/control
@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: SecureDrop Team <securedrop@freedom.press>
 Homepage: https://securedrop.org
 Package: securedrop-ossec-server
-Version: 2.8.2+0.5-rc5
+Version: 2.8.2+0.5-rc6
 Architecture: amd64
 Depends: ossec-server,securedrop-keyring
 Replaces: ossec-server
diff --git a/molecule/builder/tests/vars.yml b/molecule/builder/tests/vars.yml
index b9a1075a69c..9d07ee2be92 100644
--- a/molecule/builder/tests/vars.yml
+++ b/molecule/builder/tests/vars.yml
@@ -1,5 +1,5 @@
 ---
-securedrop_version: "0.5-rc5"
+securedrop_version: "0.5-rc6"
 ossec_version: "2.8.2"
 keyring_version: "0.1.1"
 
diff --git a/securedrop/version.py b/securedrop/version.py
index f0ff1882932..be4eec812e0 100644
--- a/securedrop/version.py
+++ b/securedrop/version.py
@@ -1 +1 @@
-__version__ = '0.5-rc5'
+__version__ = '0.5-rc6'

From c6cc6f588058650e4393a0320395e7c2937e1606 Mon Sep 17 00:00:00 2001
From: Loic Dachary <loic@dachary.org>
Date: Tue, 5 Dec 2017 01:59:31 +0100
Subject: [PATCH 03/51] l18n: arabic is postponed to the next version

---
 docs/install.rst                              |    1 -
 .../roles/tails-config/templates/ar.po        |   24 -
 .../ansible-base/securedrop-configure.yml     |    2 +-
 .../translations/ar/LC_MESSAGES/messages.po   | 1285 -----------------
 4 files changed, 1 insertion(+), 1311 deletions(-)
 delete mode 100644 install_files/ansible-base/roles/tails-config/templates/ar.po
 delete mode 100644 securedrop/translations/ar/LC_MESSAGES/messages.po

diff --git a/docs/install.rst b/docs/install.rst
index 3e405f06f89..21b7baab350 100644
--- a/docs/install.rst
+++ b/docs/install.rst
@@ -31,7 +31,6 @@ Localization of the source and journalist interfaces
 The source and journalist interface are translated in the following
 languages:
 
-* Arabic (ar)
 * German (de_DE)
 * Spanish (es_ES)
 * French (fr_FR)
diff --git a/install_files/ansible-base/roles/tails-config/templates/ar.po b/install_files/ansible-base/roles/tails-config/templates/ar.po
deleted file mode 100644
index 8f3b363548e..00000000000
--- a/install_files/ansible-base/roles/tails-config/templates/ar.po
+++ /dev/null
@@ -1,24 +0,0 @@
-# Arabic translations for PACKAGE package.
-# Copyright (C) 2017 Freedom of the Press Foundation
-# This file is distributed under the same license as the PACKAGE package.
-# Automatically generated, 2017.
-#
-msgid ""
-msgstr ""
-"Project-Id-Version: PACKAGE VERSION\n"
-"Report-Msgid-Bugs-To: securedrop@freedom.press\n"
-"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
-"Last-Translator: Automatically generated\n"
-"Language-Team: none\n"
-"Language: ar\n"
-"MIME-Version: 1.0\n"
-"Content-Type: text/plain; charset=ASCII\n"
-"Content-Transfer-Encoding: 8bit\n"
-
-#: desktop-journalist-icon.j2.in:9
-msgid "SecureDrop Journalist Interface"
-msgstr ""
-
-#: desktop-source-icon.j2.in:9
-msgid "SecureDrop Source Interface"
-msgstr ""
diff --git a/install_files/ansible-base/securedrop-configure.yml b/install_files/ansible-base/securedrop-configure.yml
index 535269a4ae2..0c08eb16d67 100644
--- a/install_files/ansible-base/securedrop-configure.yml
+++ b/install_files/ansible-base/securedrop-configure.yml
@@ -112,7 +112,7 @@
 
     - name: securedrop_supported_locales
       # the list is from the securedrop/translations repository
-      prompt: Space separated list of additional locales to support (ar de_DE en_US es_ES fr_FR nb_NO nl)
+      prompt: Space separated list of additional locales to support (de_DE en_US es_ES fr_FR nb_NO nl)
       default: ""
       private: no
 
diff --git a/securedrop/translations/ar/LC_MESSAGES/messages.po b/securedrop/translations/ar/LC_MESSAGES/messages.po
deleted file mode 100644
index 1a0d3d23fe2..00000000000
--- a/securedrop/translations/ar/LC_MESSAGES/messages.po
+++ /dev/null
@@ -1,1285 +0,0 @@
-# Arabic translations for SecureDrop.
-# Copyright (C) 2017 Freedom of the Press Foundation
-# This file is distributed under the same license as the SecureDrop project.
-# FIRST AUTHOR <EMAIL@ADDRESS>, 2017.
-#
-msgid ""
-msgstr ""
-"Project-Id-Version: SecureDrop 0.3.12\n"
-"Report-Msgid-Bugs-To: securedrop@freedom.press\n"
-"POT-Creation-Date: 2017-09-02 07:28+0000\n"
-"PO-Revision-Date: 2017-12-03 21:00+0000\n"
-"Last-Translator: ramyraoof <ramy.raoof@gmail.com>\n"
-"Language-Team: Arabic "
-"<https://weblate.securedrop.club/projects/securedrop/securedrop/ar/>\n"
-"Language: ar\n"
-"MIME-Version: 1.0\n"
-"Content-Type: text/plain; charset=UTF-8\n"
-"Content-Transfer-Encoding: 8bit\n"
-"Plural-Forms: nplurals=6; plural=n==0 ? 0 : n==1 ? 1 : n==2 ? 2 : n%100>=3 "
-"&& n%100<=10 ? 3 : n%100>=11 ? 4 : 5;\n"
-"X-Generator: Weblate 2.17.1\n"
-"Generated-By: Babel 2.4.0\n"
-
-#: template_filters.py:14
-msgid "{time} ago"
-msgstr "{time} مضى"
-
-#: journalist_app/__init__.py:34 journalist_app/__init__.py:66
-msgid "You have been logged out due to inactivity"
-msgstr "تم تسجيل الخروج بسبب خمول النشاط"
-
-#: journalist_app/account.py:26
-msgid "Incorrect password or two-factor code."
-msgstr "كلمة السر أو رمز التحقق بخطوتين غير صحيح"
-
-#: journalist_app/account.py:39
-msgid "Token in two-factor authentication verified."
-msgstr "تم تصديق رمز التحقق بخطوتين."
-
-#: journalist_app/account.py:43 journalist_app/admin.py:91
-msgid "Could not verify token in two-factor authentication."
-msgstr "تعذّر التثبت من رمز التحقق بخطوتين."
-
-#: journalist_app/admin.py:47
-msgid ""
-"There was an error with the autogenerated password. User not created. Please "
-"try again."
-msgstr ""
-"تعذر إنشاء حساب مستخدم بسبب وقوع خطأ أثناء توليد كلمة السر. رجاء المحاولة "
-"مرة أخرى."
-
-#: journalist_app/admin.py:58
-msgid "That username is already in use"
-msgstr "اسم المستخدم غير متوفر"
-
-#: journalist_app/admin.py:61
-msgid ""
-"An error occurred saving this user to the database. Please inform your "
-"administrator."
-msgstr ""
-"لقد وقع خطأ أثناء عملية تسجيل المستخدم بقاعدة البيانات. رجاء إبلاغ المدير "
-"التقني."
-
-#: journalist_app/admin.py:84
-msgid "Token in two-factor authentication accepted for user {user}."
-msgstr "تمّ قبول رمز التحقق بخطوتين للمستخدم {user}."
-
-#: journalist_app/admin.py:118
-msgid "Invalid secret format: please only submit letters A-F and numbers 0-9."
-msgstr ""
-"صيغة البيانات السرية غير صحيحة:  رجاء استخدام الأحرف من A-F والأرقام من 9-0 "
-"فقط."
-
-#: journalist_app/admin.py:123
-msgid "Invalid secret format: odd-length secret. Did you mistype the secret?"
-msgstr ""
-"صيغة البيانات السرية غير صحيحة: طول العبارة السرية يجب أن يكون عدد زوجي وليس "
-"فردي. رجاء ضبط الصيغة"
-
-#: journalist_app/admin.py:128 journalist_app/main.py:107
-#: journalist_app/utils.py:38
-msgid "An unexpected error occurred! Please inform your administrator."
-msgstr "لقد وقع خطأ غير متوقع. رجاء إبلاغ المسئول التقني."
-
-#: journalist_app/admin.py:161
-msgid "Username \"{user}\" already taken."
-msgstr "تم تخصيص اسم {user} لمستخدم آخر."
-
-#: journalist_app/admin.py:197
-msgid "Deleted user '{user}'"
-msgstr "تم حذف حساب المستخدم '{user}'"
-
-#: journalist_app/col.py:47
-msgid "{source_name}'s collection deleted"
-msgstr "مجموعة {source_name} حُذفت"
-
-#: journalist_app/col.py:58
-msgid "No collections selected."
-msgstr "لم يتم تحديد أي مجموعة."
-
-#: journalist_app/decorators.py:16
-msgid "Only administrators can access this page."
-msgstr "النفاذ للصفحة متاح للمسؤولين فقط."
-
-#: journalist_app/forms.py:17
-msgid "Field must be 40 characters long but got {num_chars}."
-msgstr "يجب أن يتضمن هذا الحقل 40 رمزا ولكنه مكوّن من {num_chars}."
-
-#: journalist_app/forms.py:28
-msgid ""
-"Field must be at least {min_chars} characters long but only got {num_chars}."
-msgstr ""
-"يجب أن يكون الحقل مكون من {min_chars} على الأقل وحاليا مشكل من {num_chars}."
-
-#: journalist_app/forms.py:33 source_app/forms.py:11
-msgid "This field is required."
-msgstr "هذا الحقل إلزامي."
-
-#: journalist_app/forms.py:50
-msgid "You cannot send an empty reply."
-msgstr "لا يمكن إرسال رد فارغ."
-
-#: journalist_app/main.py:118
-msgid "Thanks. Your reply has been stored."
-msgstr "شكرا. لقد تم تخزين ردك."
-
-#: journalist_app/main.py:139
-msgid "No collections selected for download."
-msgstr "لم يتم اختيار أي مجموعة للتنزيل."
-
-#: journalist_app/main.py:142 journalist_app/utils.py:188
-msgid "No collections selected for deletion."
-msgstr "لم يتم تحديد مجموعات لحذفها."
-
-#: journalist_app/main.py:168
-msgid "The source '{original_name}' has been renamed to '{new_name}'"
-msgstr "تمت إعادة تسمية المصدر '{original_name}' إلى '{new_name}'"
-
-#: journalist_app/main.py:183
-msgid "No unread submissions for this source."
-msgstr "لا توجد رسائل غير مقروءة من هذا المصدر."
-
-#: journalist_app/utils.py:45
-msgid "Account updated."
-msgstr "تم تحديث الحساب بنجاح."
-
-#: journalist_app/utils.py:76
-msgid "Login failed."
-msgstr "فشل تسجيل الدخول."
-
-#: journalist_app/utils.py:84
-msgid "Please wait at least {seconds} second before logging in again."
-msgid_plural "Please wait at least {seconds} seconds before logging in again."
-msgstr[0] ""
-"رجاء الانتظار {seconds} ثانية على الأقل قبل محاولة تسجيل الدخول مرة أخرى."
-msgstr[1] ""
-"رجاء الانتظار {seconds} ثانية على الأقل قبل محاولة تسجيل الدخول مرة أخرى."
-msgstr[2] ""
-"رجاء الانتظار {seconds} ثانية على الأقل قبل محاولة تسجيل الدخول مرة أخرى."
-msgstr[3] ""
-"رجاء الانتظار {seconds} ثوان على الأقل قبل محاولة تسجيل الدخول مرة أخرى."
-msgstr[4] ""
-"رجاء الانتظار {seconds} ثواني على الأقل قبل محاولة تسجيل الدخول مرة أخرى."
-msgstr[5] ""
-"رجاء الانتظار {seconds} ثواني على الأقل قبل محاولة تسجيل الدخول مرة أخرى."
-
-#: journalist_app/utils.py:95
-msgid "Please wait for a new two-factor token before trying again."
-msgstr "الرجاء انتظار رمز تحقق بخطوتين جديد قبل إعادة المحاولة."
-
-#: journalist_app/utils.py:140
-msgid "Submission deleted."
-msgid_plural "Submissions deleted."
-msgstr[0] "لم يتم حذف اي رسالة (0)."
-msgstr[1] "تم حذف الرسالة (1)."
-msgstr[2] "تم حذف رسالتان."
-msgstr[3] "تم حذف  بعض الرسائل."
-msgstr[4] "تم حذف العديد من الرسائل."
-msgstr[5] "تم حذف المزيد من الرسائل."
-
-#: journalist_app/utils.py:193
-msgid "{num} collection deleted"
-msgid_plural "{num} collections deleted"
-msgstr[0] "لم يتم حذف أي مجموعة {num}"
-msgstr[1] "حذفت مجموعة واحدة {num}"
-msgstr[2] "حذفت مجموعتين {num}"
-msgstr[3] "حذفت بعض المجموعات {num}"
-msgstr[4] "حذف الكثير من المجموعات {num}"
-msgstr[5] "حذف المزيد من المجموعات {num}"
-
-#: journalist_app/utils.py:228
-msgid "You submitted a bad password! Password not changed."
-msgstr "كلمة سر غير صحيحة! وبالتالي لم تتغير."
-
-#: journalist_app/utils.py:235
-msgid ""
-"There was an error, and the new password might not have been saved "
-"correctly. To prevent you from getting locked out of your account, you "
-"should reset your password again."
-msgstr ""
-"لم يتم حفظ كلمة السر الجديدة بشكل صحيح بسبب وقوع خطأ. ينبغي عليك إعادة ضبط "
-"كلمة السر مرة أخرى لتجنب فقدان النفاذ لحسابك."
-
-#: journalist_app/utils.py:244
-msgid ""
-"Password updated. Don't forget to save it in your KeePassX database. New "
-"password:"
-msgstr ""
-"تم تحديث كلمة السر. رجاء إدراجها في قاعدة بيانات KeePassX الخاصة بك . كلمة "
-"السر الجديدة:"
-
-#: journalist_app/utils.py:261
-msgid "No unread submissions in selected collections."
-msgstr "لا توجد رسائل غير مقروءة في المجموعات المختارة."
-
-#: journalist_templates/_source_row.html:19
-#, fuzzy
-#| msgid "docs {doc_num}"
-msgid "{doc_num} docs"
-msgstr "{doc_num} مستندات"
-
-#: journalist_templates/_source_row.html:20
-msgid "{msg_num} messages"
-msgstr "{msg_num} رسائل"
-
-#: journalist_templates/_source_row.html:23
-msgid "{num_unread} unread"
-msgstr "{num_unread} غير مقروء"
-
-#: journalist_templates/account_edit_hotp_secret.html:6
-#: journalist_templates/admin_edit_hotp_secret.html:7
-msgid "Change Secret"
-msgstr "تغيير البيان السري"
-
-#: journalist_templates/account_edit_hotp_secret.html:7
-#: journalist_templates/admin_add_user.html:33
-#: journalist_templates/admin_edit_hotp_secret.html:8
-msgid "HOTP Secret"
-msgstr "نظام HOTP أو الكلمة السرية لمرة واحدة"
-
-#: journalist_templates/account_edit_hotp_secret.html:9
-#: journalist_templates/admin_edit_hotp_secret.html:10
-#: source_templates/login.html:23
-msgid "CONTINUE"
-msgstr "المتابعة"
-
-#: journalist_templates/account_new_two_factor.html:4
-#: journalist_templates/admin_new_user_two_factor.html:5
-msgid "Enable Google Authenticator"
-msgstr "قم بتفعيل Google Authenticator"
-
-#: journalist_templates/account_new_two_factor.html:5
-msgid ""
-"You're almost done! To finish resetting your two-factor authentication, "
-"follow the instructions below to set up Google Authenticator. Once you've "
-"added the entry for your account in the app, enter one of the 6-digit codes "
-"from the app to confirm that two factor authentication is set up correctly."
-msgstr ""
-"أنت على وشك الانتهاء! لإتمام إعادة ضبط التحقق بخطوتين اتبع التعليمات أدناه "
-"لإعداد Google Authenticator.  بعد إضافة حسابك في التطبيق قم بإدخال إحدى "
-"الرموز المكونة من 6 أرقام للتأكد من أنه سلامة الإعداد."
-
-#: journalist_templates/account_new_two_factor.html:8
-#: journalist_templates/admin_new_user_two_factor.html:9
-msgid "Install Google Authenticator on your phone"
-msgstr "قم بتنزيل تطبيق Google Authenticator على هاتفك المحمول"
-
-#: journalist_templates/account_new_two_factor.html:9
-#: journalist_templates/admin_new_user_two_factor.html:10
-msgid "Open the Google Authenticator app"
-msgstr "افتح تطبيق Google Authenticator"
-
-#: journalist_templates/account_new_two_factor.html:10
-#: journalist_templates/admin_new_user_two_factor.html:11
-msgid "Tap menu, then tap \"Set up account\", then tap \"Scan a barcode\""
-msgstr ""
-"اضغط على على علامة الزائد لإضافة حساب جديد، ثم اختر \"مسح رمز شريطي ضوئيًا\""
-
-#: journalist_templates/account_new_two_factor.html:11
-#: journalist_templates/admin_new_user_two_factor.html:12
-msgid ""
-"Your phone will now be in \"scanning\" mode. When you are in this mode, scan "
-"the barcode below:"
-msgstr ""
-"الهاتف الآن سيصبح في في وضعية \"المسح الضوئي\". قم الآن بمسح الرمز التالي:"
-
-#: journalist_templates/account_new_two_factor.html:14
-#: journalist_templates/admin_new_user_two_factor.html:15
-msgid "Can't scan the barcode? Enter the following code manually:"
-msgstr ""
-"لم تتمكن من مسح الرمز  عن طريق المسح الضوئي؟ قم بإدخال الرمز التالي يدويا:"
-
-#: journalist_templates/account_new_two_factor.html:15
-#: journalist_templates/admin_new_user_two_factor.html:18
-msgid "Once you have scanned the barcode, enter the 6-digit code below:"
-msgstr "بعد انتهاء خطوة المسح الضوئي، قم بإدخال الرمز المكون من 6 أرقام:"
-
-#: journalist_templates/account_new_two_factor.html:17
-#: journalist_templates/admin_new_user_two_factor.html:20
-msgid "Enable YubiKey (OATH-HOTP)"
-msgstr "قم بتفعيل (YubiKey (OATH-HOTP"
-
-#: journalist_templates/account_new_two_factor.html:18
-#: journalist_templates/admin_new_user_two_factor.html:21
-msgid "Once you have configured your YubiKey, enter the 6-digit code below:"
-msgstr ""
-"بعد الانتهاء من ضبط مفتاح المصادقة الخاص بك \"YubiKey\"، أدخل الرمز المكون "
-"من 6 أرقام:"
-
-#: journalist_templates/account_new_two_factor.html:22
-#: journalist_templates/admin_new_user_two_factor.html:25
-msgid "Verification code"
-msgstr "رمز التحقق"
-
-#: journalist_templates/account_new_two_factor.html:24
-#: journalist_templates/admin_new_user_two_factor.html:27
-#: journalist_templates/col.html:83 source_templates/lookup.html:45
-msgid "SUBMIT"
-msgstr "إرسال"
-
-#: journalist_templates/admin.html:3
-msgid "Admin Interface"
-msgstr "واجهة المسؤول"
-
-#: journalist_templates/admin.html:6
-#: journalist_templates/admin_add_user.html:39
-msgid "ADD USER"
-msgstr "إضافة مستخدم"
-
-#: journalist_templates/admin.html:16
-#: journalist_templates/admin_add_user.html:14
-#: journalist_templates/login.html:8
-msgid "Username"
-msgstr "اسم المستخدم"
-
-#: journalist_templates/admin.html:17
-msgid "Edit"
-msgstr "تحرير"
-
-#: journalist_templates/admin.html:18 journalist_templates/index.html:15
-msgid "Delete"
-msgstr "حذف"
-
-#: journalist_templates/admin.html:19
-msgid "Created"
-msgstr "أُنُشِئْت"
-
-#: journalist_templates/admin.html:20
-msgid "Last login"
-msgstr "آخر تسجيل دخول"
-
-#: journalist_templates/admin.html:25
-msgid "Edit user {username}"
-msgstr "تحرير المستخدم {username}"
-
-#: journalist_templates/admin.html:26
-msgid "Delete user {username}"
-msgstr "حذف المستخدم {username}"
-
-#: journalist_templates/admin.html:31
-msgid "never"
-msgstr "أبدا"
-
-#: journalist_templates/admin.html:38
-msgid "No users to display"
-msgstr "ما من مستخدمين لعرضهم"
-
-#: journalist_templates/admin_add_user.html:4
-#: journalist_templates/edit_account.html:7
-msgid "Back to admin interface"
-msgstr "الرجوع إلى واجهة المسؤول"
-
-#: journalist_templates/admin_add_user.html:21
-msgid "The user's password will be:"
-msgstr "كلمة سر المستخدم:"
-
-#: journalist_templates/admin_add_user.html:24
-#: journalist_templates/edit_account.html:17
-msgid "Is Administrator"
-msgstr "تعيينه كمسئوول"
-
-#: journalist_templates/admin_add_user.html:32
-msgid "Is using a YubiKey [HOTP]"
-msgstr "يستخدم (تستخدم) [YubiKey [HOTP"
-
-#: journalist_templates/admin_new_user_two_factor.html:6
-msgid ""
-"You're almost done! To finish adding this new user, have them follow the "
-"instructions below to set up two-factor authentication with Google "
-"Authenticator. Once they've added an entry for this account in the app, have "
-"them enter one of the 6-digit codes from the app to confirm that two factor "
-"authentication is set up correctly."
-msgstr ""
-"أنت على وشك الانتهاء! لإتمام عملية إضافة المستخدم الجديد اطلب منهم إتباع "
-"التعليمات أدناه لتنصيب التحقق بخطوتين  بواسطة Google Authenticator. \n"
-" وبعد إضافة معلومات الحساب في التطبيق اطلب منهم إدخال إحدى الرموز المكونة من "
-"6 أرقام للتأكد من سلامة الإعداد."
-
-#: journalist_templates/base.html:24
-msgid "Logged on as"
-msgstr "مُسجل بإسم"
-
-#: journalist_templates/base.html:26
-msgid "Admin"
-msgstr "مسؤول"
-
-#: journalist_templates/base.html:28
-msgid "Log Out"
-msgstr "تسجيل الخروج"
-
-#: journalist_templates/base.html:40
-msgid ""
-"Powered by <br> <img src=\"/static/i/securedrop_small.png\" alt=\"SecureDrop"
-"\">"
-msgstr ""
-"مدعم بواسطة <br> <img src=\"/static/i/securedrop_small.png\" alt=\""
-"SecureDrop\">"
-
-#: journalist_templates/base.html:54
-msgid "Powered by <em>SecureDrop {version}</em>."
-msgstr "مدعم بواسطة <em>SecureDrop {version} </em>."
-
-#: journalist_templates/col.html:10
-msgid "All Sources"
-msgstr "جميع المصادر"
-
-#: journalist_templates/col.html:13
-msgid ""
-"Generate a new random codename for this source. We recommend doing this if "
-"the first random codename is difficult to say or remember. You can generate "
-"new random codenames as many times as you like."
-msgstr ""
-"قم بإنشاء اسم رمزي عشوائي جديد لهذا المصدر. ننصح بهذا في حالة صعوبة الاسم "
-"الحالي من ناحيةالنطق أو التذكر كما يمكنك إنشاء أسماء رمزية  جديدة بقدر ما "
-"تشاء."
-
-#: journalist_templates/col.html:13
-msgid "Change codename"
-msgstr "تغيير الاسم الرمزي"
-
-#: journalist_templates/col.html:14
-msgid "Are you sure you want to generate a new codename?"
-msgstr "هل أنت متأكد من إنشاء اسم رمزي جديد؟"
-
-#: journalist_templates/col.html:15 source_templates/lookup.html:72
-msgid "Cancel"
-msgstr "إلغاء"
-
-#: journalist_templates/col.html:16
-msgid "CONFIRM"
-msgstr "تأكيد"
-
-#: journalist_templates/col.html:22
-msgid ""
-"The documents are stored encrypted for security. To read them, you will need "
-"to decrypt them using GPG."
-msgstr ""
-"تم حفظ المستندات و تعميتها لدواعي الحماية. سوف تحتاج إلى تظهيرها (ردها إلى "
-"صيغتها الأصلية) بواسطة GPG لقراءة المحتوى."
-
-#: journalist_templates/col.html:26
-msgid "Download Selected"
-msgstr "تنزيل المختار"
-
-#: journalist_templates/col.html:27
-msgid "Delete Selected"
-msgstr "حذف المختار"
-
-#: journalist_templates/col.html:55
-msgid "Uploaded Document"
-msgstr "تم تحميل المستند"
-
-#: journalist_templates/col.html:57 journalist_templates/col.html:75
-msgid "Reply"
-msgstr "رَدّ"
-
-#: journalist_templates/col.html:59
-msgid "Message"
-msgstr "رسالة"
-
-#: journalist_templates/col.html:70
-msgid "No documents to display."
-msgstr "ما من مستندات لعرضها."
-
-#: journalist_templates/col.html:77
-msgid ""
-"You can write a secure reply to the person who submitted these documents:"
-msgstr "يمكن إرسال رد على نحو آمن إلى الشخص الذي أرسل المستندات:"
-
-#: journalist_templates/col.html:86
-msgid "You've flagged this source for reply."
-msgstr "قمت بوسم هذا المصدر للرد عليه."
-
-#: journalist_templates/col.html:87
-msgid ""
-"An encryption key will be generated for the source the next time they log "
-"in, after which you will be able to reply to the source here."
-msgstr ""
-"فور تسجيل دخول المصدر المرة التالية سوف يتم إنشاء مفتاح تعمية خاص به. وسوف "
-"تتمكن من الرد على المصدر هنا بعد تلك الخطوة."
-
-#: journalist_templates/col.html:89
-msgid "Click below if you would like to write a reply to this source."
-msgstr "انقر أدناه للرد على المصدر."
-
-#: journalist_templates/col.html:93
-msgid "FLAG THIS SOURCE FOR REPLY"
-msgstr "وسّم المصدر للرد عليه"
-
-#: journalist_templates/col.html:98
-msgid ""
-"Click below to delete this source's collection. <em>Warning: If you do this, "
-"the files seen here will be unrecoverable and the source will no longer be "
-"able to login using their previous codename.</em>"
-msgstr ""
-"انقر أدناه لحذف المجموعة الهاصة بهذا المصدر. <em> تحذير: بعد إجراء الحذف لا "
-"يمكن استرداد الملفات، ولن يتمكن المصدر من تسجيل الدخول باستخدام الاسم الرمزي "
-"السابق.</em>"
-
-#: journalist_templates/col.html:104
-msgid "DELETE COLLECTION"
-msgstr "حذف المجموعة"
-
-#: journalist_templates/delete.html:5
-msgid ""
-"The following file has been selected for <strong>permanent deletion</strong>:"
-msgid_plural ""
-"The following {files} files have been selected for <strong>permanent "
-"deletion</strong>:"
-msgstr[0] "لم يتم اختيار أي ملف<strong> لحذفه بشكل نهائي</strong>:"
-msgstr[1] "تم تحديد الملف  {files}التالي ل<strong>حذفه بشكل نهائي</strong>:"
-msgstr[2] ""
-"تم تحديد الملفين التاليين {files}  ل<strong>لحذفهما بشكل نهائي</strong>:"
-msgstr[3] "تم تحديد  بعض الملفات {files}  ل<strong>حذفها بشكل نهائي</strong>:"
-msgstr[4] ""
-"تم تحديد  العديد من الملفات {files}  ل<strong>حذفها بشكل نهائي</strong>:"
-msgstr[5] ""
-"تم تحديد {files} الملفات التالية ل<strong>حذفها بشكل نهائي</strong>:"
-
-#: journalist_templates/delete.html:20
-msgid "PERMANENTLY DELETE FILES"
-msgstr "حذف الملفات بشكل دائم"
-
-#: journalist_templates/delete.html:23
-msgid "Return to the list of documents for {source_name}…"
-msgstr "العودة إلى قائمة المستندات الخاصة بـ {source_name}…"
-
-#: journalist_templates/edit_account.html:6
-msgid "Edit user \"{user}\""
-msgstr "تعديل المستخدم \"{user}\""
-
-#: journalist_templates/edit_account.html:8
-msgid "Change Username &amp; Admin Status"
-msgstr "تغيير اسم المستخدم وحالة المسؤول"
-
-#: journalist_templates/edit_account.html:12
-msgid "Change username"
-msgstr "تغيير اسم المستخدم"
-
-#: journalist_templates/edit_account.html:19
-msgid "UPDATE"
-msgstr "تحديث"
-
-#: journalist_templates/edit_account.html:22
-msgid "Edit your account"
-msgstr "حرّر حسابك"
-
-#: journalist_templates/edit_account.html:25
-msgid "Reset Password"
-msgstr "إعادة ضبط كلمة السر"
-
-#: journalist_templates/edit_account.html:27
-msgid "SecureDrop now uses automatically generated diceware passwords."
-msgstr "يستخدم SecureDrop على نحو آلي طريقة دايسوير لتويد كلمات السر."
-
-#: journalist_templates/edit_account.html:28
-msgid ""
-"Your password will be changed immediately, so you will need to save it "
-"before pressing the \"Reset Password\" button."
-msgstr ""
-"سيتم تغيير كلمة السر فورا لذا عليك حفظها قبل الضغط على \"إعادة ضبط كلمة "
-"السر\"."
-
-#: journalist_templates/edit_account.html:34
-msgid "Please enter your current password and two-factor code."
-msgstr "رجاء كتابة كلمة السر الحالية ورمز التحقق بخطوتين."
-
-#: journalist_templates/edit_account.html:40
-msgid "Current Password"
-msgstr "كلمة السر الحالية"
-
-#: journalist_templates/edit_account.html:41 journalist_templates/login.html:10
-msgid "Two-factor Code"
-msgstr "رمز التحقق بخطوتين"
-
-#: journalist_templates/edit_account.html:46
-msgid "The user's password will be changed to:"
-msgstr "تغيير كلمة سر المستخدم  إلى:"
-
-#: journalist_templates/edit_account.html:48
-msgid "Your password will be changed to:"
-msgstr "كلمة السر الخاصة بك ستتغير إلى:"
-
-#: journalist_templates/edit_account.html:53
-msgid "RESET PASSWORD"
-msgstr "إعادة ضبط كلمة السر"
-
-#: journalist_templates/edit_account.html:58
-msgid "Reset Two-Factor Authentication"
-msgstr "إعادة ضبط خاصية التحقق بخطوتين"
-
-#: journalist_templates/edit_account.html:61
-msgid ""
-"If a user's two-factor authentication credentials have been lost or "
-"compromised, you can reset them here. <em>If you do this, make sure the user "
-"is present and ready to set up their device with the new two-factor "
-"credentials. Otherwise, they will be locked out of their account."
-msgstr ""
-"إذا فقد المستخدم البيانات الخاصة بالتحقق بخطوتين يمكن إعادة ضبطها من هنا. "
-"<em> في حالة القيام بذلك رجاء التأكد من وجود المستخدم والاستعداد لضبط خاصية "
-"التحقق بخطوتين الجديدة وإلا لن يمكن النفاذ إلى الحساب."
-
-#: journalist_templates/edit_account.html:63
-msgid ""
-"If your two-factor authentication credentials have been lost or compromised, "
-"or you got a new device, you can reset your credentials here. <em>If you do "
-"this, make sure you are ready to set up your new device, otherwise you will "
-"be locked out of your account.</em>"
-msgstr ""
-"إذا فقدت بياناتك الخاصة بالتحقق بخطوتين يمكن إعادة ضبطها من هنا. <em> في "
-"حالة القيام بذلك رجاء الاستعداد لضبط خاصية التحقق بخطوتين الجديدة وإلا لن "
-"تتمكن النفاذ إلى الحساب.<em>"
-
-#: journalist_templates/edit_account.html:65
-msgid ""
-"To reset two-factor authentication for mobile apps such as Google "
-"Authenticator or FreeOTP, choose the first option. For hardware tokens like "
-"the Yubikey, choose the second."
-msgstr ""
-"لإعادة ضبط التحقق بخطوتين مثل Google Authenticator أو FreeOTP على تطبيقات "
-"الهاتف المحمول،   اضغط على الخيار الاول. أما فيما يتعلّق بالتطبيقات الخاصة "
-"بالأجهزة أو ما يسمى بالعتاد الحاسوبي ك Yubikey،  فاضغط على الخيار الثاني."
-
-#: journalist_templates/edit_account.html:85
-msgid "RESET TWO-FACTOR AUTHENTICATION (APP)"
-msgstr "إعادة ضبط التحقق بخطوتين (تطبيق)"
-
-#: journalist_templates/edit_account.html:87
-msgid "RESET TWO-FACTOR AUTHENTICATION (HARDWARE TOKEN)"
-msgstr ""
-"إعادة ضبط التحقق بخطوتين ( برمجيات خاصة بالأجهزة الصلبة أو العتاد الحاسوبي)"
-
-#: journalist_templates/flag.html:5
-msgid "Thanks!"
-msgstr "شكرا!"
-
-#: journalist_templates/flag.html:8
-msgid ""
-"SecureDrop will generate a secure encryption key for this source the next "
-"time that they log in. Once the key has been generated, a reply box will "
-"appear under their collection of documents. You can use this box to write "
-"encrypted replies to them."
-msgstr ""
-"في المرة الثانية الني سيقوم المصدر فيها بتسجيل دخوله، سيولّد  SecureDrop، "
-"ويخلق مفتاح تشفير آمن لهذا المصدر. حالما يتم إنتاج المفتاح، سوف يظهر صندوق "
-"للرد تحت مجموعة المستندات الخاصة بهم. يمكنك استخدام  مربّع الحوار أو الصندوق "
-"الحوار هذا لكتابة ردود مشفرة لهم."
-
-#: journalist_templates/flag.html:10
-msgid "Continue to the list of documents for {codename}..."
-msgstr "تابع إلى قائمة المستندات ل{codename}..."
-
-#: journalist_templates/index.html:4
-msgid "Sources"
-msgstr "مصادر"
-
-#: journalist_templates/index.html:11
-msgid "Download Unread"
-msgstr "تنزيل لم تتم قراءته"
-
-#: journalist_templates/index.html:12
-msgid "Download"
-msgstr "تنزيل"
-
-#: journalist_templates/index.html:13
-msgid "Star"
-msgstr "وضع علامة النجمة"
-
-#: journalist_templates/index.html:14
-msgid "Un-star"
-msgstr "الغاء علامة النجمة"
-
-#: journalist_templates/index.html:42
-msgid "No documents have been submitted!"
-msgstr "لم يتم إرسال أية مستندات!"
-
-#: journalist_templates/js-strings.html:3
-msgid "filter by codename"
-msgstr "قم بالتصفية بحسب الاسم الرمزي"
-
-#: journalist_templates/js-strings.html:4
-msgid "Select All"
-msgstr "اختر الكل"
-
-#: journalist_templates/js-strings.html:5
-msgid "Select Unread"
-msgstr "اختر الرسائل الغير المقروءة"
-
-#: journalist_templates/js-strings.html:6
-msgid "Select None"
-msgstr "لا تختر اي شيء"
-
-#: journalist_templates/js-strings.html:7
-msgid "Are you sure you want to delete this collection?"
-msgstr "هل أنت متأكد من أنك تريد حذف هذه المجموعة؟"
-
-#: journalist_templates/js-strings.html:8
-msgid "Are you sure you want to delete the {size} selected collections?"
-msgstr "هل أنت متأكد من أنك تريد حذف {size} المجموعة المختارة؟"
-
-#: journalist_templates/js-strings.html:9
-msgid "Are you sure you want to delete the {size} selected submissions?"
-msgstr "هل أنت متأكد من أنك تريد حذف المرسلات المختارة و التي حجمها  {size} ؟"
-
-#: journalist_templates/js-strings.html:10
-msgid "Are you sure you want to delete the user {username}?"
-msgstr "هل أنت متأكد من أنك تريد حذف المستخدم {username}؟"
-
-#: journalist_templates/js-strings.html:11
-msgid ""
-"Are you sure you want to reset two-factor authentication for {username}?"
-msgstr "هل أنت متأكد من أنك تريد اعادة ضبط التحقق بخطوتين ل {username}؟"
-
-#: journalist_templates/login.html:4
-msgid "Login to access the journalist interface"
-msgstr "قم بتسجيل الدخول للوصول إلى واجهة الصحفي"
-
-#: journalist_templates/login.html:9
-msgid "Password"
-msgstr "كلمة السر"
-
-#: journalist_templates/login.html:12
-msgid "LOG IN"
-msgstr "تسجيل الدخول"
-
-#: source_app/__init__.py:73
-msgid ""
-"<strong>WARNING:</strong> You appear to be using Tor2Web. This <strong>does "
-"not</strong> provide anonymity. <a href=\"{url}\">Why is this dangerous?</a>"
-msgstr ""
-"<strong>تنبيه:</strong> يبدو أنك تستخدم Tor2Web. هذا <strong>لا</strong> "
-"يخفي هوية المستخدم. <a href=\"{url}\">  ما الخطر في ذلك؟</a>"
-
-#: source_app/forms.py:14
-msgid "Field must be between 1 and {max_codename_len} characters long."
-msgstr "يجب أن يتراوح طول الحقل بين حرف واحد  و {max_codename_len} حروف."
-
-#: source_app/forms.py:17
-msgid "Invalid input."
-msgstr "مدخل غير صالح."
-
-#: source_app/main.py:32
-msgid ""
-"You were redirected because you are already logged in. If you want to create "
-"a new account, you should log out first."
-msgstr ""
-"لقد تم تحويلك لأنك قمت بتسجيل الدخول من قبل. إذا كنت تريد انشاء حساب جديد، "
-"يجب عليك أولا أن تخرج من حسابك."
-
-#: source_app/main.py:111
-msgid "You must enter a message or choose a file to submit."
-msgstr "يجب عليك كتابة رسالة أو اختيار ملف لإرساله."
-
-#: source_app/main.py:144
-msgid "Thanks! We received your message."
-msgstr "شكرا! لقد استلمنا رسالتك."
-
-#: source_app/main.py:146
-msgid "Thanks! We received your document."
-msgstr "شكرا! لقد استلمنا مستندك."
-
-#: source_app/main.py:148
-msgid "Thanks! We received your message and document."
-msgstr "شكرا! لقد استلمنا مستندك ورسالتك."
-
-#: source_app/main.py:184
-msgid "Reply deleted"
-msgstr "تم حذف الرد"
-
-#: source_app/main.py:201
-msgid "All replies have been deleted"
-msgstr "تم حذف جميع الردود"
-
-#: source_app/main.py:215
-msgid "Sorry, that is not a recognized codename."
-msgstr "عذراً، هذا الاسم الرمزي غير معترف به."
-
-#: source_templates/base.html:6 source_templates/index.html:4
-msgid "Protecting Journalists and Sources"
-msgstr "حماية الصحفيين و المصادر"
-
-#: source_templates/base.html:24 source_templates/base.html:43
-#: source_templates/index.html:32 source_templates/index.html:84
-msgid "Powered by"
-msgstr "مشغل بواسطة"
-
-#: source_templates/base.html:33
-msgid "LOG OUT"
-msgstr "تسجيل الخروج"
-
-#: source_templates/base.html:43 source_templates/index.html:84
-msgid ""
-"Like all software, SecureDrop may contain security bugs. Use at your own "
-"risk."
-msgstr ""
-"كجميع البرمجيات، قد  تشوبSecureDrop على ثغرات أمنية. استخدمها تحت مسؤوليتك."
-
-#: source_templates/error.html:3
-msgid "Server error"
-msgstr "خطأ في الخادم"
-
-#: source_templates/error.html:5
-msgid ""
-"Sorry, the website encountered an error and was unable to complete your "
-"request."
-msgstr "نأسف، لقد واجه الموقع الإلكتروني خطأ ولم يتمكن من إكمال طلبك."
-
-#: source_templates/error.html:7 source_templates/notfound.html:7
-msgid "Look up a codename..."
-msgstr "ابحث عن اسم رمزي..."
-
-#: source_templates/first_submission_flashed_message.html:2
-msgid "Success!"
-msgstr "نجاح!"
-
-#: source_templates/first_submission_flashed_message.html:3
-msgid ""
-"Thank you for sending this information to us. Please check back later for "
-"replies."
-msgstr "شكرا لقيامك بإرسال هذه المعلومات لنا. الرجاء التحقق من ردنا لاحقا."
-
-#: source_templates/first_submission_flashed_message.html:5
-msgid "Forgot your codename?"
-msgstr "هل نسيت الاسم الرمزي الخاص بك؟"
-
-#: source_templates/generate.html:4
-msgid "Welcome"
-msgstr "أهلا بك"
-
-#: source_templates/generate.html:5
-msgid ""
-"This codename is what you will use in future visits to receive messages from "
-"our journalists in response to what you submit on the next screen."
-msgstr ""
-"اسم الرمز هذا ستستخدمه في الزيارات المقبلة لاستلام الرسائل من صحافيينا ردا "
-"على ما  أرسلته على الشاشة التالية."
-
-#: source_templates/generate.html:29
-msgid ""
-"Because we use none of the traditional means to track users of our "
-"<strong>SecureDrop</strong>\n"
-" service, using this codename with future visits is the  only way we have to "
-"communicate with you, should we have\n"
-" questions or are interested in additional documents. Unlike passwords, "
-"there is no way to retrieve a lost codename."
-msgstr ""
-"لأننا لا نستخدم أي من الوسائل التقليدية لتتبع مستخدمي "
-"<strong>SecureDrop</strong>،\n"
-" فاستخدام هذا الاسم في الزيارات المقبلة لهو الطريقة الوحيدة كي نتواصل معك في "
-"حال ساورتنا\n"
-" أي أسئلة أو في حال احتجنا إلى أي مستندات إضافيى.  بخلاف كلمات السر، فما "
-"منطريقة لاسترداد اسم رمزي مفقود."
-
-#: source_templates/generate.html:36
-msgid ""
-"Please either write this codename down and keep it in a safe place, or "
-"memorize it."
-msgstr ""
-"من فضلك، ما  سجّل هذا الإسم الرمز واحفظه في مكان آمن، أو احفظه عن ظهر قلب."
-
-#: source_templates/generate.html:44
-msgid "USE NEW CODENAME"
-msgstr "استخدم اسم رمزي جديد"
-
-#: source_templates/generate.html:46
-msgid "USE EXISTING CODENAME"
-msgstr "استخدم اسم رمز موجود"
-
-#: source_templates/index.html:17
-msgid ""
-"<strong>We recommend turning the Security Slider to High to protect your "
-"anonymity:</strong> <a id=\"disable-js\" href=\"\">Learn how to set it to "
-"high</a>, or ignore this warning to continue."
-msgstr ""
-"<strong>نوصي بوضع برفع مستوى وشريط الأمان إلى أعلى مستوى  لحماية مجهوليتك أو "
-"خصوصيتك: </strong> <a id=\"disable-js\" href=\"\">تعلم كيفية وضعه للأعلى</"
-"a>أو تجاهل هذا التحذير للمتابعة."
-
-#: source_templates/index.html:18
-msgid ""
-"<strong>We recommend using Tor Browser to access SecureDrop:</strong> <a id="
-"\"recommend-tor\" href=\"{tor_browser_url}\">Learn how to install it</a>, or "
-"ignore this warning to continue."
-msgstr ""
-"<strong>نحن نوصي بإستعمال Tor Browser للوصول لخدمة SecureDrop:</strong> <a id"
-"=\"recommend-tor\" href=\"{tor_browser_url}\">تعلم كيفية تنصيبه</a>، أو "
-"تجاهل هذا التحذير للمتابعة."
-
-#: source_templates/index.html:41
-msgid "Submit documents for the first time"
-msgstr "إرسال وثائق لأول مرة"
-
-#: source_templates/index.html:48
-msgid "Already submitted something?"
-msgstr "هل سبق و أرسلت شيئا؟"
-
-#: source_templates/index.html:54
-msgid ""
-"If this is your first time submitting documents to journalists, start here."
-msgstr "إذا كانت هذه هي المرة الأولى التي ترسل فيها وثائق لصحفيين، ابدأ هنا."
-
-#: source_templates/index.html:58
-msgid ""
-"If you have already submitted documents in the past, log in here to check "
-"for responses."
-msgstr ""
-"إذا كنت قد  سبق وأرسلت مستندات ، قم بتسجيل الدخول هنا  لمعرفة إذا وصلتك ردود."
-
-#: source_templates/index.html:65
-msgid "SUBMIT DOCUMENTS"
-msgstr "ارسال وثائق"
-
-#: source_templates/index.html:73
-msgid "CHECK FOR A RESPONSE"
-msgstr "تحقق من وصول رد"
-
-#: source_templates/index.html:92
-msgid ""
-"You appear to be using the Tor Browser. You can turn the Security Slider to "
-"High in 4 easy steps!"
-msgstr ""
-"يبدو أنك تستخدم متصفح تور Tor. يمكنك  رفع  سلّم الحماية  Security Slider شريط "
-"تمرير الحماية إلى الأعلى في 4 خطوات سهلة!"
-
-#: source_templates/index.html:94
-msgid ""
-"Click the <img src=\"{icon}\" alt=\"Tor icon\"> Tor icon in the toolbar above"
-msgstr ""
-"اضغط على <img src=\"{icon}\" alt=\"Tor icon\"> Tor ايقونة Tor في شريط "
-"الأدوات أعلاه"
-
-#: source_templates/index.html:95
-msgid "Click <strong>Security Settings...</strong>"
-msgstr "انقر على <strong>إعدادات الحماية...</strong>"
-
-#: source_templates/index.html:96
-msgid ""
-"Turn the Slider to <strong>High</strong>, then click <strong>Ok</strong>"
-msgstr ""
-"أدر شريط التمرير إلى <strong>عالي</strong>، ثم انقر على <strong>Ok</strong>"
-
-#: source_templates/index.html:97
-msgid "<a href=\"/\">Click here</a> to refresh the page"
-msgstr "<a href=\"/\">انقر هنا</a> لتحديث الصفحة"
-
-#: source_templates/login.html:6
-msgid "Enter Codename"
-msgstr "أدخل الاسم الرمزي"
-
-#: source_templates/login.html:12
-msgid "Enter your codename"
-msgstr "أدخل الاسم الرمزي الخاص بك"
-
-#: source_templates/login.html:25 source_templates/lookup.html:47
-msgid "CANCEL"
-msgstr "إلغاء"
-
-#: source_templates/logout_flashed_message.html:5
-#: source_templates/session_timeout.html:5
-msgid "Important!"
-msgstr "مهم!"
-
-#: source_templates/logout_flashed_message.html:6
-msgid ""
-"Thank you for exiting your session! Please select \"New Identity\" from the "
-"green onion button in the Tor browser to clear all history of your "
-"SecureDrop usage from this device."
-msgstr ""
-"شكرا لخروجك من الجلسة! الرجاء اختر \"هوية جديدة\" من خلال الزر الاخضر في "
-"متصفح تور لحذف سجل استخدام SecureDrop من الجهاز."
-
-#: source_templates/lookup.html:11
-msgid "Whew, it’s you! Now, the embarrassing part..."
-msgstr "يا للعجب، هذا أنت! والآن الجزء المربك..."
-
-#: source_templates/lookup.html:12
-msgid ""
-"Our servers experienced an unusual surge of new activity, when you last "
-"visited. This could have been human activity, an automated attack, or just "
-"some random blip. To err on the side of caution, we put a hold on sending "
-"all documents from that day through to our journalists."
-msgstr ""
-"شهدت خوادمنا موجة غير عادية من النشاط الجديد، عند زيارتك الأخيرة. يمكن أن "
-"يكون هذا نشاط بشري، هجوم آلي، أو مجرد علامة ضوئية.  من باب الحذر، فقد علّ"
-"قنا  منذ ذلك اليوم، عملية ارسال اي مستند إلى صحافينا."
-
-#: source_templates/lookup.html:14
-msgid ""
-"Now that we know you’re really a human, though, we’ll get your previous "
-"submission into the hands of a journalist straight away. We’re sorry for the "
-"delay. Please do check back again in a week or so."
-msgstr ""
-"الآن  وقد تاكدنا بأنك إنسان، سوف نوجّه فوراً رسالتك السابقة لصحفي على الفور. "
-"نأسف على التاخير. يرجى التحقق مرة أخرى في غضون أسبوع أو نحو ذلك."
-
-#: source_templates/lookup.html:20
-msgid "Submit Materials"
-msgstr "ارسال المواد أو المستندات"
-
-#: source_templates/lookup.html:21
-msgid ""
-"If you are already familiar with GPG, you can optionally encrypt your files "
-"and messages with our <a href=\"{url}\" class=\"text-link\">public key</a> "
-"before submission. Files are encrypted as they are received by SecureDrop."
-msgstr ""
-"إذا كنت على دراية بGPG، يمكنك إذا تشفير الملفات والرسائل الخاصة بك  بواسطة<a "
-"href=\"{url}\" class=\"text-link\">مفتاحنا العام</a> قبل ارسالها. يتم تشفير "
-"الملفات كما يتم استلامها من قبل سكوريدروب SecureDrop."
-
-#: source_templates/lookup.html:22
-msgid "<a href=\"{url}\" class=\"text-link\">Learn more</a>."
-msgstr "<a href=\"{url}\" class=\"text-link\"> لمعرفة المزيد</a>."
-
-#: source_templates/lookup.html:24
-msgid "You can send a file, a message, or both."
-msgstr "يمكنك ارسال ملف او رسالة او كلاهما."
-
-#: source_templates/lookup.html:33
-msgid "Maximum upload size: 500 MB"
-msgstr "الحد الأقصى للتحميل هو: 500 ميجابايت"
-
-#: source_templates/lookup.html:36
-msgid "Write a message."
-msgstr "اكتب رسالة."
-
-#: source_templates/lookup.html:53
-msgid "Read Replies"
-msgstr "ردود"
-
-#: source_templates/lookup.html:58
-msgid ""
-"You have received a reply. To protect your identity in the unlikely event "
-"someone learns your codename, please delete all replies when you're done "
-"with them. This also lets us know that you are aware of our reply. You can "
-"respond by submitting a new message above."
-msgstr ""
-"لقد استلمت ردا. لحماية هويتك في حالة قام  أحد باكتشاف  اسمك الرمزي،  من فضلك "
-"احذف جميع الردود عند الانتهاء منها. بهذا الشكل، سنعرف بدورنا، أنك على علم "
-"أننا قمنا بالاجابة عليك.يمكنك الرد من خلال توجيه رسالة أعلاه."
-
-#: source_templates/lookup.html:71
-msgid "Delete this reply?"
-msgstr "هل تود حذف هذا الرد؟"
-
-#: source_templates/lookup.html:73
-msgid "DELETE"
-msgstr "حذف"
-
-#: source_templates/lookup.html:82
-msgid "DELETE ALL REPLIES"
-msgstr "حذف جميع الردود"
-
-#: source_templates/lookup.html:85
-msgid "Are you finished with the replies?"
-msgstr "هل انتهيت من الاطلاع على الردود؟"
-
-#: source_templates/lookup.html:86
-msgid "YES, DELETE ALL REPLIES"
-msgstr "نعم، حذف جميع الردود"
-
-#: source_templates/lookup.html:87
-msgid "NO, NOT YET"
-msgstr "لا، ليس بعد"
-
-#: source_templates/lookup.html:91
-msgid "There are no replies at this time."
-msgstr "ما من رد في الوقت الراهن."
-
-#: source_templates/lookup.html:100
-msgid "Remember your codename is:"
-msgstr "تذكر أن اسمك الرمزي هو:"
-
-#: source_templates/lookup.html:101
-msgid "Show"
-msgstr "عرض"
-
-#: source_templates/lookup.html:103
-msgid "Hide"
-msgstr "اخفاء"
-
-#: source_templates/notfound.html:3
-msgid "Page not found"
-msgstr "الصفحة غير موجودة"
-
-#: source_templates/notfound.html:5
-msgid "Sorry, we couldn't locate what you requested."
-msgstr "نأسف، لم نتمكن من إيجاد ما طلبته."
-
-#: source_templates/session_timeout.html:6
-msgid ""
-"Your session timed out due to inactivity. Please login again if you want to "
-"continue using SecureDrop, or select \"New Identity\" from the green onion "
-"button in the Tor browser to clear all history of your SecureDrop usage from "
-"this device. If you are not using Tor Browser, restart your browser."
-msgstr ""
-"لقد تم تسجيل خروجك نظراً لعدم  تفاعلك!  من فضلك عاود تسجيل الدخول إن كنت تريد "
-"الاستتمرار في استخدام SecureDrop أو اختر \"هوية جديدة\" من خلال الزر الاخضر  "
-"على شكل البصلة في متصفح تور لحذف  جميع سجلات استخدام SecureDrop من الجهاز. "
-"أما إن لم تكن تستخدم متصفح ثور فمن فضلك أعد تشغيل متصفحك."
-
-#: source_templates/tor2web-warning.html:3
-msgid "Why is there a warning about Tor2Web?"
-msgstr "لماذا هناك تنبيه بخصوص Tor2Web؟"
-
-#: source_templates/tor2web-warning.html:4
-msgid ""
-"<a href=\"tor2web.org\">Tor2Web</a> is a proxy service that lets you browse "
-"Tor Hidden Services (.onion sites) without installing Tor. It was designed "
-"to facilitate anonymous publishing."
-msgstr ""
-"<a href=\"tor2web.org\">Tor2Web</a> هو خادم وكيل يجعلك تتصفح خدمات Tor "
-"الخفية (صفحات .onion) بدون تثبيت Tor. مصمممن أجل تسهيل النشر بشكل مجهول."
-
-#: source_templates/tor2web-warning.html:5
-msgid ""
-"Tor2Web only protects publishers, not readers. If you upload documents to us "
-"using Tor2Web, you are <strong>not anonymous</strong> and could be "
-"identified by your ISP or the Tor2Web proxy operators. Additionally, since "
-"Tor2Web sites typically do not use HTTPS, it is possible that your "
-"connection could be MITM'ed by a capable adversary."
-msgstr ""
-"شبكة Tor2Web تقوم بحماية الناشرين فقط ولكنها لا تحمي القرّاء. اذا قمت بتحميل "
-"المستندات باستخدام Tor2Web وأرسلتها لنا بواسطته، فانك <strong>مكشوف</strong> "
-"و يمكن تحديد هويتك من خلال  من يزودك الانترنت أو عن طريق    خادم وكيل ك "
-"Tor2Web . بالإضافة إلى ذلك و كما أن مواقع تور ويب Tor2Web  لا تعمل بنظام "
-"HTTPS، فانه من الممكن أن  ينم اعتراض اتصالك قد اعترض من قبل  خصم بارع."
-
-#: source_templates/tor2web-warning.html:6
-msgid ""
-"If you want to submit information, you are <strong>strongly advised</strong> "
-"to install <a href=\"torproject.org/download.html.en\">Tor</a> and use it to "
-"access our site safely and anonymously."
-msgstr ""
-"إذا كنت تريد إرسال المعلومات، فانه <strong> ينصح بشدة</strong> تنزيل <a href="
-"\"torproject.org/download.html.en\"> تور </a>واستخدامه للوصول الى موقعنا "
-"بأمان و  بخصوصية تامة أي من دون الكشف عن هويتك."
-
-#: source_templates/use-tor-browser.html:3
-msgid "You Should Use Tor Browser"
-msgstr "عليك استخدام متصفح تور Tor"
-
-#: source_templates/use-tor-browser.html:4
-msgid ""
-"If you are not using Tor Browser, you <strong>may not be anonymous</strong>."
-msgstr ""
-"اذا كنت لا تستخدم متصفح تور، فانه <strong>   قد تكون هويتك ونشاطك الرقمي "
-"مكشوفين</strong>."
-
-#: source_templates/use-tor-browser.html:5
-msgid ""
-"If you want to submit information to SecureDrop, we <strong>strongly advise "
-"you</strong> to install Tor Browser and use it to access our site safely and "
-"anonymously."
-msgstr ""
-"إذا رغبت بإرسال معلومات لسيكيور دروب SecureDrop، فاننا <strong>ننصحك "
-"بشدة</strong> أن تنزل متصفح تور و استخدامه للدخول الى موقعنا بأمان و \n"
-" بصورة مجهول ."
-
-#: source_templates/use-tor-browser.html:6
-msgid ""
-"Copy and paste the following address into your browser and follow the "
-"instructions to download and install Tor Browser:"
-msgstr ""
-"انسخ والصق هذا العنوان ugn  المتصفح الخاص بك واتبع التعليمات لتنزيل و تثبيت "
-"المتصفح تور Tor:"
-
-#: source_templates/why-journalist-key.html:3
-msgid "Why download the journalist's public key?"
-msgstr "لماذا  أحمّل المفتاح العمومي للصحفي؟"
-
-#: source_templates/why-journalist-key.html:4
-msgid ""
-"SecureDrop encrypts files and messages after they are submitted. Encrypting "
-"messages and files before submission can provide an extra layer of security "
-"before your data reaches the SecureDrop server."
-msgstr ""
-"SecureDropيعمّي الملفات و الرسائل بعد إرسالها. من شأن تعمية الرسائل والملفات "
-"قبل ارساله أن يرفع من مستوى الأمان قبل أن تصل بياناتك الى خادم SecureDrop."
-
-#: source_templates/why-journalist-key.html:5
-msgid ""
-"If you are already familiar with the GPG encryption software, you may wish "
-"to encrypt your submissions yourself. To do so:"
-msgstr ""
-"إذا كنت على دراية ببرمجية التشفير GPG ، فقد ترغب بتشفير  ملفاتك بنفسك. "
-"للقيام بذلك:"
-
-#: source_templates/why-journalist-key.html:7
-msgid ""
-"<a href=\"{url}\">Download</a> the public key. The public key is a text file "
-"with the extension <code>.asc</code>"
-msgstr ""
-"<a href=\"{url}\">قم بتنزيل</a>المفتاح العام. يعتبر المفتاح العام ملف نصي "
-"مزود بإضافة<code>.asc</code>"
-
-#: source_templates/why-journalist-key.html:8
-msgid "Import it into your GPG keyring."
-msgstr "قم بإستيراده ووضعه في حلقة مفاتيحك الGPG."
-
-#: source_templates/why-journalist-key.html:10
-msgid ""
-"If you are using <a href=\"{url}\">Tails</a>, you can double-click the "
-"<code>.asc</code> file you just downloaded and it will be automatically "
-"imported to your keyring."
-msgstr ""
-"اذا كنت تستخدم <a href=\"{url}\">Tails</a>، فانه يمكنك القيام بالنقر مرتين "
-"على<code>asc</code>الذي قمت بتنزيله و سيتم بادخاله تلقائيا الى كلمات المرور "
-"المحفوظة الخاصة بك."
-
-#: source_templates/why-journalist-key.html:11
-msgid ""
-"If you are using Mac/Linux, open the terminal. You can import the key with "
-"<code>gpg --import /path/to/key.asc</code>."
-msgstr ""
-"إذا كنت تستخدم Mac/Linux، قم بفتح الطرفية وبإستيراد المفتاح من خلال ا <code>"
-"gpg --import /path/to/key.asc</code>."
-
-#: source_templates/why-journalist-key.html:14
-msgid "Encrypt your submission."
-msgstr "قم بتعمية الرسائل الخاصة بك."
-
-#: source_templates/why-journalist-key.html:16
-msgid ""
-"You will need to be able to identify the key (this is called the \"user ID\" "
-"or UID). Since the public key's filename is the key's fingerprint (with .asc "
-"at the end), you can just copy and paste that. (don't include the <code>."
-"asc</code>!)"
-msgstr ""
-"يجب أن تكون قادر على تحديد المفتاح (المسمّى  ب\"هوية المستخدم\" أو رقم "
-"التعريف). نظرا لأن اسم ملف المفتاح العام هو بصمة المفتاح، يمكنك فقط نسخه و "
-"لصقه. (لا تنسخ أيضاً <code>إمتداد الملف</code>!)"
-
-#: source_templates/why-journalist-key.html:17
-msgid ""
-"On all systems, open the Terminal and use this gpg command: <code>gpg --"
-"recipient &lt;user ID&gt; --encrypt roswell_photos.pdf</code>"
-msgstr ""
-"في جميع الأنظمة، قم بفتح الطرفية وأستعمل أمر gpg التالي: <code>gpg --"
-"recipient &lt;user ID&gt; --encrypt roswell_photos.pdf</code>"
-
-#: source_templates/why-journalist-key.html:20
-msgid ""
-"Upload your encrypted submission. It will have the same filename as the "
-"unencrypted file, with .gpg at the end (e.g. <code>roswell_photos.pdf.gpg</"
-"code>)"
-msgstr ""
-"قم برفع الملفات المشفرة المراد تسليمها. سوف تحمل نفس أسم الملف الغير مشفر "
-"مع .gpg في نهاية الملف (مثال <code>roswell_photos.pdf.gpg</code>)"
-
-#: source_templates/why-journalist-key.html:23
-msgid ""
-"<strong>Tip:</strong> If you wish to remain anonymous, <strong>do not</"
-"strong> use GPG to sign the encrypted file (with the <code>--sign</code> or "
-"<code>-s</code> flag) as this will reveal your GPG identity to us."
-msgstr ""
-"<strong>نصيحة:</strong> إذا كنت ترغب في البقاء مجهول الهوية،<strong>do not</"
-"strong> إستعمل GPG للتوقيع على الملف المشفر (بواسطة <code>--sign</code> أو "
-"<code>-s</code>) إذ من شأن ذلك أن يكشف لنا هويتك ال GPG ."
-
-#: source_templates/why-journalist-key.html:25
-msgid "Back to submission page"
-msgstr "الرجوع الى صفحة الارسال"
-
-#~ msgid "messages {msg_num}"
-#~ msgstr "{msg_num} رسائل"

From 31ac7411bc876bf0b1c5b3d8c301372fbe96692c Mon Sep 17 00:00:00 2001
From: redshiftzero <jen@freedom.press>
Date: Mon, 4 Dec 2017 17:48:58 -0800
Subject: [PATCH 04/51] Fix tests after pulling out Arabic translations

---
 .travis.yml               | 3 +--
 docs/development/i18n.rst | 4 ++--
 securedrop/test           | 2 +-
 3 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index 690a19f330c..70769e4d9c3 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -47,8 +47,7 @@ script:
   # are time consuming.
   # * en_US: source strings
   # * fr_FR: left-to-right translations
-  # * ar: right-to-left translations
-  - sh -c "export DISPLAY=:1 ; cd securedrop && PAGE_LAYOUT_LOCALES='en_US,ar,fr_FR' pytest -v tests --page-layout"
+  - sh -c "export DISPLAY=:1 ; cd securedrop && PAGE_LAYOUT_LOCALES='en_US,fr_FR' pytest -v tests --page-layout"
   - pip freeze -l
   - SECUREDROP_TESTINFRA_TARGET_HOST=travis testinfra -v testinfra/development/
 after_success:
diff --git a/docs/development/i18n.rst b/docs/development/i18n.rst
index a609c7b319a..1453fd7f14f 100644
--- a/docs/development/i18n.rst
+++ b/docs/development/i18n.rst
@@ -152,7 +152,7 @@ to the ``develop`` branch via pull requests for merge on a regular basis.
       $ git fetch lab
       $ git checkout -b wip-i18n origin/develop
       $ git checkout lab/i18n -- securedrop/translations \
-        install_files/ansible-base/roles/tails-config/templates/{ar,nl,fr,de_DE,nb_NO,pt_BR,es_ES}.po
+        install_files/ansible-base/roles/tails-config/templates/{nl,fr,de_DE,nb_NO,pt_BR,es_ES}.po
       $ git add translations
       $ vagrant ssh development
       $ cd /vagrant/securedrop ; ./manage.py --verbose translate-desktop --compile
@@ -165,7 +165,7 @@ Verify the translations are not broken:
 
       $ vagrant ssh development
       $ cd /vagrant/securedrop
-      $ PAGE_LAYOUT_LOCALES='ar,de_DE,es_ES,fr_FR,nb_NO,nl,pt_BR' \
+      $ PAGE_LAYOUT_LOCALES='de_DE,es_ES,fr_FR,nb_NO,nl,pt_BR' \
           pytest -v --page-layout tests/pages-layout
 
 Go to https://github.com/freedomofpress/securedrop and propose a pull request.
diff --git a/securedrop/test b/securedrop/test
index b15e71a57b2..38d984258a3 100755
--- a/securedrop/test
+++ b/securedrop/test
@@ -19,7 +19,7 @@ trap cleanup EXIT
 
 mkdir -p "/tmp/test-results/logs"
 
-export PAGE_LAYOUT_LOCALES="en_US,ar,fr_FR"
+export PAGE_LAYOUT_LOCALES="en_US,fr_FR"
 pytest \
   --page-layout \
   --durations 10 \

From 3906f5e45788174bd716b21635cf8dd0588c7f5d Mon Sep 17 00:00:00 2001
From: redshiftzero <jen@freedom.press>
Date: Mon, 4 Dec 2017 22:03:31 -0800
Subject: [PATCH 05/51] Tests: Remove 'ar' from test_render_locales

Revert when Arabic is merged
---
 securedrop/tests/test_journalist.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/securedrop/tests/test_journalist.py b/securedrop/tests/test_journalist.py
index 330cb5636dc..5355766fd2d 100644
--- a/securedrop/tests/test_journalist.py
+++ b/securedrop/tests/test_journalist.py
@@ -1198,7 +1198,7 @@ def test_render_locales(self):
         try:
             if supported:
                 del config.SUPPORTED_LOCALES
-            config.SUPPORTED_LOCALES = ['en_US', 'fr_FR', 'ar']
+            config.SUPPORTED_LOCALES = ['en_US', 'fr_FR']
 
             source, _ = utils.db_helper.init_source()
             self._login_user()

From e4fded239f8b7358fc20db57f299a1c22ac5d249 Mon Sep 17 00:00:00 2001
From: redshiftzero <jen@freedom.press>
Date: Tue, 5 Dec 2017 17:41:04 +0000
Subject: [PATCH 06/51] SecureDrop 0.5

---
 changelog.md                                  |  4 +--
 docs/conf.py                                  |  4 +--
 docs/set_up_admin_tails.rst                   |  4 +--
 .../ansible-base/group_vars/all/securedrop    |  2 +-
 .../securedrop-app-code/DEBIAN/control        |  2 +-
 .../doc/securedrop-app-code/changelog.Debian  | 34 ++-----------------
 .../securedrop-keyring/DEBIAN/control         |  2 +-
 .../securedrop-ossec-agent/DEBIAN/control     |  2 +-
 .../securedrop-ossec-server/DEBIAN/control    |  2 +-
 molecule/builder/tests/vars.yml               |  2 +-
 securedrop/version.py                         |  2 +-
 11 files changed, 15 insertions(+), 45 deletions(-)

diff --git a/changelog.md b/changelog.md
index 8a0f765d184..d7ccd23765d 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,12 +1,12 @@
 # Changelog
 
-## 0.5-rc6
+## 0.5
 
 ### Web Applications
 
 * Internationalize both web applications (#2470, #2392, #2400, #2374, #2626,
   #2354, #2338, #2333, #2229, #2223).
-* Localize in Arabic, Dutch, French, German, Norwegian, Portuguese and Spanish.
+* Localize in Dutch, French, German, Norwegian, Portuguese and Spanish.
 * Add language picker to web applications (#2557).
 * Refactor both web applications using Flask Blueprints (#2294).
 * Add default 120 minute session timeout on both interfaces (#880, #2503).
diff --git a/docs/conf.py b/docs/conf.py
index 3a61b47f0ef..feb215da12a 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -59,9 +59,9 @@
 # built documents.
 #
 # The short X.Y version.
-version = '0.5-rc6'
+version = '0.5'
 # The full version, including alpha/beta/rc tags.
-release = '0.5-rc6'
+release = '0.5'
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.
diff --git a/docs/set_up_admin_tails.rst b/docs/set_up_admin_tails.rst
index 38e11d3ed8f..4cd92f1a004 100644
--- a/docs/set_up_admin_tails.rst
+++ b/docs/set_up_admin_tails.rst
@@ -107,8 +107,8 @@ key:
 .. code:: sh
 
     cd ~/Persistent/securedrop/
-    git checkout 0.5-rc6
-    git tag -v 0.5-rc6
+    git checkout 0.5
+    git tag -v 0.5
 
 You should see ``Good signature from "SecureDrop Release Signing Key"`` in the
 output of that last command.
diff --git a/install_files/ansible-base/group_vars/all/securedrop b/install_files/ansible-base/group_vars/all/securedrop
index 39b18ff5480..8bacd2117fa 100644
--- a/install_files/ansible-base/group_vars/all/securedrop
+++ b/install_files/ansible-base/group_vars/all/securedrop
@@ -2,7 +2,7 @@
 # Variables that apply to both the app and monitor server go in this file
 # If the monitor or app server need different values define the variable in
 # hosts_vars/app.yml or host_vars/mon.yml host_vars/development.yml
-securedrop_app_code_version: "0.5-rc6"
+securedrop_app_code_version: "0.5"
 
 grsecurity: true
 install_local_packages: false
diff --git a/install_files/securedrop-app-code/DEBIAN/control b/install_files/securedrop-app-code/DEBIAN/control
index 3f63aa0ad88..7c4af226a76 100644
--- a/install_files/securedrop-app-code/DEBIAN/control
+++ b/install_files/securedrop-app-code/DEBIAN/control
@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: SecureDrop Team <securedrop@freedom.press>
 Homepage: https://securedrop.org
 Package: securedrop-app-code
-Version: 0.5-rc6
+Version: 0.5
 Architecture: amd64
 Depends: python-pip,apparmor-utils,gnupg2,haveged,python,python-pip,secure-delete,sqlite,apache2-mpm-worker,libapache2-mod-wsgi,libapache2-mod-xsendfile,redis-server,supervisor,securedrop-keyring
 Description: Packages the SecureDrop application code pip dependencies and apparmor profiles. This package will put the apparmor profiles in enforce mode. This package does use pip to install the pip wheelhouse
diff --git a/install_files/securedrop-app-code/usr/share/doc/securedrop-app-code/changelog.Debian b/install_files/securedrop-app-code/usr/share/doc/securedrop-app-code/changelog.Debian
index 7a1fbb00106..13112c859a2 100644
--- a/install_files/securedrop-app-code/usr/share/doc/securedrop-app-code/changelog.Debian
+++ b/install_files/securedrop-app-code/usr/share/doc/securedrop-app-code/changelog.Debian
@@ -1,38 +1,8 @@
-securedrop-app-code (0.5-rc6) trusty; urgency=medium
+securedrop-app-code (0.5) trusty; urgency=medium
 
   * See changelog.md
 
- -- SecureDrop Team <securedrop@freedom.press>  Mon, 04 Dec 2017 19:38:29 +0000
-
-securedrop-app-code (0.5-rc5) trusty; urgency=medium
-
-  * See changelog.md
-
- -- SecureDrop Team <securedrop@freedom.press>  Sun, 03 Dec 2017 02:21:03 +0000
-
-securedrop-app-code (0.5-rc4) trusty; urgency=medium
-
-  * See changelog.md
-
- -- SecureDrop Team <securedrop@freedom.press>  Sat, 02 Dec 2017 07:19:35 +0000
-
-securedrop-app-code (0.5-rc3) trusty; urgency=medium
-
-  * See changelog.md
-
- -- SecureDrop Team <securedrop@freedom.press>  Fri, 01 Dec 2017 01:30:56 +0000
-
-securedrop-app-code (0.5-rc2) trusty; urgency=medium
-
-  * See changelog.md
-
- -- SecureDrop Team <securedrop@freedom.press>  Wed, 29 Nov 2017 19:59:52 +0000
-
-securedrop-app-code (0.5-rc1) trusty; urgency=medium
-
-  * See changelog.md 
-
- -- SecureDrop Team <securedrop@freedom.press>  Wed, 29 Nov 2017 00:36:28 +0000
+ -- SecureDrop Team <securedrop@freedom.press>  Tue, 05 Dec 2017 17:39:00 +0000
 
 securedrop-app-code (0.4.4) trusty; urgency=medium
 
diff --git a/install_files/securedrop-keyring/DEBIAN/control b/install_files/securedrop-keyring/DEBIAN/control
index 98893817a8c..2bbce81dce5 100644
--- a/install_files/securedrop-keyring/DEBIAN/control
+++ b/install_files/securedrop-keyring/DEBIAN/control
@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: SecureDrop Team <securedrop@freedom.press>
 Homepage: https://securedrop.org
 Package: securedrop-keyring
-Version: 0.1.1+0.5-rc6
+Version: 0.1.1+0.5
 Architecture: amd64
 Depends: gnupg
 Description: Provides an apt keyring for SecureDrop-related packages, so the master signing key used for SecureDrop packages can be updated via apt.
diff --git a/install_files/securedrop-ossec-agent/DEBIAN/control b/install_files/securedrop-ossec-agent/DEBIAN/control
index c7f81875d7c..8087e07ccfa 100644
--- a/install_files/securedrop-ossec-agent/DEBIAN/control
+++ b/install_files/securedrop-ossec-agent/DEBIAN/control
@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: SecureDrop Team <securedrop@freedom.press>
 Homepage: https://securedrop.org
 Package: securedrop-ossec-agent
-Version: 2.8.2+0.5-rc6
+Version: 2.8.2+0.5
 Architecture: amd64
 Depends: ossec-agent,securedrop-keyring
 Replaces: ossec-agent
diff --git a/install_files/securedrop-ossec-server/DEBIAN/control b/install_files/securedrop-ossec-server/DEBIAN/control
index dce7ab154e2..d1e848427d6 100644
--- a/install_files/securedrop-ossec-server/DEBIAN/control
+++ b/install_files/securedrop-ossec-server/DEBIAN/control
@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: SecureDrop Team <securedrop@freedom.press>
 Homepage: https://securedrop.org
 Package: securedrop-ossec-server
-Version: 2.8.2+0.5-rc6
+Version: 2.8.2+0.5
 Architecture: amd64
 Depends: ossec-server,securedrop-keyring
 Replaces: ossec-server
diff --git a/molecule/builder/tests/vars.yml b/molecule/builder/tests/vars.yml
index 9d07ee2be92..2106fcfcc99 100644
--- a/molecule/builder/tests/vars.yml
+++ b/molecule/builder/tests/vars.yml
@@ -1,5 +1,5 @@
 ---
-securedrop_version: "0.5-rc6"
+securedrop_version: "0.5"
 ossec_version: "2.8.2"
 keyring_version: "0.1.1"
 
diff --git a/securedrop/version.py b/securedrop/version.py
index be4eec812e0..5a6f84c538c 100644
--- a/securedrop/version.py
+++ b/securedrop/version.py
@@ -1 +1 @@
-__version__ = '0.5-rc6'
+__version__ = '0.5'

From 9f5e80f3ffec0f5ef4916d3a78dc77d0a622496f Mon Sep 17 00:00:00 2001
From: Loic Dachary <loic@dachary.org>
Date: Fri, 19 Jan 2018 11:14:58 +0100
Subject: [PATCH 07/51] i18n: add new languages securedrop-confiure.yml

Add ar, it_IT, tr, zh_Hant to the YAML prompt used by
securedrop-admin sdconfig

(cherry picked from commit 1c7002e0729ec5ade15d88d8126703da1f45df3f)
---
 install_files/ansible-base/securedrop-configure.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install_files/ansible-base/securedrop-configure.yml b/install_files/ansible-base/securedrop-configure.yml
index d9b09e446ce..8d3bd5fe2f7 100644
--- a/install_files/ansible-base/securedrop-configure.yml
+++ b/install_files/ansible-base/securedrop-configure.yml
@@ -103,7 +103,7 @@
 
     - name: securedrop_supported_locales
       # the list is from the securedrop/translations repository
-      prompt: Space separated list of additional locales to support (de_DE en_US es_ES fr_FR nb_NO nl)
+      prompt: Space separated list of additional locales to support (ar de_DE en_US es_ES fr_FR it_IT nb_NO nl tr zh_Hant)
       default: ""
       private: no
 

From 84f55d195ad67e7c4a9c81300907f672281c4dd3 Mon Sep 17 00:00:00 2001
From: redshiftzero <jen@freedom.press>
Date: Fri, 19 Jan 2018 12:07:53 -0800
Subject: [PATCH 08/51] Replace aging PyCrypto library with PyCryptodome

(cherry picked from commit 81f4c90530d53f21e5dd6a69f239f3f5bac36d93)
---
 securedrop/crypto_util.py                                 | 2 +-
 .../requirements/securedrop-app-code-requirements.in      | 2 +-
 .../requirements/securedrop-app-code-requirements.txt     | 8 ++++----
 securedrop/secure_tempfile.py                             | 6 +++---
 securedrop/tests/functional/functional_test.py            | 2 +-
 5 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/securedrop/crypto_util.py b/securedrop/crypto_util.py
index 2f9610746fc..5b144bfdf50 100644
--- a/securedrop/crypto_util.py
+++ b/securedrop/crypto_util.py
@@ -5,7 +5,7 @@
 import os
 import subprocess
 
-from Crypto.Random import random
+from Cryptodome.Random import random
 import gnupg
 from gnupg._util import _is_stream, _make_binary_stream
 import scrypt
diff --git a/securedrop/requirements/securedrop-app-code-requirements.in b/securedrop/requirements/securedrop-app-code-requirements.in
index 63a8f3c4ba6..5ce06644d54 100644
--- a/securedrop/requirements/securedrop-app-code-requirements.in
+++ b/securedrop/requirements/securedrop-app-code-requirements.in
@@ -7,7 +7,7 @@ gnupg
 Jinja2
 jsmin
 psutil
-pycrypto
+pycryptodomex
 pyotp
 qrcode
 redis
diff --git a/securedrop/requirements/securedrop-app-code-requirements.txt b/securedrop/requirements/securedrop-app-code-requirements.txt
index 29b9b5e8e6f..faf00eb4f33 100644
--- a/securedrop/requirements/securedrop-app-code-requirements.txt
+++ b/securedrop/requirements/securedrop-app-code-requirements.txt
@@ -10,14 +10,14 @@ cssmin==0.2.0
 flask-assets==0.12
 flask-babel==0.11.2
 flask-wtf==0.14.2
-flask==0.12.2             # via flask-assets, flask-babel, flask-wtf
+flask==0.12.2
 gnupg==2.3.1
 itsdangerous==0.24        # via flask
-jinja2==2.10              # via flask, flask-babel
+jinja2==2.10
 jsmin==2.2.2
 markupsafe==1.0           # via jinja2
 psutil==5.4.3
-pycrypto==2.6.1
+pycryptodomex==3.4.7
 pyotp==2.2.6
 pytz==2017.3              # via babel
 qrcode==5.3
@@ -27,5 +27,5 @@ scrypt==0.8.0
 six==1.11.0               # via qrcode
 sqlalchemy==1.2.0
 webassets==0.12.1         # via flask-assets
-werkzeug==0.12.2          # via flask
+werkzeug==0.12.2
 wtforms==2.1              # via flask-wtf
diff --git a/securedrop/secure_tempfile.py b/securedrop/secure_tempfile.py
index 25f8b4377ec..88e568e8156 100644
--- a/securedrop/secure_tempfile.py
+++ b/securedrop/secure_tempfile.py
@@ -4,9 +4,9 @@
 from tempfile import _TemporaryFileWrapper
 
 from gnupg._util import _STREAMLIKE_TYPES
-from Crypto.Cipher import AES
-from Crypto.Random import random
-from Crypto.Util import Counter
+from Cryptodome.Cipher import AES
+from Cryptodome.Random import random
+from Cryptodome.Util import Counter
 
 
 class SecureTemporaryFile(_TemporaryFileWrapper, object):
diff --git a/securedrop/tests/functional/functional_test.py b/securedrop/tests/functional/functional_test.py
index 2c830362db4..5a8277f4a33 100644
--- a/securedrop/tests/functional/functional_test.py
+++ b/securedrop/tests/functional/functional_test.py
@@ -12,7 +12,7 @@
 import traceback
 import requests
 
-from Crypto import Random
+from Cryptodome import Random
 from selenium import webdriver
 from selenium.common.exceptions import (WebDriverException,
                                         NoAlertPresentException)

From 7e31b6063c3900a495fc79bec67c1b1aed82b23e Mon Sep 17 00:00:00 2001
From: Michael Sheinberg <m.sheiny@gmail.com>
Date: Wed, 13 Dec 2017 13:23:51 -0500
Subject: [PATCH 09/51] Partial implementation of OSSEC iptables fix

WIP committed by @msheiny during collaboration. Branch adopted by
@conorsch for tackling #2478.

(cherry picked from commit 41d9ddf499d2eb00aef4e0943dc96280900e8acc)
---
 .../securedrop_application_server.yml         | 19 +++++-
 .../group_vars/securedrop_monitor_server.yml  | 19 +++++-
 .../roles/ossec-agent/defaults/main.yml       |  2 +
 .../roles/ossec-agent/tasks/agent_config.yml  | 68 ++++++++++---------
 .../roles/ossec-server/defaults/main.yml      |  2 +
 .../roles/ossec-server/tasks/authd.yml        | 10 ---
 6 files changed, 73 insertions(+), 47 deletions(-)

diff --git a/install_files/ansible-base/group_vars/securedrop_application_server.yml b/install_files/ansible-base/group_vars/securedrop_application_server.yml
index 3f37d0bcffc..4075b3c88a0 100644
--- a/install_files/ansible-base/group_vars/securedrop_application_server.yml
+++ b/install_files/ansible-base/group_vars/securedrop_application_server.yml
@@ -21,6 +21,19 @@ tor_instances:
   - service: journalist
     filename: app-journalist-aths
 
-agent_auth_rules:
-  - "-A OUTPUT -d {{ monitor_ip  }} -p tcp --dport 1515 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
-  - "-A INPUT -s {{ monitor_ip }} -p tcp --sport 1515 -m state --state ESTABLISHED,RELATED -j ACCEPT"
+authd_iprules:
+  - chain: OUTPUT
+    dest: "{{ monitor_ip  }}"
+    proto: tcp
+    dest_port: 1515
+    match: state
+    cstate: "NEW,ESTABLISHED,RELATED"
+    jump: ACCEPT
+
+  - chain: INPUT
+    source: "{{ monitor_ip  }}"
+    proto: tcp
+    source_port: 1515
+    match: state
+    cstate: "ESTABLISHED,RELATED"
+    jump: ACCEPT
diff --git a/install_files/ansible-base/group_vars/securedrop_monitor_server.yml b/install_files/ansible-base/group_vars/securedrop_monitor_server.yml
index a323a2ddd0f..208f4485e61 100644
--- a/install_files/ansible-base/group_vars/securedrop_monitor_server.yml
+++ b/install_files/ansible-base/group_vars/securedrop_monitor_server.yml
@@ -17,6 +17,19 @@ tor_instances:
   - service: ssh
     filename: mon-ssh-aths
 
-authd_rules:
-  - "-A INPUT -s {{ app_hostname }} -p tcp --dport 1515 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
-  - "-A OUTPUT -d {{ app_hostname }} -p tcp --sport 1515 -m state --state ESTABLISHED,RELATED -j ACCEPT"
+authd_iprules:
+  - chain: INPUT
+    dest: "{{ app_hostname  }}"
+    proto: tcp
+    dest_port: 1515
+    match: state
+    cstate: "NEW,ESTABLISHED,RELATED"
+    jump: ACCEPT
+
+  - chain: OUTPUT
+    source: "{{ app_hostname }}"
+    proto: tcp
+    source_port: 1515
+    match: state
+    cstate: "ESTABLISHED,RELATED"
+    jump: ACCEPT
diff --git a/install_files/ansible-base/roles/ossec-agent/defaults/main.yml b/install_files/ansible-base/roles/ossec-agent/defaults/main.yml
index 65dd5c8e935..41bb85408ef 100644
--- a/install_files/ansible-base/roles/ossec-agent/defaults/main.yml
+++ b/install_files/ansible-base/roles/ossec-agent/defaults/main.yml
@@ -2,3 +2,5 @@
 # Override capability for installing locally built deb packages in the staging
 # environment. By default, packages are installed via the FPF apt repo.
 install_local_packages: False
+
+ossec_agent_already_registered: false
diff --git a/install_files/ansible-base/roles/ossec-agent/tasks/agent_config.yml b/install_files/ansible-base/roles/ossec-agent/tasks/agent_config.yml
index db34fb9af3b..6aae194b3cf 100644
--- a/install_files/ansible-base/roles/ossec-agent/tasks/agent_config.yml
+++ b/install_files/ansible-base/roles/ossec-agent/tasks/agent_config.yml
@@ -7,32 +7,32 @@
   tags:
     - apt
 
-  # Check for the IPv4 rules file on disk. On the first run of this playbook,
-  # the file won't exist yet. Only add iptables rules if the file already exists.
-- name: Check whether iptables rules exist.
-  stat:
-    path: /etc/network/iptables/rules_v4
-  register: iptables_rules_check_result
-
-- name: Add firewall exemption for OSSEC agent registration.
-  lineinfile:
-    dest: /etc/network/iptables/rules_v4
-    # last line in the initial *filter stanza (which must come before any rules)
-    # rules will be applied before the default rules defined in rules_v4 file
-    insertafter: "^:LOGNDROP"
-    regexp: "{{ item }}"
-    line: "{{ item }}"
-  notify: reload iptables rules
-  with_items: "{{ agent_auth_rules }}"
-  when: hostvars[groups.securedrop_monitor_server.0].ossec_agent_already_registered == false and
-        iptables_rules_check_result.stat.exists == true
+- name: Add firewall exemption for OSSEC agent registration (both servers)
+  iptables:
+    chain: "{{ item[0].chain }}"
+    destination: "{{ item[0].dest|default(omit) }}"
+    destination_port: "{{ item[0].dest_port|default(omit) }}"
+    protocol: "{{ item[0].proto }}"
+    ctstate: "{{ item[0].cstate }}"
+    jump: "{{ item[0].jump }}"
+    match: "{{ item[0].match }}"
+    source: "{{ item[0].source|default(omit) }}"
+    source_port: "{{ item[0].source_port|default(omit) }}"
+    state: present
+  delegate_to: "{{ item[1] }}"
+  with_nested:
+    - "{{ authd_iprules }}"
+    - "{{ groups['all'] }}"
+  when: not ossec_agent_already_registered
   tags:
     - iptables
     - ossec_auth
 
+- debug: var="{{ groups['securedrop_monitor_server'] + groups['securedrop_application_server'] }}"
+
 - name: Register OSSEC agent.
   command: /var/ossec/bin/agent-auth -m {{ monitor_ip }} -p 1515 -A {{ app_hostname }}
-  when: hostvars[groups.securedrop_monitor_server.0].ossec_agent_already_registered == false
+  when: not ossec_agent_already_registered
   tags:
     - ossec_auth
 
@@ -42,17 +42,23 @@
   # connect to the ossec server. The monitor server's OSSEC server needs to
   # restart after the agent connects to correctly display the agent status.
 - name: Remove firewall exemption for OSSEC agent registration.
-  lineinfile:
-    state: absent
-    dest: /etc/network/iptables/rules_v4
-    line: "{{ item }}"
-  register: removed_ossec_exemptions
-  notify:
-    - reload iptables rules
-    - restart ossec
-  with_items: "{{ agent_auth_rules }}"
-  when: hostvars[groups.securedrop_monitor_server.0].ossec_agent_already_registered == false and
-        iptables_rules_check_result.stat.exists == true
+  iptables:
+    chain: "{{ item[0].chain }}"
+    destination: "{{ item[0].dest|default(omit) }}"
+    destination_port: "{{ item[0].dest_port|default(omit) }}"
+    protocol: "{{ item[0].proto }}"
+    ctstate: "{{ item[0].cstate }}"
+    jump: "{{ item[0].jump }}"
+    match: "{{ item[0].match }}"
+    source: "{{ item[0].source|default(omit) }}"
+    source_port: "{{ item[0].source_port|default(omit) }}"
+    state: present
+  delegate_to: "{{ item[1] }}"
+  with_nested:
+    - "{{ authd_iprules }}"
+    - "{{ groups['securedrop_monitor_server'] + groups['securedrop_application_server'] }}"
+  when: not ossec_agent_already_registered
+  notify: restart ossec
   tags:
     - iptables
     - ossec_auth
diff --git a/install_files/ansible-base/roles/ossec-server/defaults/main.yml b/install_files/ansible-base/roles/ossec-server/defaults/main.yml
index 02b8e6d7705..32ea889e635 100644
--- a/install_files/ansible-base/roles/ossec-server/defaults/main.yml
+++ b/install_files/ansible-base/roles/ossec-server/defaults/main.yml
@@ -27,3 +27,5 @@ postfix_hostname: ossec.server
 # but unnecessary in staging contexts, where SASL authentication
 # will always fail, due to lack of site-specific credentials.
 ossec_server_enable_postfix: True
+
+ossec_agent_already_registered: false
diff --git a/install_files/ansible-base/roles/ossec-server/tasks/authd.yml b/install_files/ansible-base/roles/ossec-server/tasks/authd.yml
index 2e9364ee273..fa2a6b6b4e0 100644
--- a/install_files/ansible-base/roles/ossec-server/tasks/authd.yml
+++ b/install_files/ansible-base/roles/ossec-server/tasks/authd.yml
@@ -7,16 +7,6 @@
   tags:
     - ossec_auth
 
-  # Store a boolean host fact that states whether the Application Server
-  # is already registered with the Monitor Server. If it is, we can skip several tasks.
-  # To make the conditional templating simpler, we'll default to false for the fact value,
-  # and overwrite it with "true" only if the Application Server is actually registered.
-- name: Initialize host fact for OSSEC registration state.
-  set_fact:
-    ossec_agent_already_registered: false
-  tags:
-    - ossec_auth
-
 - name: Set host fact for OSSEC registration state.
   set_fact:
     ossec_agent_already_registered: true

From 4a871323ab9704e3a5ed1b5290ce41828168f61c Mon Sep 17 00:00:00 2001
From: Conor Schaefer <conor@freedom.press>
Date: Wed, 13 Dec 2017 11:25:10 -0800
Subject: [PATCH 10/51] Breaks out postfix config into discrete role

Previously we configured both postfix and procmail inside the
"ossec-server" role, which was essentially shoehorning the config. It's
appropriate to target the "securedrop_monitor_server" group with those
config items, but technically there's not literally OSSEC server, but
rather a separate service that deserves its own configuration logic.

Tidies up some of the vars. We've documented use of the
`ossec_from_address` publicly, so we can't simply drop reference to it.
Since the associated logic now resides in the "postfix" role, it should
be prefixed with the `postfix_` namespace. That's done, old values of
`ossec_from_address` set at the site level, if set, will be honored.

(cherry picked from commit 6aaf88a536633a3c8678b933197de01df0962f00)
---
 .../ansible-base/group_vars/staging.yml       |  2 +-
 .../roles/ossec-server/defaults/main.yml      | 23 ---------
 .../roles/ossec-server/handlers/main.yml      | 19 -------
 .../roles/ossec-server/tasks/main.yml         |  7 ---
 .../tasks/mon_configure_ossec_gpg_alerts.yml  | 50 -------------------
 .../roles/postfix/defaults/main.yml           | 23 +++++++++
 .../{ossec-server => postfix}/files/aliases   |  0
 .../files/header_checks                       |  0
 .../files/procmailrc                          |  0
 .../roles/postfix/handlers/main.yml           | 19 +++++++
 .../tasks/configure_custom_cert.yml}          |  0
 .../tasks/install_postfix.yml}                | 14 +++---
 .../roles/postfix/tasks/install_procmail.yml  | 40 +++++++++++++++
 .../ansible-base/roles/postfix/tasks/main.yml |  9 ++++
 .../templates/main.cf                         |  2 +-
 .../templates/sasl_passwd                     |  0
 16 files changed, 100 insertions(+), 108 deletions(-)
 create mode 100644 install_files/ansible-base/roles/postfix/defaults/main.yml
 rename install_files/ansible-base/roles/{ossec-server => postfix}/files/aliases (100%)
 rename install_files/ansible-base/roles/{ossec-server => postfix}/files/header_checks (100%)
 rename install_files/ansible-base/roles/{ossec-server => postfix}/files/procmailrc (100%)
 create mode 100644 install_files/ansible-base/roles/postfix/handlers/main.yml
 rename install_files/ansible-base/roles/{ossec-server/tasks/mon_configure_custom_cert.yml => postfix/tasks/configure_custom_cert.yml} (100%)
 rename install_files/ansible-base/roles/{ossec-server/tasks/mon_install_postfix.yml => postfix/tasks/install_postfix.yml} (76%)
 create mode 100644 install_files/ansible-base/roles/postfix/tasks/install_procmail.yml
 create mode 100644 install_files/ansible-base/roles/postfix/tasks/main.yml
 rename install_files/ansible-base/roles/{ossec-server => postfix}/templates/main.cf (98%)
 rename install_files/ansible-base/roles/{ossec-server => postfix}/templates/sasl_passwd (100%)

diff --git a/install_files/ansible-base/group_vars/staging.yml b/install_files/ansible-base/group_vars/staging.yml
index 33c756b09fc..4a4c0c4fa24 100644
--- a/install_files/ansible-base/group_vars/staging.yml
+++ b/install_files/ansible-base/group_vars/staging.yml
@@ -42,7 +42,7 @@ sasl_password: "password123"
 
 # Disable Postfix in staging, so we don't hammer Google mail relays
 # with known-bad credentials.
-ossec_server_enable_postfix: no
+postfix_enable_service: no
 
 # Permit direct access for SSH in the staging environment.
 # Otherwise, all SSH connections would be forced over Tor.
diff --git a/install_files/ansible-base/roles/ossec-server/defaults/main.yml b/install_files/ansible-base/roles/ossec-server/defaults/main.yml
index 32ea889e635..0cb925a759f 100644
--- a/install_files/ansible-base/roles/ossec-server/defaults/main.yml
+++ b/install_files/ansible-base/roles/ossec-server/defaults/main.yml
@@ -1,31 +1,8 @@
 ---
-smtp_relay_cert_dir: /etc/ssl/certs
-smtp_relay_cert_override_dir: '/etc/ssl/certs_local'
-smtp_relay_cert_override_file: ''
-
-# Email address listed in the FROM line when sending OSSEc email alerts.
-# Some mail servers require that this match the account that authenticated
-# to send mail.
-ossec_from_address: ''
-
 # Override capability for installing locally built deb packages in the staging
 # environment. By default, packages are installed via the FPF apt repo.
 install_local_packages: False
 
 ossec_group: ossec
 
-# Apt dependencies for the ossec server package
-ossec_postfix_dependencies:
-  - procmail
-  - postfix
-  - mailutils
-
-# Configuration info for procmail and postfix
-postfix_hostname: ossec.server
-
-# Whether to enable Postfix for sending mail. Required in prod,
-# but unnecessary in staging contexts, where SASL authentication
-# will always fail, due to lack of site-specific credentials.
-ossec_server_enable_postfix: True
-
 ossec_agent_already_registered: false
diff --git a/install_files/ansible-base/roles/ossec-server/handlers/main.yml b/install_files/ansible-base/roles/ossec-server/handlers/main.yml
index 12776d5a6fb..75286603920 100644
--- a/install_files/ansible-base/roles/ossec-server/handlers/main.yml
+++ b/install_files/ansible-base/roles/ossec-server/handlers/main.yml
@@ -12,25 +12,6 @@
 - name: reload authd iptables
   shell: iptables-restore < /etc/network/iptables/rules_v4
 
-- name: update aliases
-  command: postalias /etc/aliases
-
-- name: update sasl_passwd db
-  command: postmap /etc/postfix/sasl_passwd
-
-- name: update generic_maps
-  command: postmap /etc/postfix/generic
-
-- name: postmap_header_checks
-  command: postmap /etc/postfix/header_checks
-
-- name: restart postfix
-  service:
-    name: postfix
-    state: restarted
-  # Don't bounce the service if set to disabled, e.g. in staging
-  when: ossec_server_enable_postfix
-
 - name: restart ossec-server
   service:
     name: ossec
diff --git a/install_files/ansible-base/roles/ossec-server/tasks/main.yml b/install_files/ansible-base/roles/ossec-server/tasks/main.yml
index 338eb256e71..cdc6fa9fba2 100644
--- a/install_files/ansible-base/roles/ossec-server/tasks/main.yml
+++ b/install_files/ansible-base/roles/ossec-server/tasks/main.yml
@@ -3,12 +3,5 @@
   # error change these to lineinfile module to work with the exemptions
 - include: mon_configure_ossec_gpg_alerts.yml
 
-  # Configure SSL certificates for SMTP relay if manual
-  # overrides are declared. See default vars
-  # `smtp_relay_cert_override_file` and `smtp_relay_cert_override_dir`.
-- include: mon_configure_custom_cert.yml
-
-- include: mon_install_postfix.yml
-
 - include: authd.yml
   tags: authd
diff --git a/install_files/ansible-base/roles/ossec-server/tasks/mon_configure_ossec_gpg_alerts.yml b/install_files/ansible-base/roles/ossec-server/tasks/mon_configure_ossec_gpg_alerts.yml
index dcb3fbb7e67..9b63830a878 100644
--- a/install_files/ansible-base/roles/ossec-server/tasks/mon_configure_ossec_gpg_alerts.yml
+++ b/install_files/ansible-base/roles/ossec-server/tasks/mon_configure_ossec_gpg_alerts.yml
@@ -9,16 +9,6 @@
   tags:
     - apt
 
-- name: Install procmail.
-  apt:
-    name: procmail
-    state: latest
-    update_cache: yes
-    cache_valid_time: 3600
-  tags:
-    - apt
-    - procmail
-
 - name: Copy the OSSEC GPG public key for sending encrypted alerts.
   copy:
     src: "{{ ossec_alert_gpg_public_key }}"
@@ -47,43 +37,3 @@
   tags:
     - procmail
     - permissions
-
-  # This log file doesn't exist by default, so we need to create it. We don't
-  # want to clobber the contents if it already exists, however, thus the "force: no".
-  # The `copy` module will back off if the file already exists, which means permissions
-  # will be ignored if the file exists. A subsequent task will handle permissions.
-- name: Create procmail log file.
-  copy:
-    dest: /var/log/procmail.log
-    mode: "0660"
-    owner: ossec
-    group: root
-    content: ""
-    force: no
-  tags:
-    - procmail
-    - permissions
-    - logging
-
-  # The previous task is essentially a `touch` command, without the side-effect of reporting
-  # "changed" every time. In order to force correct ownership and permissions, we'll take a
-  # second pass at the log file and only report "changed" if updates were made.
-- name: Update permissions on procmail log file.
-  file:
-    path: /var/log/procmail.log
-    mode: "0660"
-    owner: ossec
-    group: root
-  tags:
-    - procmail
-    - permissions
-    - logging
-
-- name: Copy procmail config file.
-  copy:
-    src: procmailrc
-    dest: /var/ossec/.procmailrc
-    owner: root
-    group: ossec
-  tags:
-    - procmail
diff --git a/install_files/ansible-base/roles/postfix/defaults/main.yml b/install_files/ansible-base/roles/postfix/defaults/main.yml
new file mode 100644
index 00000000000..d190597b27a
--- /dev/null
+++ b/install_files/ansible-base/roles/postfix/defaults/main.yml
@@ -0,0 +1,23 @@
+---
+# Email address listed in the FROM line when sending OSSEc email alerts.
+# Some mail servers require that this match the account that authenticated
+# to send mail. Using the `ossec_from_address` for backwards-compatibility.
+postfix_from_address: "{{ ossec_from_address|default('') }}"
+
+# Apt dependencies for the ossec server package
+postfix_dependencies:
+  - procmail
+  - postfix
+  - mailutils
+
+# Configuration info for procmail and postfix
+postfix_hostname: ossec.server
+
+# Whether to enable Postfix for sending mail. Required in prod,
+# but unnecessary in staging contexts, where SASL authentication
+# will always fail, due to lack of site-specific credentials.
+postfix_enable_service: True
+
+smtp_relay_cert_dir: /etc/ssl/certs
+smtp_relay_cert_override_dir: '/etc/ssl/certs_local'
+smtp_relay_cert_override_file: ''
diff --git a/install_files/ansible-base/roles/ossec-server/files/aliases b/install_files/ansible-base/roles/postfix/files/aliases
similarity index 100%
rename from install_files/ansible-base/roles/ossec-server/files/aliases
rename to install_files/ansible-base/roles/postfix/files/aliases
diff --git a/install_files/ansible-base/roles/ossec-server/files/header_checks b/install_files/ansible-base/roles/postfix/files/header_checks
similarity index 100%
rename from install_files/ansible-base/roles/ossec-server/files/header_checks
rename to install_files/ansible-base/roles/postfix/files/header_checks
diff --git a/install_files/ansible-base/roles/ossec-server/files/procmailrc b/install_files/ansible-base/roles/postfix/files/procmailrc
similarity index 100%
rename from install_files/ansible-base/roles/ossec-server/files/procmailrc
rename to install_files/ansible-base/roles/postfix/files/procmailrc
diff --git a/install_files/ansible-base/roles/postfix/handlers/main.yml b/install_files/ansible-base/roles/postfix/handlers/main.yml
new file mode 100644
index 00000000000..929b39e2b78
--- /dev/null
+++ b/install_files/ansible-base/roles/postfix/handlers/main.yml
@@ -0,0 +1,19 @@
+---
+- name: update aliases
+  command: postalias /etc/aliases
+
+- name: update sasl_passwd db
+  command: postmap /etc/postfix/sasl_passwd
+
+- name: update generic_maps
+  command: postmap /etc/postfix/generic
+
+- name: postmap_header_checks
+  command: postmap /etc/postfix/header_checks
+
+- name: restart postfix
+  service:
+    name: postfix
+    state: restarted
+  # Don't bounce the service if set to disabled, e.g. in staging
+  when: postfix_enable_service
diff --git a/install_files/ansible-base/roles/ossec-server/tasks/mon_configure_custom_cert.yml b/install_files/ansible-base/roles/postfix/tasks/configure_custom_cert.yml
similarity index 100%
rename from install_files/ansible-base/roles/ossec-server/tasks/mon_configure_custom_cert.yml
rename to install_files/ansible-base/roles/postfix/tasks/configure_custom_cert.yml
diff --git a/install_files/ansible-base/roles/ossec-server/tasks/mon_install_postfix.yml b/install_files/ansible-base/roles/postfix/tasks/install_postfix.yml
similarity index 76%
rename from install_files/ansible-base/roles/ossec-server/tasks/mon_install_postfix.yml
rename to install_files/ansible-base/roles/postfix/tasks/install_postfix.yml
index a2a88678f3d..53b9928476b 100644
--- a/install_files/ansible-base/roles/ossec-server/tasks/mon_install_postfix.yml
+++ b/install_files/ansible-base/roles/postfix/tasks/install_postfix.yml
@@ -1,9 +1,9 @@
 ---
-- name: Install postfix.
+- name: Install mailing utilities.
   apt:
     pkg: "{{ item }}"
-    state: latest
-  with_items: "{{ ossec_postfix_dependencies }}"
+    state: present
+  with_items: "{{ postfix_dependencies }}"
   tags:
     - apt
     - postfix
@@ -18,10 +18,10 @@
 
 - name: Create mapping for outbound address.
   copy:
-    content: "ossec@{{ postfix_hostname }} {{ ossec_from_address }}"
+    content: "ossec@{{ postfix_hostname }} {{ postfix_from_address }}"
     dest: /etc/postfix/generic
   notify: update generic_maps
-  when: ossec_from_address != ""
+  when: postfix_from_address != ""
   tags:
     - postfix
 
@@ -55,7 +55,7 @@
 - name: Configure Postfix service.
   service:
     name: postfix
-    state: "{{ 'started' if ossec_server_enable_postfix else 'stopped' }}"
-    enabled: "{{ ossec_server_enable_postfix }}"
+    state: "{{ 'started' if postfix_enable_service else 'stopped' }}"
+    enabled: "{{ postfix_enable_service }}"
 
 # TODO - name: configure postfix proxy
diff --git a/install_files/ansible-base/roles/postfix/tasks/install_procmail.yml b/install_files/ansible-base/roles/postfix/tasks/install_procmail.yml
new file mode 100644
index 00000000000..f4a9d457fe0
--- /dev/null
+++ b/install_files/ansible-base/roles/postfix/tasks/install_procmail.yml
@@ -0,0 +1,40 @@
+---
+  # This log file doesn't exist by default, so we need to create it. We don't
+  # want to clobber the contents if it already exists, however, thus the "force: no".
+  # The `copy` module will back off if the file already exists, which means permissions
+  # will be ignored if the file exists. A subsequent task will handle permissions.
+- name: Create procmail log file.
+  copy:
+    dest: /var/log/procmail.log
+    mode: "0660"
+    owner: ossec
+    group: root
+    content: ""
+    force: no
+  tags:
+    - procmail
+    - permissions
+    - logging
+
+  # The previous task is essentially a `touch` command, without the side-effect of reporting
+  # "changed" every time. In order to force correct ownership and permissions, we'll take a
+  # second pass at the log file and only report "changed" if updates were made.
+- name: Update permissions on procmail log file.
+  file:
+    path: /var/log/procmail.log
+    mode: "0660"
+    owner: ossec
+    group: root
+  tags:
+    - procmail
+    - permissions
+    - logging
+
+- name: Copy procmail config file.
+  copy:
+    src: procmailrc
+    dest: /var/ossec/.procmailrc
+    owner: root
+    group: ossec
+  tags:
+    - procmail
diff --git a/install_files/ansible-base/roles/postfix/tasks/main.yml b/install_files/ansible-base/roles/postfix/tasks/main.yml
new file mode 100644
index 00000000000..4a613aed9f0
--- /dev/null
+++ b/install_files/ansible-base/roles/postfix/tasks/main.yml
@@ -0,0 +1,9 @@
+---
+- include: install_postfix.yml
+
+- include: install_procmail.yml
+
+  # Configure SSL certificates for SMTP relay if manual
+  # overrides are declared. See default vars
+  # `smtp_relay_cert_override_file` and `smtp_relay_cert_override_dir`.
+- include: configure_custom_cert.yml
diff --git a/install_files/ansible-base/roles/ossec-server/templates/main.cf b/install_files/ansible-base/roles/postfix/templates/main.cf
similarity index 98%
rename from install_files/ansible-base/roles/ossec-server/templates/main.cf
rename to install_files/ansible-base/roles/postfix/templates/main.cf
index 3bfbe25d125..3751034a4f3 100644
--- a/install_files/ansible-base/roles/ossec-server/templates/main.cf
+++ b/install_files/ansible-base/roles/postfix/templates/main.cf
@@ -58,7 +58,7 @@ mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
 mailbox_size_limit = 0
 recipient_delimiter = +
 maximal_queue_lifetime = 14d
-{% if ossec_from_address != "" %}
+{% if postfix_from_address != "" %}
 # Used to remap outbound from address in emails
 smtp_generic_maps = hash:/etc/postfix/generic
 {% endif %}
diff --git a/install_files/ansible-base/roles/ossec-server/templates/sasl_passwd b/install_files/ansible-base/roles/postfix/templates/sasl_passwd
similarity index 100%
rename from install_files/ansible-base/roles/ossec-server/templates/sasl_passwd
rename to install_files/ansible-base/roles/postfix/templates/sasl_passwd

From 05a58189e890dff69f87b96dee2fa0f8edd634df Mon Sep 17 00:00:00 2001
From: Conor Schaefer <conor@freedom.press>
Date: Wed, 13 Dec 2017 12:07:24 -0800
Subject: [PATCH 11/51] Ports OSSEC pubkey import to "become" pragma

The old logic was written back in the Ansible v1 days, and was never
pretty to look at. As of Ansible v2 we should prefer use of "become" and
"become_user", since the "sudo" calls have been deprecated.

Implements a portion of the conversion described in #2742.

(cherry picked from commit d1b0c31f560c69b68caf1c35d5484732d66f2eab)
---
 .../ossec-server/tasks/mon_configure_ossec_gpg_alerts.yml   | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/install_files/ansible-base/roles/ossec-server/tasks/mon_configure_ossec_gpg_alerts.yml b/install_files/ansible-base/roles/ossec-server/tasks/mon_configure_ossec_gpg_alerts.yml
index 9b63830a878..28342ec8bec 100644
--- a/install_files/ansible-base/roles/ossec-server/tasks/mon_configure_ossec_gpg_alerts.yml
+++ b/install_files/ansible-base/roles/ossec-server/tasks/mon_configure_ossec_gpg_alerts.yml
@@ -19,9 +19,11 @@
 - name: Add the OSSEC GPG public key to the OSSEC manager keyring.
   # multiline format for command module, since this is a long command
   command: >
-    su -s /bin/bash -c 'gpg
+    gpg
     --homedir /var/ossec/.gnupg
-    --import /var/ossec/{{ ossec_alert_gpg_public_key }}' {{ ossec_group }}
+    --import /var/ossec/{{ ossec_alert_gpg_public_key }}
+  become: yes
+  become_user: "{{ ossec_group }}"
   register: add_ossec_gpg_key_result
   changed_when: "'imported: 1' in add_ossec_gpg_key_result.stderr"
   tags:

From d36c056f85141a65809f0dc3cd577e1c655f5bbd Mon Sep 17 00:00:00 2001
From: Conor Schaefer <conor@freedom.press>
Date: Wed, 13 Dec 2017 12:15:35 -0800
Subject: [PATCH 12/51] Creates "ossec-register" common workflow

In order to support cross-host variable delegation, we'll need the play
to target *both* the Application and Monitor servers. We can then
dynamically open ports on the firewall as necessary in order to support
registration.

Reuses @msheiny's `iptables` Ansible module implementation, which is
remarkably clean. Love the state=absent functionality.

Rather than use `delegate_to`, we target both hosts and use the boolean
vars `ossec_is_server` and `ossec_is_client` (both defaulting to False)
in order to determine which host the task should execute on. For some
tasks, we want both hosts to execute, thus the combined play target.

Uses a rather gnarly hostvars-based retrieval to map a registered var
result across both hosts, ensuring the same value is accessible to both
play hosts, to coordinate the firewall rule management. Left an in-line
comment to guide future maintainers.

Removes most tags because we can better handle tasks at the import task
level now, which was difficult to do before because the logic was so
spaghetti.

(cherry picked from commit 58b29c8af3f035c7416f4c126939342a3a26420e)
---
 .../securedrop_application_server.yml         |  3 +
 .../group_vars/securedrop_monitor_server.yml  |  3 +
 .../roles/ossec-agent/tasks/agent_config.yml  | 56 -----------
 .../roles/ossec-agent/tasks/cleanup_authd.yml | 39 --------
 .../roles/ossec-agent/tasks/main.yml          |  2 -
 .../roles/ossec-register/defaults/main.yml    |  6 ++
 .../roles/ossec-register/tasks/main.yml       | 98 +++++++++++++++++++
 .../roles/ossec-server/tasks/authd.yml        | 43 --------
 .../roles/ossec-server/tasks/main.yml         | 63 +++++++++++-
 .../tasks/mon_configure_ossec_gpg_alerts.yml  | 41 --------
 10 files changed, 168 insertions(+), 186 deletions(-)
 delete mode 100644 install_files/ansible-base/roles/ossec-agent/tasks/cleanup_authd.yml
 create mode 100644 install_files/ansible-base/roles/ossec-register/defaults/main.yml
 create mode 100644 install_files/ansible-base/roles/ossec-register/tasks/main.yml
 delete mode 100644 install_files/ansible-base/roles/ossec-server/tasks/authd.yml
 delete mode 100644 install_files/ansible-base/roles/ossec-server/tasks/mon_configure_ossec_gpg_alerts.yml

diff --git a/install_files/ansible-base/group_vars/securedrop_application_server.yml b/install_files/ansible-base/group_vars/securedrop_application_server.yml
index 4075b3c88a0..0577bc2c362 100644
--- a/install_files/ansible-base/group_vars/securedrop_application_server.yml
+++ b/install_files/ansible-base/group_vars/securedrop_application_server.yml
@@ -37,3 +37,6 @@ authd_iprules:
     match: state
     cstate: "ESTABLISHED,RELATED"
     jump: ACCEPT
+
+# Declare Application Server as OSSEC agent role.
+ossec_is_client: yes
diff --git a/install_files/ansible-base/group_vars/securedrop_monitor_server.yml b/install_files/ansible-base/group_vars/securedrop_monitor_server.yml
index 208f4485e61..140d4f44367 100644
--- a/install_files/ansible-base/group_vars/securedrop_monitor_server.yml
+++ b/install_files/ansible-base/group_vars/securedrop_monitor_server.yml
@@ -33,3 +33,6 @@ authd_iprules:
     match: state
     cstate: "ESTABLISHED,RELATED"
     jump: ACCEPT
+
+# Declare Monitor Server as OSSEC server role.
+ossec_is_server: yes
diff --git a/install_files/ansible-base/roles/ossec-agent/tasks/agent_config.yml b/install_files/ansible-base/roles/ossec-agent/tasks/agent_config.yml
index 6aae194b3cf..32e8784b838 100644
--- a/install_files/ansible-base/roles/ossec-agent/tasks/agent_config.yml
+++ b/install_files/ansible-base/roles/ossec-agent/tasks/agent_config.yml
@@ -6,59 +6,3 @@
   when: not install_local_packages
   tags:
     - apt
-
-- name: Add firewall exemption for OSSEC agent registration (both servers)
-  iptables:
-    chain: "{{ item[0].chain }}"
-    destination: "{{ item[0].dest|default(omit) }}"
-    destination_port: "{{ item[0].dest_port|default(omit) }}"
-    protocol: "{{ item[0].proto }}"
-    ctstate: "{{ item[0].cstate }}"
-    jump: "{{ item[0].jump }}"
-    match: "{{ item[0].match }}"
-    source: "{{ item[0].source|default(omit) }}"
-    source_port: "{{ item[0].source_port|default(omit) }}"
-    state: present
-  delegate_to: "{{ item[1] }}"
-  with_nested:
-    - "{{ authd_iprules }}"
-    - "{{ groups['all'] }}"
-  when: not ossec_agent_already_registered
-  tags:
-    - iptables
-    - ossec_auth
-
-- debug: var="{{ groups['securedrop_monitor_server'] + groups['securedrop_application_server'] }}"
-
-- name: Register OSSEC agent.
-  command: /var/ossec/bin/agent-auth -m {{ monitor_ip }} -p 1515 -A {{ app_hostname }}
-  when: not ossec_agent_already_registered
-  tags:
-    - ossec_auth
-
-  # If the OSSEC agent auth iptable rule exemptions are in place remove them and
-  # restart OSSEC. This order does matter. The app server's
-  # ossec agent needs to restart to load the imported cert from authd and
-  # connect to the ossec server. The monitor server's OSSEC server needs to
-  # restart after the agent connects to correctly display the agent status.
-- name: Remove firewall exemption for OSSEC agent registration.
-  iptables:
-    chain: "{{ item[0].chain }}"
-    destination: "{{ item[0].dest|default(omit) }}"
-    destination_port: "{{ item[0].dest_port|default(omit) }}"
-    protocol: "{{ item[0].proto }}"
-    ctstate: "{{ item[0].cstate }}"
-    jump: "{{ item[0].jump }}"
-    match: "{{ item[0].match }}"
-    source: "{{ item[0].source|default(omit) }}"
-    source_port: "{{ item[0].source_port|default(omit) }}"
-    state: present
-  delegate_to: "{{ item[1] }}"
-  with_nested:
-    - "{{ authd_iprules }}"
-    - "{{ groups['securedrop_monitor_server'] + groups['securedrop_application_server'] }}"
-  when: not ossec_agent_already_registered
-  notify: restart ossec
-  tags:
-    - iptables
-    - ossec_auth
diff --git a/install_files/ansible-base/roles/ossec-agent/tasks/cleanup_authd.yml b/install_files/ansible-base/roles/ossec-agent/tasks/cleanup_authd.yml
deleted file mode 100644
index 3545a0da58f..00000000000
--- a/install_files/ansible-base/roles/ossec-agent/tasks/cleanup_authd.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-# Contact the OSSEC server and ensure that the authd process
-# is not running. Declaring these as tasks rather than handlers
-# to ensure that the the cleanup happens every time, in case
-# authd was somehow left running, e.g. if playbook was interrupted.
-
-- name: Check if authd process is running on Monitor Server.
-  command: pgrep ossec-authd
-  # pgrep returns 1 if no process is found, so ignore that error.
-  # This is essentially a read-only task, with the subsequent task
-  # potentially making changes
-  failed_when: false
-  changed_when: false
-  register: ossec_authd_running_check
-  delegate_to: "{{ groups.securedrop_monitor_server.0 }}"
-  tags:
-    - iptables
-    - ossec_auth
-    - authd
-
-- name: Kill authd process (if running) on Monitor Server.
-  # This should work using the pattern to grep for in the output of ps per
-  # http://docs.ansible.com/service_module.html
-  # Currently getting an error saying
-  # failed: [mon-staging] => {"failed": true}
-  #  msg: service not found: ossec-authd
-  # service: name=ossec-authd pattern=/var/ossec/bin/ossec-authd state=started
-  command: kill {{ item }}
-  # It's technically possible that pgrep will return more than one PID.
-  # Let's be careful and kill each process, even though in most cases there
-  # will be only one, if any.
-  with_items: "{{ ossec_authd_running_check.stdout_lines }}"
-  delegate_to: "{{ groups.securedrop_monitor_server.0 }}"
-  when: ossec_authd_running_check.rc == 0 and
-        ossec_authd_running_check.stdout != ""
-  tags:
-    - iptables
-    - ossec_auth
-    - authd
diff --git a/install_files/ansible-base/roles/ossec-agent/tasks/main.yml b/install_files/ansible-base/roles/ossec-agent/tasks/main.yml
index 67b761833aa..6d4e76177a5 100644
--- a/install_files/ansible-base/roles/ossec-agent/tasks/main.yml
+++ b/install_files/ansible-base/roles/ossec-agent/tasks/main.yml
@@ -1,4 +1,2 @@
 ---
 - include: agent_config.yml
-
-- include: cleanup_authd.yml
diff --git a/install_files/ansible-base/roles/ossec-register/defaults/main.yml b/install_files/ansible-base/roles/ossec-register/defaults/main.yml
new file mode 100644
index 00000000000..727d66630c9
--- /dev/null
+++ b/install_files/ansible-base/roles/ossec-register/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+# By default, no roles are assigned. Via group_vars or otherwise,
+# identify which hosts should act as server or client. The role
+# will execute tasks conditionally based on the var values.
+ossec_is_server: False
+ossec_is_client: False
diff --git a/install_files/ansible-base/roles/ossec-register/tasks/main.yml b/install_files/ansible-base/roles/ossec-register/tasks/main.yml
new file mode 100644
index 00000000000..17924d11ab6
--- /dev/null
+++ b/install_files/ansible-base/roles/ossec-register/tasks/main.yml
@@ -0,0 +1,98 @@
+---
+- name: Check whether Application Server is registered as OSSEC agent.
+  command: /var/ossec/bin/list_agents -a
+  register: ossec_list_agents_result
+  # Read-only task, so don't report changed
+  when: ossec_is_server
+  changed_when: false
+
+# Gnarly vars retrieval logic in this task. The "register" action above applies
+# only to the Monitor Server, so the Application Server won't be able to access
+# the value (and the play will fail as a result). So on both hosts, let's look up
+# the registered value by referencing the hostvars for the Monitor Server, then
+# copy the result to a more conveniently named fact on both hosts.
+- name: Set host fact for OSSEC registration state.
+  set_fact:
+    ossec_agent_already_registered: "{{ hostvars[groups.securedrop_monitor_server.0].ossec_list_agents_result.stdout == app_hostname +'-'+app_ip+' is available.' }}"
+  # No "delegate_to", so that *both* hosts are aware of registration stauts via set_fact.
+
+- name: Start authd.
+  shell: /var/ossec/bin/ossec-authd -i {{ app_ip }} -p 1515 >/dev/null 2>&1 &
+  async: 0
+  poll: 0
+  when:
+    - ossec_is_server
+    - not ossec_agent_already_registered
+  notify: restart ossec-server
+
+- name: Add firewall exemption for OSSEC agent registration (both servers)
+  iptables:
+    chain: "{{ item.chain }}"
+    destination: "{{ item.dest|default(omit) }}"
+    destination_port: "{{ item.dest_port|default(omit) }}"
+    protocol: "{{ item.proto }}"
+    ctstate: "{{ item.cstate }}"
+    jump: "{{ item.jump }}"
+    match: "{{ item.match }}"
+    source: "{{ item.source|default(omit) }}"
+    source_port: "{{ item.source_port|default(omit) }}"
+    state: present
+  # No "delegate_to", since servers will have different group_vars.
+  with_items: "{{ authd_iprules }}"
+  when: not ossec_agent_already_registered
+
+- name: Register OSSEC agent.
+  command: /var/ossec/bin/agent-auth -m {{ monitor_ip }} -p 1515 -A {{ app_hostname }}
+  when: not ossec_agent_already_registered
+
+# If the OSSEC agent auth iptable rule exemptions are in place remove them and
+# restart OSSEC. This order does matter. The app server's
+# ossec agent needs to restart to load the imported cert from authd and
+# connect to the ossec server. The monitor server's OSSEC server needs to
+# restart after the agent connects to correctly display the agent status.
+- name: Remove firewall exemption for OSSEC agent registration.
+  iptables:
+    chain: "{{ item.chain }}"
+    destination: "{{ item.dest|default(omit) }}"
+    destination_port: "{{ item.dest_port|default(omit) }}"
+    protocol: "{{ item.proto }}"
+    ctstate: "{{ item.cstate }}"
+    jump: "{{ item.jump }}"
+    match: "{{ item.match }}"
+    source: "{{ item.source|default(omit) }}"
+    source_port: "{{ item.source_port|default(omit) }}"
+    state: absent
+  with_items: "{{ authd_iprules }}"
+  # No conditional, to force state=absent in all cases.
+  notify: restart ossec
+
+# Contact the OSSEC server and ensure that the authd process
+# is not running. Declaring these as tasks rather than handlers
+# to ensure that the the cleanup happens every time, in case
+# authd was somehow left running, e.g. if playbook was interrupted.
+- name: Check if authd process is running on Monitor Server.
+  command: pgrep ossec-authd
+  # pgrep returns 1 if no process is found, so ignore that error.
+  # This is essentially a read-only task, with the subsequent task
+  # potentially making changes
+  failed_when: false
+  changed_when: false
+  register: ossec_authd_running_check
+  when: ossec_is_server
+
+- name: Kill authd process (if running) on Monitor Server.
+  # This should work using the pattern to grep for in the output of ps per
+  # http://docs.ansible.com/service_module.html
+  # Currently getting an error saying
+  # failed: [mon-staging] => {"failed": true}
+  #  msg: service not found: ossec-authd
+  # service: name=ossec-authd pattern=/var/ossec/bin/ossec-authd state=started
+  command: kill {{ item }}
+  # It's technically possible that pgrep will return more than one PID.
+  # Let's be careful and kill each process, even though in most cases there
+  # will be only one, if any.
+  with_items: "{{ ossec_authd_running_check.stdout_lines }}"
+  when:
+    - ossec_is_server
+    - ossec_authd_running_check.rc == 0
+    - ossec_authd_running_check.stdout != ""
diff --git a/install_files/ansible-base/roles/ossec-server/tasks/authd.yml b/install_files/ansible-base/roles/ossec-server/tasks/authd.yml
deleted file mode 100644
index fa2a6b6b4e0..00000000000
--- a/install_files/ansible-base/roles/ossec-server/tasks/authd.yml
+++ /dev/null
@@ -1,43 +0,0 @@
----
-- name: Check whether Application Server is registered as OSSEC agent.
-  command: /var/ossec/bin/list_agents -a
-  register: ossec_list_agents_result
-  # Read-only task, so don't report changed
-  changed_when: false
-  tags:
-    - ossec_auth
-
-- name: Set host fact for OSSEC registration state.
-  set_fact:
-    ossec_agent_already_registered: true
-  when: ossec_list_agents_result.stdout == "{{ app_hostname }}-{{ app_ip }} is available."
-  tags:
-    - ossec_auth
-
-- name: Create OSSEC manager SSL key.
-  command: openssl genrsa -out /var/ossec/etc/sslmanager.key 4096
-  args:
-    creates: /var/ossec/etc/sslmanager.key
-  when: ossec_agent_already_registered == false
-  tags:
-    - ossec_auth
-
-- name: Create OSSEC manager SSL certificate.
-  command: >
-    openssl req -new -x509 -batch
-    -subj "/CA=AU/ST=Some-State/locality=city/O=Internet Widgits Pty Ltd/commonName=mon/organizationUnitName=section/emailAddress=admin@localhost"
-    -key /var/ossec/etc/sslmanager.key -out /var/ossec/etc/sslmanager.cert -days 365
-  args:
-    creates: /var/ossec/etc/sslmanager.cert
-  when: ossec_agent_already_registered == false
-  tags:
-    - ossec_auth
-
-- name: Start authd.
-  shell: /var/ossec/bin/ossec-authd -i {{ app_ip }} -p 1515 >/dev/null 2>&1 &
-  async: 0
-  poll: 0
-  when: ossec_agent_already_registered == false
-  notify: restart ossec-server
-  tags:
-    - ossec_auth
diff --git a/install_files/ansible-base/roles/ossec-server/tasks/main.yml b/install_files/ansible-base/roles/ossec-server/tasks/main.yml
index cdc6fa9fba2..57e2c690b1d 100644
--- a/install_files/ansible-base/roles/ossec-server/tasks/main.yml
+++ b/install_files/ansible-base/roles/ossec-server/tasks/main.yml
@@ -1,7 +1,60 @@
 ---
-  # This needs to be run after seting the etc hosts or else will get a hostname
-  # error change these to lineinfile module to work with the exemptions
-- include: mon_configure_ossec_gpg_alerts.yml
+- name: Install OSSEC manager package.
+  apt:
+    name: securedrop-ossec-server
+    state: present
+    update_cache: yes
+    cache_valid_time: 3600
+  when: not install_local_packages
+  tags:
+    - apt
 
-- include: authd.yml
-  tags: authd
+- name: Copy the OSSEC GPG public key for sending encrypted alerts.
+  copy:
+    src: "{{ ossec_alert_gpg_public_key }}"
+    dest: /var/ossec
+  tags:
+    - gpg
+
+- name: Add the OSSEC GPG public key to the OSSEC manager keyring.
+  # multiline format for command module, since this is a long command
+  command: >
+    gpg
+    --homedir /var/ossec/.gnupg
+    --import /var/ossec/{{ ossec_alert_gpg_public_key }}
+  become: yes
+  become_user: "{{ ossec_group }}"
+  register: add_ossec_gpg_key_result
+  changed_when: "'imported: 1' in add_ossec_gpg_key_result.stderr"
+  tags:
+    - gpg
+
+- name: Copy script for sending GPG-encrypted OSSEC alerts.
+  template:
+    src: send_encrypted_alarm.sh
+    dest: /var/ossec/send_encrypted_alarm.sh
+    mode: "0550"
+    owner: root
+    group: ossec
+  tags:
+    - procmail
+    - permissions
+
+- name: Create OSSEC manager SSL key.
+  command: openssl genrsa -out /var/ossec/etc/sslmanager.key 4096
+  args:
+    creates: /var/ossec/etc/sslmanager.key
+  when: ossec_agent_already_registered == false
+  tags:
+    - ossec_auth
+
+- name: Create OSSEC manager SSL certificate.
+  command: >
+    openssl req -new -x509 -batch
+    -subj "/CA=AU/ST=Some-State/locality=city/O=Internet Widgits Pty Ltd/commonName=mon/organizationUnitName=section/emailAddress=admin@localhost"
+    -key /var/ossec/etc/sslmanager.key -out /var/ossec/etc/sslmanager.cert -days 365
+  args:
+    creates: /var/ossec/etc/sslmanager.cert
+  when: ossec_agent_already_registered == false
+  tags:
+    - ossec_auth
diff --git a/install_files/ansible-base/roles/ossec-server/tasks/mon_configure_ossec_gpg_alerts.yml b/install_files/ansible-base/roles/ossec-server/tasks/mon_configure_ossec_gpg_alerts.yml
deleted file mode 100644
index 28342ec8bec..00000000000
--- a/install_files/ansible-base/roles/ossec-server/tasks/mon_configure_ossec_gpg_alerts.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-- name: Install OSSEC manager package.
-  apt:
-    name: securedrop-ossec-server
-    state: latest
-    update_cache: yes
-    cache_valid_time: 3600
-  when: not install_local_packages
-  tags:
-    - apt
-
-- name: Copy the OSSEC GPG public key for sending encrypted alerts.
-  copy:
-    src: "{{ ossec_alert_gpg_public_key }}"
-    dest: /var/ossec
-  tags:
-    - gpg
-
-- name: Add the OSSEC GPG public key to the OSSEC manager keyring.
-  # multiline format for command module, since this is a long command
-  command: >
-    gpg
-    --homedir /var/ossec/.gnupg
-    --import /var/ossec/{{ ossec_alert_gpg_public_key }}
-  become: yes
-  become_user: "{{ ossec_group }}"
-  register: add_ossec_gpg_key_result
-  changed_when: "'imported: 1' in add_ossec_gpg_key_result.stderr"
-  tags:
-    - gpg
-
-- name: Copy script for sending GPG-encrypted OSSEC alerts.
-  template:
-    src: send_encrypted_alarm.sh
-    dest: /var/ossec/send_encrypted_alarm.sh
-    mode: "0550"
-    owner: root
-    group: ossec
-  tags:
-    - procmail
-    - permissions

From 478a9a0c8866ae25a378c01d1368a35270dc371c Mon Sep 17 00:00:00 2001
From: Conor Schaefer <conor@freedom.press>
Date: Wed, 13 Dec 2017 15:49:33 -0800
Subject: [PATCH 13/51] Creates combined "ossec" role for both hosts

BEGINS combined ossec role
FIX: begins ossec common role
REMOVES duplicated default ossec vars files
PARITAL: ports ossec-agent tasks to common role
MOVES registration flow into common role
MOVES testing pubkeys for ossec server role
MOVES ossec-server config tasks into common role
MOVES send0encrypted-alarms tempalte
MOVES (and ports) handlers into ossec comon role
FIX MOVES ossec-server-config-tasks

There's a functional change sneakily hiding in here: we had a double
conditional on the SSL key creation tasks, when really we only want to
skip creation if the relevant files exist.

Prunes down the OSSEC-related handlers. We don't really need to fuss
over whether the OSSEC agent or server is restarted: if inter-machine
authentication changed, then we want to bounce *both* services.
Fortunately we can do so by restarting the "ossec" service on both
hosts, regardless of whether it's OSSEC server or client.

(cherry picked from commit c4a1178da8d4106fd0919c8b2204eeb350c71afd)
---
 .../roles/ossec-agent/defaults/main.yml       |   6 ------
 .../roles/ossec-agent/handlers/main.yml       |   8 --------
 .../roles/ossec-agent/tasks/main.yml          |   2 --
 .../roles/ossec-server/defaults/main.yml      |   8 --------
 .../roles/ossec-server/handlers/main.yml      |  18 ------------------
 .../defaults/main.yml                         |   6 ++++++
 .../files/test_admin_key.pub                  | Bin
 .../files/test_admin_key.sec                  | Bin
 .../roles/ossec/handlers/main.yml             |   6 ++++++
 .../tasks/configure_client.yml}               |   0
 .../tasks/configure_server.yml}               |   2 --
 .../ansible-base/roles/ossec/tasks/main.yml   |   8 ++++++++
 .../main.yml => ossec/tasks/register.yml}     |   7 ++++---
 .../templates/send_encrypted_alarm.sh         |   0
 14 files changed, 24 insertions(+), 47 deletions(-)
 delete mode 100644 install_files/ansible-base/roles/ossec-agent/defaults/main.yml
 delete mode 100644 install_files/ansible-base/roles/ossec-agent/handlers/main.yml
 delete mode 100644 install_files/ansible-base/roles/ossec-agent/tasks/main.yml
 delete mode 100644 install_files/ansible-base/roles/ossec-server/defaults/main.yml
 delete mode 100644 install_files/ansible-base/roles/ossec-server/handlers/main.yml
 rename install_files/ansible-base/roles/{ossec-register => ossec}/defaults/main.yml (54%)
 rename install_files/ansible-base/roles/{ossec-server => ossec}/files/test_admin_key.pub (100%)
 rename install_files/ansible-base/roles/{ossec-server => ossec}/files/test_admin_key.sec (100%)
 create mode 100644 install_files/ansible-base/roles/ossec/handlers/main.yml
 rename install_files/ansible-base/roles/{ossec-agent/tasks/agent_config.yml => ossec/tasks/configure_client.yml} (100%)
 rename install_files/ansible-base/roles/{ossec-server/tasks/main.yml => ossec/tasks/configure_server.yml} (94%)
 create mode 100644 install_files/ansible-base/roles/ossec/tasks/main.yml
 rename install_files/ansible-base/roles/{ossec-register/tasks/main.yml => ossec/tasks/register.yml} (98%)
 rename install_files/ansible-base/roles/{ossec-server => ossec}/templates/send_encrypted_alarm.sh (100%)

diff --git a/install_files/ansible-base/roles/ossec-agent/defaults/main.yml b/install_files/ansible-base/roles/ossec-agent/defaults/main.yml
deleted file mode 100644
index 41bb85408ef..00000000000
--- a/install_files/ansible-base/roles/ossec-agent/defaults/main.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-# Override capability for installing locally built deb packages in the staging
-# environment. By default, packages are installed via the FPF apt repo.
-install_local_packages: False
-
-ossec_agent_already_registered: false
diff --git a/install_files/ansible-base/roles/ossec-agent/handlers/main.yml b/install_files/ansible-base/roles/ossec-agent/handlers/main.yml
deleted file mode 100644
index 26fce7e9e14..00000000000
--- a/install_files/ansible-base/roles/ossec-agent/handlers/main.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-- name: reload iptables rules
-  shell: iptables-restore < /etc/network/iptables/rules_v4
-
-- name: restart ossec
-  service:
-    name: ossec
-    state: restarted
diff --git a/install_files/ansible-base/roles/ossec-agent/tasks/main.yml b/install_files/ansible-base/roles/ossec-agent/tasks/main.yml
deleted file mode 100644
index 6d4e76177a5..00000000000
--- a/install_files/ansible-base/roles/ossec-agent/tasks/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-- include: agent_config.yml
diff --git a/install_files/ansible-base/roles/ossec-server/defaults/main.yml b/install_files/ansible-base/roles/ossec-server/defaults/main.yml
deleted file mode 100644
index 0cb925a759f..00000000000
--- a/install_files/ansible-base/roles/ossec-server/defaults/main.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-# Override capability for installing locally built deb packages in the staging
-# environment. By default, packages are installed via the FPF apt repo.
-install_local_packages: False
-
-ossec_group: ossec
-
-ossec_agent_already_registered: false
diff --git a/install_files/ansible-base/roles/ossec-server/handlers/main.yml b/install_files/ansible-base/roles/ossec-server/handlers/main.yml
deleted file mode 100644
index 75286603920..00000000000
--- a/install_files/ansible-base/roles/ossec-server/handlers/main.yml
+++ /dev/null
@@ -1,18 +0,0 @@
----
-- name: add firewall rule exemption for authd
-  lineinfile:
-    dest: /etc/network/iptables/rules_v4
-    # last line in the initial *filter stanza (which must come before any rules)
-    # rules will be applied before the default rules defined in rules_v4 file
-    insertafter: "^:LOGNDROP"
-    regexp: "{{ item }}"
-    line: "{{ item }}"
-  with_items: "{{ authd_rules }}"
-
-- name: reload authd iptables
-  shell: iptables-restore < /etc/network/iptables/rules_v4
-
-- name: restart ossec-server
-  service:
-    name: ossec
-    state: restarted
diff --git a/install_files/ansible-base/roles/ossec-register/defaults/main.yml b/install_files/ansible-base/roles/ossec/defaults/main.yml
similarity index 54%
rename from install_files/ansible-base/roles/ossec-register/defaults/main.yml
rename to install_files/ansible-base/roles/ossec/defaults/main.yml
index 727d66630c9..4395f9a537a 100644
--- a/install_files/ansible-base/roles/ossec-register/defaults/main.yml
+++ b/install_files/ansible-base/roles/ossec/defaults/main.yml
@@ -1,4 +1,10 @@
 ---
+# Override capability for installing locally built deb packages in the staging
+# environment. By default, packages are installed via the FPF apt repo.
+install_local_packages: False
+
+ossec_group: ossec
+
 # By default, no roles are assigned. Via group_vars or otherwise,
 # identify which hosts should act as server or client. The role
 # will execute tasks conditionally based on the var values.
diff --git a/install_files/ansible-base/roles/ossec-server/files/test_admin_key.pub b/install_files/ansible-base/roles/ossec/files/test_admin_key.pub
similarity index 100%
rename from install_files/ansible-base/roles/ossec-server/files/test_admin_key.pub
rename to install_files/ansible-base/roles/ossec/files/test_admin_key.pub
diff --git a/install_files/ansible-base/roles/ossec-server/files/test_admin_key.sec b/install_files/ansible-base/roles/ossec/files/test_admin_key.sec
similarity index 100%
rename from install_files/ansible-base/roles/ossec-server/files/test_admin_key.sec
rename to install_files/ansible-base/roles/ossec/files/test_admin_key.sec
diff --git a/install_files/ansible-base/roles/ossec/handlers/main.yml b/install_files/ansible-base/roles/ossec/handlers/main.yml
new file mode 100644
index 00000000000..f4310cf72dc
--- /dev/null
+++ b/install_files/ansible-base/roles/ossec/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+# Single handler to operate on *both* OSSEC hosts, server & client.
+- name: restart ossec
+  service:
+    name: ossec
+    state: restarted
diff --git a/install_files/ansible-base/roles/ossec-agent/tasks/agent_config.yml b/install_files/ansible-base/roles/ossec/tasks/configure_client.yml
similarity index 100%
rename from install_files/ansible-base/roles/ossec-agent/tasks/agent_config.yml
rename to install_files/ansible-base/roles/ossec/tasks/configure_client.yml
diff --git a/install_files/ansible-base/roles/ossec-server/tasks/main.yml b/install_files/ansible-base/roles/ossec/tasks/configure_server.yml
similarity index 94%
rename from install_files/ansible-base/roles/ossec-server/tasks/main.yml
rename to install_files/ansible-base/roles/ossec/tasks/configure_server.yml
index 57e2c690b1d..e2df707d275 100644
--- a/install_files/ansible-base/roles/ossec-server/tasks/main.yml
+++ b/install_files/ansible-base/roles/ossec/tasks/configure_server.yml
@@ -44,7 +44,6 @@
   command: openssl genrsa -out /var/ossec/etc/sslmanager.key 4096
   args:
     creates: /var/ossec/etc/sslmanager.key
-  when: ossec_agent_already_registered == false
   tags:
     - ossec_auth
 
@@ -55,6 +54,5 @@
     -key /var/ossec/etc/sslmanager.key -out /var/ossec/etc/sslmanager.cert -days 365
   args:
     creates: /var/ossec/etc/sslmanager.cert
-  when: ossec_agent_already_registered == false
   tags:
     - ossec_auth
diff --git a/install_files/ansible-base/roles/ossec/tasks/main.yml b/install_files/ansible-base/roles/ossec/tasks/main.yml
new file mode 100644
index 00000000000..271b2de169c
--- /dev/null
+++ b/install_files/ansible-base/roles/ossec/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+- include: configure_client.yml
+  when: ossec_is_client
+
+- include: configure_server.yml
+  when: ossec_is_server
+
+- include: register.yml
diff --git a/install_files/ansible-base/roles/ossec-register/tasks/main.yml b/install_files/ansible-base/roles/ossec/tasks/register.yml
similarity index 98%
rename from install_files/ansible-base/roles/ossec-register/tasks/main.yml
rename to install_files/ansible-base/roles/ossec/tasks/register.yml
index 17924d11ab6..556ace9f2de 100644
--- a/install_files/ansible-base/roles/ossec-register/tasks/main.yml
+++ b/install_files/ansible-base/roles/ossec/tasks/register.yml
@@ -23,7 +23,6 @@
   when:
     - ossec_is_server
     - not ossec_agent_already_registered
-  notify: restart ossec-server
 
 - name: Add firewall exemption for OSSEC agent registration (both servers)
   iptables:
@@ -43,7 +42,10 @@
 
 - name: Register OSSEC agent.
   command: /var/ossec/bin/agent-auth -m {{ monitor_ip }} -p 1515 -A {{ app_hostname }}
-  when: not ossec_agent_already_registered
+  notify: restart ossec
+  when:
+    - ossec_is_client
+    - not ossec_agent_already_registered
 
 # If the OSSEC agent auth iptable rule exemptions are in place remove them and
 # restart OSSEC. This order does matter. The app server's
@@ -64,7 +66,6 @@
     state: absent
   with_items: "{{ authd_iprules }}"
   # No conditional, to force state=absent in all cases.
-  notify: restart ossec
 
 # Contact the OSSEC server and ensure that the authd process
 # is not running. Declaring these as tasks rather than handlers
diff --git a/install_files/ansible-base/roles/ossec-server/templates/send_encrypted_alarm.sh b/install_files/ansible-base/roles/ossec/templates/send_encrypted_alarm.sh
similarity index 100%
rename from install_files/ansible-base/roles/ossec-server/templates/send_encrypted_alarm.sh
rename to install_files/ansible-base/roles/ossec/templates/send_encrypted_alarm.sh

From 8690efe22bfdaa94e44a7500c5518b6db22ddedb Mon Sep 17 00:00:00 2001
From: Conor Schaefer <conor@freedom.press>
Date: Wed, 13 Dec 2017 12:29:27 -0800
Subject: [PATCH 14/51] Updates playbooks with new OSSEC role logic

We've consolidated the "ossec-agent" and "ossec-server" roles into
"ossec", and excised the postfix logic from the "ossec-server" role into
a discrete "postfix" role. Playbooks must have these updated
accordingly.

We're nearly at the point where we can standardize on a single playbook
for prod and staging. Onward!

(cherry picked from commit 77af2f22a8c3b1c2094504a74fc0eed00b3b99ab)
---
 install_files/ansible-base/securedrop-prod.yml    | 13 ++++++++++---
 install_files/ansible-base/securedrop-staging.yml | 13 ++++++++++---
 2 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/install_files/ansible-base/securedrop-prod.yml b/install_files/ansible-base/securedrop-prod.yml
index 842876515f8..7219ce64316 100755
--- a/install_files/ansible-base/securedrop-prod.yml
+++ b/install_files/ansible-base/securedrop-prod.yml
@@ -15,16 +15,23 @@
     - { role: tor-hidden-services, tags: tor }
   become: yes
 
-- name: Configure SecureDrop Monitor Server.
+- name: Configure mailing utilities.
   hosts: securedrop_monitor_server
   roles:
-    - { role: ossec-server, tags: [ ossec, ossec_server ] }
+    - role: postfix
+      tags: postfix
+  become: yes
+
+- name: Configure OSSEC.
+  hosts: securedrop
+  roles:
+    - role: ossec
+      tags: ossec
   become: yes
 
 - name: Configure SecureDrop Application Server.
   hosts: securedrop_application_server
   roles:
-    - { role: ossec-agent, tags: [ ossec, ossec_agent ] }
     - { role: app, tags: app }
   become: yes
 
diff --git a/install_files/ansible-base/securedrop-staging.yml b/install_files/ansible-base/securedrop-staging.yml
index af2b5847f49..405d7d27c95 100755
--- a/install_files/ansible-base/securedrop-staging.yml
+++ b/install_files/ansible-base/securedrop-staging.yml
@@ -31,16 +31,23 @@
         when: install_local_packages }
   become: yes
 
-- name: Configure OSSEC manager.
+- name: Configure mailing utilities.
   hosts: mon-staging
   roles:
-    - { role: ossec-server, tags: [ ossec, ossec_server ] }
+    - role: postfix
+      tags: postfix
+  become: yes
+
+- name: Configure OSSEC.
+  hosts: staging
+  roles:
+    - role: ossec
+      tags: ossec
   become: yes
 
 - name: Configure SecureDrop Application Server.
   hosts: app-staging
   roles:
-    - { role: ossec-agent, tags: [ ossec, ossec_agent ] }
     - { role: app, tags: app }
     - { role: app-test, tags: app-test }
   become: yes

From dc6c9632a9fc2206dd5be4f51f07eb7140f8cc88 Mon Sep 17 00:00:00 2001
From: Michael Sheinberg <m.sheiny@gmail.com>
Date: Thu, 14 Dec 2017 16:29:02 -0500
Subject: [PATCH 15/51] Add fix for iptables OSSEC monitor temporary rules

The previous iptables rules were swapped and caused the port to be
blocked during registration.

(cherry picked from commit 4c012fa8bb6c6186cb91fb2b00e9650655201e07)
---
 .../ansible-base/group_vars/securedrop_monitor_server.yml     | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/install_files/ansible-base/group_vars/securedrop_monitor_server.yml b/install_files/ansible-base/group_vars/securedrop_monitor_server.yml
index 140d4f44367..1a289ca7a44 100644
--- a/install_files/ansible-base/group_vars/securedrop_monitor_server.yml
+++ b/install_files/ansible-base/group_vars/securedrop_monitor_server.yml
@@ -19,7 +19,7 @@ tor_instances:
 
 authd_iprules:
   - chain: INPUT
-    dest: "{{ app_hostname  }}"
+    source: "{{ app_hostname  }}"
     proto: tcp
     dest_port: 1515
     match: state
@@ -27,7 +27,7 @@ authd_iprules:
     jump: ACCEPT
 
   - chain: OUTPUT
-    source: "{{ app_hostname }}"
+    dest: "{{ app_hostname }}"
     proto: tcp
     source_port: 1515
     match: state

From d9d98ac73bdf3fb5e31c4c255935268dd79aabe4 Mon Sep 17 00:00:00 2001
From: Michael Sheinberg <m.sheiny@gmail.com>
Date: Thu, 14 Dec 2017 16:35:41 -0500
Subject: [PATCH 16/51] Add temporary iptables to the top of the chain

Without this explicitly set, ansible will append the iptables to the
bottom of the chain. Since we have some explicit DROP lines at the
bottom of the INPUT chain, this means that the exception gets added
AFTER a DROP line. Meaning... that the line basically never got
evaluated.

This commit resolves that issue by always inserting at the top of the
chain (both INPUT and OUTPUT). There is a following clean-up task that
will remove this afterwards as usual.

(cherry picked from commit 345aea49ee351e15123594409cebb5ec3c8a04b0)
---
 install_files/ansible-base/roles/ossec/tasks/register.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/install_files/ansible-base/roles/ossec/tasks/register.yml b/install_files/ansible-base/roles/ossec/tasks/register.yml
index 556ace9f2de..f69f46989f8 100644
--- a/install_files/ansible-base/roles/ossec/tasks/register.yml
+++ b/install_files/ansible-base/roles/ossec/tasks/register.yml
@@ -26,6 +26,7 @@
 
 - name: Add firewall exemption for OSSEC agent registration (both servers)
   iptables:
+    action: insert
     chain: "{{ item.chain }}"
     destination: "{{ item.dest|default(omit) }}"
     destination_port: "{{ item.dest_port|default(omit) }}"

From b594833cd1a1d2a71ac504299648cfe6f3e6d130 Mon Sep 17 00:00:00 2001
From: Conor Schaefer <conor@freedom.press>
Date: Mon, 8 Jan 2018 16:17:52 -0800
Subject: [PATCH 17/51] Configure Postfix after OSSEC
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Postfix logic assumes that the "ossec" user and group will exist,
and sets logfiles accordingly. Therefore let's make sure that Postfix is
configured *after* OSSEC.

The cleaner approach would be to set a `postfix_user` var and set the
default value to "ossec", but rather than add additional logic into our
config to solve an ordering problem, I'd rather focus on making what we
have work—and the current change set is focused on resolving the ossec
registration logic—and then deferring to community-maintained roles for
common services, e.g. Postfix, which would allow overriding via vars.

(cherry picked from commit 5493923ed3bdc34e809476ae18dc452d3acf1f9b)
---
 install_files/ansible-base/securedrop-prod.yml    | 14 +++++++-------
 install_files/ansible-base/securedrop-staging.yml | 14 +++++++-------
 2 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/install_files/ansible-base/securedrop-prod.yml b/install_files/ansible-base/securedrop-prod.yml
index 7219ce64316..709c774e7ba 100755
--- a/install_files/ansible-base/securedrop-prod.yml
+++ b/install_files/ansible-base/securedrop-prod.yml
@@ -15,13 +15,6 @@
     - { role: tor-hidden-services, tags: tor }
   become: yes
 
-- name: Configure mailing utilities.
-  hosts: securedrop_monitor_server
-  roles:
-    - role: postfix
-      tags: postfix
-  become: yes
-
 - name: Configure OSSEC.
   hosts: securedrop
   roles:
@@ -29,6 +22,13 @@
       tags: ossec
   become: yes
 
+- name: Configure mailing utilities.
+  hosts: securedrop_monitor_server
+  roles:
+    - role: postfix
+      tags: postfix
+  become: yes
+
 - name: Configure SecureDrop Application Server.
   hosts: securedrop_application_server
   roles:
diff --git a/install_files/ansible-base/securedrop-staging.yml b/install_files/ansible-base/securedrop-staging.yml
index 405d7d27c95..2562f2b21ae 100755
--- a/install_files/ansible-base/securedrop-staging.yml
+++ b/install_files/ansible-base/securedrop-staging.yml
@@ -31,13 +31,6 @@
         when: install_local_packages }
   become: yes
 
-- name: Configure mailing utilities.
-  hosts: mon-staging
-  roles:
-    - role: postfix
-      tags: postfix
-  become: yes
-
 - name: Configure OSSEC.
   hosts: staging
   roles:
@@ -45,6 +38,13 @@
       tags: ossec
   become: yes
 
+- name: Configure mailing utilities.
+  hosts: mon-staging
+  roles:
+    - role: postfix
+      tags: postfix
+  become: yes
+
 - name: Configure SecureDrop Application Server.
   hosts: app-staging
   roles:

From 6d1156ea6cd83c965b949de4cdcda1d0a2521515 Mon Sep 17 00:00:00 2001
From: Michael Sheinberg <mike@freedom.press>
Date: Tue, 23 Jan 2018 16:54:45 -0500
Subject: [PATCH 18/51] Make registration detection less stringent

Current logic doesnt always work as intended since a machine's agent
name won't match up exactly if it's been registered multiple times.
Instead, lets just look for the IP address and the `is available`
string.

(cherry picked from commit 963cb6b2555444d742ae210f687c653e8387b208)
---
 install_files/ansible-base/roles/ossec/tasks/register.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install_files/ansible-base/roles/ossec/tasks/register.yml b/install_files/ansible-base/roles/ossec/tasks/register.yml
index f69f46989f8..0fbe6374896 100644
--- a/install_files/ansible-base/roles/ossec/tasks/register.yml
+++ b/install_files/ansible-base/roles/ossec/tasks/register.yml
@@ -13,7 +13,7 @@
 # copy the result to a more conveniently named fact on both hosts.
 - name: Set host fact for OSSEC registration state.
   set_fact:
-    ossec_agent_already_registered: "{{ hostvars[groups.securedrop_monitor_server.0].ossec_list_agents_result.stdout == app_hostname +'-'+app_ip+' is available.' }}"
+    ossec_agent_already_registered: "{{ app_ip+' is available.' in hostvars[groups.securedrop_monitor_server.0].ossec_list_agents_result.stdout }}"
   # No "delegate_to", so that *both* hosts are aware of registration stauts via set_fact.
 
 - name: Start authd.

From 484c40d190c26b731bead96b9653ed9e2df2693d Mon Sep 17 00:00:00 2001
From: Michael Sheinberg <mike@freedom.press>
Date: Tue, 23 Jan 2018 16:56:13 -0500
Subject: [PATCH 19/51] Purge existing agents from app + mon

If the agent connection isnt working, lets go ahead and purge all
existing agents from the app and monitor servers prior to
re-registration. This helps shake out a bunch of weird connection issues
that popped up during QA.

(cherry picked from commit 99a538bec95dbd09875009175baabe7f229a20f9)
---
 .../roles/ossec/tasks/register.yml            | 41 ++++++++++++++++++-
 1 file changed, 40 insertions(+), 1 deletion(-)

diff --git a/install_files/ansible-base/roles/ossec/tasks/register.yml b/install_files/ansible-base/roles/ossec/tasks/register.yml
index 0fbe6374896..37c9ae88898 100644
--- a/install_files/ansible-base/roles/ossec/tasks/register.yml
+++ b/install_files/ansible-base/roles/ossec/tasks/register.yml
@@ -16,6 +16,46 @@
     ossec_agent_already_registered: "{{ app_ip+' is available.' in hostvars[groups.securedrop_monitor_server.0].ossec_list_agents_result.stdout }}"
   # No "delegate_to", so that *both* hosts are aware of registration stauts via set_fact.
 
+- name: Find existing ossec remote IDs
+  find:
+    paths: /var/ossec/queue/rids
+    patterns: '^\d+$'
+    use_regex: "yes"
+  when:
+    - ossec_is_server
+  register: _existing_rids
+
+- name: Build list of existing remote IDs
+  set_fact:
+    build_rids: "{{ build_rids|default([]) + [item.path|basename] }}"
+  with_items: "{{ _existing_rids.files }}"
+  when:
+    - ossec_is_server
+
+- name: Stop ossec now for clean-up
+  service:
+    name: ossec
+    state: stopped
+  notify: restart ossec
+  when:
+    - not ossec_agent_already_registered
+
+- name: Purge existing ossec server existing agents
+  command: /var/ossec/bin/manage_agents -r {{ item }}
+  changed_when: false
+  with_items: "{{ build_rids|default([]) }}"
+  when:
+    - ossec_is_server
+    - not ossec_agent_already_registered
+
+- name: Erase existing client-side key
+  file:
+    path: /var/ossec/etc/client.keys
+    state: absent
+  when:
+    - ossec_is_client
+    - not ossec_agent_already_registered
+
 - name: Start authd.
   shell: /var/ossec/bin/ossec-authd -i {{ app_ip }} -p 1515 >/dev/null 2>&1 &
   async: 0
@@ -43,7 +83,6 @@
 
 - name: Register OSSEC agent.
   command: /var/ossec/bin/agent-auth -m {{ monitor_ip }} -p 1515 -A {{ app_hostname }}
-  notify: restart ossec
   when:
     - ossec_is_client
     - not ossec_agent_already_registered

From 0ae8af1140faec19ae9cb90442e4362c6cea1f9a Mon Sep 17 00:00:00 2001
From: Michael Sheinberg <mike@freedom.press>
Date: Tue, 23 Jan 2018 17:37:19 -0500
Subject: [PATCH 20/51] Clean-up systems with multiple agents

Since the monitor server should only have one agent connected, multiple
agents showing up is a sign of problems. In that scenario, lets force
the re-register and cleanup logic.

(cherry picked from commit 97e1b1a7257474b3aaed847dfa89387a197f07ee)
---
 install_files/ansible-base/roles/ossec/tasks/register.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/install_files/ansible-base/roles/ossec/tasks/register.yml b/install_files/ansible-base/roles/ossec/tasks/register.yml
index 37c9ae88898..8b46df4a315 100644
--- a/install_files/ansible-base/roles/ossec/tasks/register.yml
+++ b/install_files/ansible-base/roles/ossec/tasks/register.yml
@@ -25,6 +25,11 @@
     - ossec_is_server
   register: _existing_rids
 
+- name: Overload agent already registered status to force reinstall
+  set_fact:
+    ossec_agent_already_registered: false
+  when: hostvars[groups.securedrop_monitor_server.0]._existing_rids.matched > 1
+
 - name: Build list of existing remote IDs
   set_fact:
     build_rids: "{{ build_rids|default([]) + [item.path|basename] }}"

From 70c980f1d415c6d24074c39fae1d5f021f3119ab Mon Sep 17 00:00:00 2001
From: Conor Schaefer <conor@freedom.press>
Date: Tue, 23 Jan 2018 17:56:42 -0800
Subject: [PATCH 21/51] Reenables OSSEC connectivity config test

Partial reversion of 3da5605ae7, in which several config tests were
intentionally disabled for CI optimization. Now that we've resolved the
unreliable OSSEC registration flow, the strict "xfail" on the OSSEC
connectivity test was reporting failure: because it was unexpectedly
passing!

Renabled the OSSEC test, but left the other changes from 3da5605ae7
in place. We'll get to those in their own time.

(cherry picked from commit 4d3e94c8e3a81c3d36b567ef6fa8dabfb3409a02)
---
 testinfra/mon/test_ossec.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/testinfra/mon/test_ossec.py b/testinfra/mon/test_ossec.py
index 61e33e5102e..4b6c69ba0fa 100644
--- a/testinfra/mon/test_ossec.py
+++ b/testinfra/mon/test_ossec.py
@@ -20,7 +20,6 @@ def test_ossec_package(Package, package):
     assert Package(package).is_installed
 
 
-@pytest.mark.xfail(strict=True)
 def test_ossec_connectivity(Command, Sudo):
     """
     Ensure ossec-server machine has active connection to the ossec-agent.

From 67fac928fefe0094a8aefd5cbf415ae325f1e9cb Mon Sep 17 00:00:00 2001
From: Conor Schaefer <conor@freedom.press>
Date: Tue, 23 Jan 2018 16:21:39 -0800
Subject: [PATCH 22/51] Adds test for max_fail_percentage Ansible option

In typical TDD fashion, let's create a failing test and then get it to
pass. The test is currently failing, which is good! We'll want to update
*all* SecureDrop-related playbooks to contain max_fail_percentage=0.

(cherry picked from commit 61672a94e9564eab89c4910246449b8b80988f89)
---
 molecule/ansible-config/molecule.yml          | 36 +++++++++++
 .../tests/test_max_fail_percentage.py         | 61 +++++++++++++++++++
 2 files changed, 97 insertions(+)
 create mode 100644 molecule/ansible-config/molecule.yml
 create mode 100644 molecule/ansible-config/tests/test_max_fail_percentage.py

diff --git a/molecule/ansible-config/molecule.yml b/molecule/ansible-config/molecule.yml
new file mode 100644
index 00000000000..3db7a3bdb44
--- /dev/null
+++ b/molecule/ansible-config/molecule.yml
@@ -0,0 +1,36 @@
+---
+driver:
+  name: delegated
+  options:
+    managed: False
+    login_cmd_template: 'docker exec -ti {instance} bash'
+    ansible_connection_options:
+      connection: local
+lint:
+  name: yamllint
+platforms:
+  - name: localhost
+provisioner:
+  name: ansible
+  playbooks:
+    prepare: ''
+    create: ''
+  lint:
+    name: ansible-lint
+  config_options:
+    defaults:
+      callback_whitelist: "profile_tasks, timer"
+  inventory:
+    links:
+      group_vars: ../../../install_files/ansible-base/group_vars
+      host_vars: ../../../install_files/ansible-base/host_vars
+  env:
+    ANSIBLE_ROLES_PATH: ../../install_files/ansible-base/roles
+scenario:
+  name: ansible-config
+  test_sequence:
+    - verify
+verifier:
+  name: testinfra
+  lint:
+    name: flake8
diff --git a/molecule/ansible-config/tests/test_max_fail_percentage.py b/molecule/ansible-config/tests/test_max_fail_percentage.py
new file mode 100644
index 00000000000..417a073dcaa
--- /dev/null
+++ b/molecule/ansible-config/tests/test_max_fail_percentage.py
@@ -0,0 +1,61 @@
+import os
+
+import pytest
+import yaml
+
+
+# Lots of parent directories to dig out of the Molecule test dir.
+# Could also inspect the Molecule env vars and go from there.
+REPO_ROOT = os.path.abspath(os.path.join(__file__,
+                                         os.path.pardir,
+                                         os.path.pardir,
+                                         os.path.pardir,
+                                         os.path.pardir,
+                                         ))
+ANSIBLE_BASE = os.path.join(REPO_ROOT, 'install_files', 'ansible-base')
+
+
+def find_ansible_playbooks():
+    """
+    Test helper to generate list of filepaths for SecureDrop
+    Ansible playbooks. All files will be validated to contain the
+    max_fail option.
+    """
+    playbooks = []
+    # Not using os.walk since all SecureDrop playbooks are in top-level
+    # of the "ansible-base" directory, and *many* YAML files that are
+    # not playbooks reside in subdirectories.
+    for f in os.listdir(ANSIBLE_BASE):
+        # Assume all YAML files in directory are playbooks.
+        if f.endswith(".yml"):
+            # Ignore deprecated production vars file.
+            if f != "prod-specific.yml":
+                playbooks.append(os.path.join(ANSIBLE_BASE, f))
+    # Sanity checking to make sure list of playbooks is not empty.
+    assert len(playbooks) > 0
+    return playbooks
+
+
+@pytest.mark.parametrize('playbook', find_ansible_playbooks())
+def test_max_fail_percentage(host, playbook):
+    """
+    All SecureDrop playbooks should set `max_fail_percentage` to "0"
+    on each and every play. Doing so ensures that if an error is encountered
+    on one host, Ansible immediately exits, rather than continuing to configure
+    the other, as-yet-unfailed host.
+
+    There's no ansible.cfg option to set for max_fail_percentage, which would
+    allow for a single DRY update that would apply automatically to all
+    invocations of `ansible-playbook`. Therefore this test, which will
+    search for the line present in all playbooks.
+
+    Technically it's only necessary that plays targeting multiple hosts use
+    the parameter, but we'll play it safe and require it everywhere,
+    to avoid mistakes down the road.
+    """
+    with open(playbook, 'r') as f:
+        playbook_yaml = yaml.safe_load(f)
+        # Descend into playbook list structure to validate play attributes.
+        for play in playbook_yaml:
+            assert 'max_fail_percentage' in play
+            assert play['max_fail_percentage'] == 0

From 45dfba74b61179873809dadb105ad52f1814b1c7 Mon Sep 17 00:00:00 2001
From: Conor Schaefer <conor@freedom.press>
Date: Tue, 23 Jan 2018 16:52:57 -0800
Subject: [PATCH 23/51] Adds Makefile target "ansible-config-lint"

Target name is intentionally a bit verbose in order to discrimate from
"ansible-lint", which is a dedicated tool for linting Ansible playbooks
and the roles called therefrom, ensuring adherence to best practices.
That's a separate tool, and one we use elsewhere, whereas the new test
suite being introduced ensures SecureDrop-specific config choices
that we've added in this repository.

Hooked up the new test to the general "make lint" target, as well. The
new tests are *fast*, so no concerns with CI delays.

(cherry picked from commit 1ebd8a8759a6d7b58a2482747c5a101d83a68aca)
---
 Makefile | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index f0097d5a04f..a785db01d47 100644
--- a/Makefile
+++ b/Makefile
@@ -27,6 +27,10 @@ ci-lint-image: ## Builds linting container.
 ci-lint: ## Runs linting in linting container.
 	docker run --rm -ti -v /var/run/docker.sock:/var/run/docker.sock securedrop-lint:${TAG}
 
+.PHONY: ansible-config-lint
+ansible-config-lint: ## Runs custom Ansible env linting tasks.
+	molecule verify -s ansible-config
+
 .PHONY: docs-lint
 docs-lint: ## Check documentation for common syntax errors.
 # The `-W` option converts warnings to errors.
@@ -86,7 +90,7 @@ shellcheckclean: ## Cleans up temporary container associated with shellcheck tar
 	@docker rm -f shellcheck-targets
 
 .PHONY: lint
-lint: docs-lint app-lint flake8 html-lint yamllint shellcheck ## Runs all linting tools (docs, pylint, flake8, HTML, YAML, shell).
+lint: docs-lint app-lint flake8 html-lint yamllint shellcheck ansible-config-lint ## Runs all linting tools (docs, pylint, flake8, HTML, YAML, shell, ansible-config).
 
 .PHONY: docker-build-ubuntu
 docker-build-ubuntu: ## Builds SD Ubuntu docker container

From d8f8569afe24a62ddd6cf1da996d6304cf9b7c34 Mon Sep 17 00:00:00 2001
From: Conor Schaefer <conor@freedom.press>
Date: Tue, 23 Jan 2018 17:01:22 -0800
Subject: [PATCH 24/51] Implements max_fail_percentage in all playbooks

The primary concern is for the "securedrop-prod.yml" playbook, which is
what Admins use to configure a production SecureDrop instance. In that
playbook, any error encountered during provisioning should cause an
immediate failure, aborting execution and reporting an error message for
review.

If the max_fail_percentage is *not* set to 0, debugging errors becomes
challenging, often involving lots of scrollback to piece together what
specifically went wrong.

In order to provide a sane strategy for testing adherence to this
requirement, we'll test all playbooks (defined as "YAML file in
ansible-base directory, and not the old prod-specific.yml vars file")
and ensure the option is set on each and every play. That's a bit
aggressive, but the tests are extremely fast, and will likely pay off
as we bring new contributors into the project who may not be familiar
with this rather esoteric Ansible option.

(cherry picked from commit 1421b404820901c3d76b0311d9033f1499d759df)
---
 install_files/ansible-base/build-deb-pkgs.yml         | 1 +
 install_files/ansible-base/securedrop-backup.yml      | 1 +
 install_files/ansible-base/securedrop-configure.yml   | 3 +++
 install_files/ansible-base/securedrop-development.yml | 1 +
 install_files/ansible-base/securedrop-logs.yml        | 1 +
 install_files/ansible-base/securedrop-prod.yml        | 6 ++++++
 install_files/ansible-base/securedrop-restore.yml     | 1 +
 install_files/ansible-base/securedrop-staging.yml     | 6 ++++++
 install_files/ansible-base/securedrop-tails.yml       | 1 +
 9 files changed, 21 insertions(+)

diff --git a/install_files/ansible-base/build-deb-pkgs.yml b/install_files/ansible-base/build-deb-pkgs.yml
index b3412061139..b16c843b9f9 100644
--- a/install_files/ansible-base/build-deb-pkgs.yml
+++ b/install_files/ansible-base/build-deb-pkgs.yml
@@ -1,6 +1,7 @@
 ---
 - name: Build SecureDrop application Debian package from local repository.
   hosts: build
+  max_fail_percentage: 0
   become: yes
   pre_tasks:
     - name: Ensure all packages are up to date.
diff --git a/install_files/ansible-base/securedrop-backup.yml b/install_files/ansible-base/securedrop-backup.yml
index 0ab7744f0dc..ff6ab13d2c6 100644
--- a/install_files/ansible-base/securedrop-backup.yml
+++ b/install_files/ansible-base/securedrop-backup.yml
@@ -1,6 +1,7 @@
 ---
 - name: Back up SecureDrop Application Server submissions.
   hosts: securedrop_application_server
+  max_fail_percentage: 0
   roles:
     - role: backup
       tags: backup
diff --git a/install_files/ansible-base/securedrop-configure.yml b/install_files/ansible-base/securedrop-configure.yml
index d9b09e446ce..23eb34cd9f8 100644
--- a/install_files/ansible-base/securedrop-configure.yml
+++ b/install_files/ansible-base/securedrop-configure.yml
@@ -3,6 +3,7 @@
   hosts: localhost
   connection: local
   gather_facts: no
+  max_fail_percentage: 0
   tasks:
     - debug:
         msg: >-
@@ -16,6 +17,7 @@
   hosts: localhost
   connection: local
   gather_facts: no
+  max_fail_percentage: 0
   vars_prompt:
     - name: ssh_users
       prompt: Username for SSH access to the servers
@@ -177,6 +179,7 @@
   hosts: localhost
   connection: local
   gather_facts: yes
+  max_fail_percentage: 0
   pre_tasks:
     # Use a first-found loop to avoid erroring out if the vars file doesn't
     # exist when the playbook is invoked, which is true on first run.
diff --git a/install_files/ansible-base/securedrop-development.yml b/install_files/ansible-base/securedrop-development.yml
index 40f7d260ef0..9a8a5fe0b24 100644
--- a/install_files/ansible-base/securedrop-development.yml
+++ b/install_files/ansible-base/securedrop-development.yml
@@ -1,6 +1,7 @@
 ---
 - name: Configure SecureDrop Development machine.
   hosts: development
+  max_fail_percentage: 0
   pre_tasks:
     # Ensure all upgrades are applied. Also updates the apt cache,
     # which will remain sufficiently fresh to prevent repeated cache updates
diff --git a/install_files/ansible-base/securedrop-logs.yml b/install_files/ansible-base/securedrop-logs.yml
index 09ef25d372a..215c3cbddc5 100644
--- a/install_files/ansible-base/securedrop-logs.yml
+++ b/install_files/ansible-base/securedrop-logs.yml
@@ -2,6 +2,7 @@
 - name: Gather logs for forensics from SecureDrop application server.
   hosts: securedrop
   become: yes
+  max_fail_percentage: 0
   vars:
     log_paths_reference:
       app:
diff --git a/install_files/ansible-base/securedrop-prod.yml b/install_files/ansible-base/securedrop-prod.yml
index 842876515f8..478f8a65e33 100755
--- a/install_files/ansible-base/securedrop-prod.yml
+++ b/install_files/ansible-base/securedrop-prod.yml
@@ -2,12 +2,14 @@
 ---
 - name: Ensure validation is run before prod install
   hosts: localhost
+  max_fail_percentage: 0
   connection: local
   roles:
     - { role: validate, tags: validate }
 
 - name: Add FPF apt repository and install base packages.
   hosts: securedrop
+  max_fail_percentage: 0
   roles:
     - { role: install-fpf-repo, tags: fpf }
     - { role: grsecurity, when: grsecurity, tags: [grsec, grsecurity] }
@@ -17,12 +19,14 @@
 
 - name: Configure SecureDrop Monitor Server.
   hosts: securedrop_monitor_server
+  max_fail_percentage: 0
   roles:
     - { role: ossec-server, tags: [ ossec, ossec_server ] }
   become: yes
 
 - name: Configure SecureDrop Application Server.
   hosts: securedrop_application_server
+  max_fail_percentage: 0
   roles:
     - { role: ossec-agent, tags: [ ossec, ossec_agent ] }
     - { role: app, tags: app }
@@ -36,12 +40,14 @@
   # connection. After that point the admin will to proxy traffic over tor.
 - name: Lock down firewall configuration for Application and Monitor Servers.
   hosts: securedrop
+  max_fail_percentage: 0
   roles:
     - { role: restrict-direct-access, tags: [ common, restrict-direct-access ] }
   become: yes
 
 - name: Reboot Application and Monitor Servers.
   hosts: securedrop
+  max_fail_percentage: 0
   vars:
     # Override the default behavior of waiting for the servers to come back.
     # Won't work on initial installs because the connection addresses change
diff --git a/install_files/ansible-base/securedrop-restore.yml b/install_files/ansible-base/securedrop-restore.yml
index acdedc71cb4..926951a6d62 100644
--- a/install_files/ansible-base/securedrop-restore.yml
+++ b/install_files/ansible-base/securedrop-restore.yml
@@ -1,6 +1,7 @@
 ---
 - name: Restore SecureDrop Application Server from previous config.
   hosts: securedrop_application_server
+  max_fail_percentage: 0
   roles:
     - role: restore
       tags: restore
diff --git a/install_files/ansible-base/securedrop-staging.yml b/install_files/ansible-base/securedrop-staging.yml
index af2b5847f49..8651b14dfbc 100755
--- a/install_files/ansible-base/securedrop-staging.yml
+++ b/install_files/ansible-base/securedrop-staging.yml
@@ -2,6 +2,7 @@
 ---
 - name: Scrape build directory
   hosts: localhost
+  max_fail_percentage: 0
   tasks:
     - name: Establish list of files in build/
       find:
@@ -20,6 +21,7 @@
 
 - name: Add FPF apt repository and install base packages.
   hosts: staging
+  max_fail_percentage: 0
   roles:
     - role: ci-tweaks
       when: amazon_builder
@@ -33,12 +35,14 @@
 
 - name: Configure OSSEC manager.
   hosts: mon-staging
+  max_fail_percentage: 0
   roles:
     - { role: ossec-server, tags: [ ossec, ossec_server ] }
   become: yes
 
 - name: Configure SecureDrop Application Server.
   hosts: app-staging
+  max_fail_percentage: 0
   roles:
     - { role: ossec-agent, tags: [ ossec, ossec_agent ] }
     - { role: app, tags: app }
@@ -50,12 +54,14 @@
   # and default false in production environments, in order to force SSH traffic over Tor.
 - name: Configure host firewalls (with direct access for staging).
   hosts: staging
+  max_fail_percentage: 0
   roles:
     - { role: restrict-direct-access, tags: [ common, restrict-direct-access ] }
   become: yes
 
 - name: Reboot Application and Monitor Servers.
   hosts: staging
+  max_fail_percentage: 0
   tasks:
     - include: tasks/reboot_if_first_install.yml
       when: not amazon_builder
diff --git a/install_files/ansible-base/securedrop-tails.yml b/install_files/ansible-base/securedrop-tails.yml
index e676af22f25..a473916264b 100755
--- a/install_files/ansible-base/securedrop-tails.yml
+++ b/install_files/ansible-base/securedrop-tails.yml
@@ -4,6 +4,7 @@
 # Workstations. Should be run after the servers have been installed.
 - name: Configure Tails workstation.
   hosts: localhost
+  max_fail_percentage: 0
   connection: local
   gather_facts: yes
   roles:

From ffd8596f44ce6e81a98c207b82ca2da66181c80e Mon Sep 17 00:00:00 2001
From: Conor Schaefer <conor@freedom.press>
Date: Tue, 23 Jan 2018 17:16:31 -0800
Subject: [PATCH 25/51] Removes unused "upgrade" playbook

Also removes associated "upgrade" role, which was designed for the
migration to SecureDrop 0.3, released on 2015-02-12. These files
have not been used since then, and so should be removed from the
repository.

As a side note, these files were first written, and last touched, by the
late James Dolan. RIP, James. I cannot express what a profound pleasure
it was to work with you. You are missed, dearly.

(cherry picked from commit 077002b43bfad7ef3e9fa326ee4af3ad8d4e05e7)
---
 .../roles/upgrade/files/0.3pre_upgrade.py     | 197 ------------------
 .../roles/upgrade/handlers/main.yml           |   4 -
 .../roles/upgrade/tasks/0-3pre-upgrade.yml    |  58 ------
 .../ansible-base/roles/upgrade/tasks/main.yml |   3 -
 install_files/ansible-base/upgrade.yml        |  16 --
 5 files changed, 278 deletions(-)
 delete mode 100755 install_files/ansible-base/roles/upgrade/files/0.3pre_upgrade.py
 delete mode 100644 install_files/ansible-base/roles/upgrade/handlers/main.yml
 delete mode 100644 install_files/ansible-base/roles/upgrade/tasks/0-3pre-upgrade.yml
 delete mode 100644 install_files/ansible-base/roles/upgrade/tasks/main.yml
 delete mode 100644 install_files/ansible-base/upgrade.yml

diff --git a/install_files/ansible-base/roles/upgrade/files/0.3pre_upgrade.py b/install_files/ansible-base/roles/upgrade/files/0.3pre_upgrade.py
deleted file mode 100755
index 796853d0aa3..00000000000
--- a/install_files/ansible-base/roles/upgrade/files/0.3pre_upgrade.py
+++ /dev/null
@@ -1,197 +0,0 @@
-#!/usr/bin/python2.7
-
-from datetime import datetime
-import os
-import shutil
-import sqlite3
-import subprocess
-import sys
-import tarfile
-import traceback
-
-
-def backup_app():
-    tar_fn = 'backup-app-{}.tar.bz2'.format(datetime.now().strftime("%Y-%m-%d--%H-%M-%S"))
-    with tarfile.open(tar_fn, 'w:bz2') as t:
-        t.add('/var/lib/securedrop/')
-        t.add('/var/lib/tor/services/')
-        t.add('/var/www/securedrop/config.py')
-        try:
-            t.add('/var/www/securedrop/static/i/logo.png')
-        except OSError:
-            print "[!] Expected but non-essential file ('logo.png') not found. Continuing..."
-    print "**  Backed up system to {} before migrating.".format(tar_fn)
-
-
-def backup_mon():
-    # The only thing we have to back up for the monitor server is the SSH ATHS cert.
-    # All other required values are available in prod-specific.yml from the installation.
-    tar_fn = 'backup-mon-{}.tar.bz2'.format(datetime.now().strftime("%Y-%m-%d--%H-%M-%S"))
-    with tarfile.open(tar_fn, 'w:bz2') as t:
-        t.add('/var/lib/tor/services/')
-    print "**  Backed up system to {} before migrating.".format(tar_fn)
-
-
-def secure_unlink(path):
-    subprocess.check_call(['srm', '-r', path])
-
-
-def cleanup_deleted_sources(store_dir, c):
-    """
-    In 0.3pre and 0.3, there were two bugs that could potentially lead
-    to the source directory failing to be deleted when a source was
-    deleted from the Journalist Interface. We clean up these leftover
-    directories as part of the migration.
-
-    These sources can be identified because they have a source_dir in
-    the store_dir, but no corresponding Source entry in the database.
-
-    See https://github.com/freedomofpress/securedrop/pull/944 for context.
-    """
-    for source_dir in os.listdir(store_dir):
-        try:
-            source = c.execute("SELECT * FROM sources WHERE filesystem_id=?",
-                (source_dir,)).fetchone()
-            if not source:
-                print "Deleting source with no db entry ('{}')...".format(source_dir)
-                secure_unlink(os.path.join(store_dir, source_dir))
-        except Exception as e:
-            print "\n!!  Error occurred cleaning up deleted sources for source {}".format(source_dir)
-            print "Source had {} submissions".format(len(os.listdir(os.path.join(store_dir, source_dir))))
-            print traceback.format_exc()
-
-
-def get_db_connection():
-    db_path = "/var/lib/securedrop/db.sqlite"
-    assert os.path.isfile(db_path)
-    conn = sqlite3.connect(db_path)
-    return conn, conn.cursor()
-
-
-def migrate_app_db():
-    store_dir = "/var/lib/securedrop/store"
-    conn, c = get_db_connection()
-
-    # Before modifying the database, clean up any source directories that were
-    # left on the filesystem after the sources were deleted.
-    cleanup_deleted_sources(store_dir, c)
-
-    # To get CREATE TABLE from SQLAlchemy:
-    # >>> import db
-    # >>> from sqlalchemy.schema import CreateTable
-    # >>> print CreateTable(db.Journalist.__table__).compile(db.engine)
-    # Or, add `echo=True` to the engine constructor.
-    # CREATE TABLE replies
-    c.execute("""
-CREATE TABLE replies (
-	id INTEGER NOT NULL,
-	journalist_id INTEGER,
-	source_id INTEGER,
-	filename VARCHAR(255) NOT NULL,
-	size INTEGER NOT NULL,
-	PRIMARY KEY (id),
-	FOREIGN KEY(journalist_id) REFERENCES journalists (id),
-	FOREIGN KEY(source_id) REFERENCES sources (id)
-)""")
-
-    # Fill in replies from the replies in STORE_DIR at the time of the migration
-    #
-    # Caveats:
-    #
-    # 1. Before we added the `replies` table, we did not keep track of which
-    # journalist wrote the reply. There is no way for us to reverse-engineer
-    # that information, so the migration will default to saying they were all
-    # created by the first journalist (arbitrarily). Since we do not surface
-    # this in the UI yet anyway, it should not be a big deal.
-    #
-    # 2. We do not try to get the order of the (autoincrementing primary key)
-    # reply_id to match the order in which the replies were created (which could
-    # be inferred from the file timestamps, since we only normalize submission
-    # timestamps and not reply timestamps) since this order is not used anywhere
-    # in the code.
-
-    # Copy from db.py to compute filesystem-safe journalist filenames
-    def journalist_filename(s):
-        valid_chars = 'abcdefghijklmnopqrstuvwxyz1234567890-_'
-        return ''.join([c for c in s.lower().replace(' ', '_') if c in valid_chars])
-
-    reply_id = 1
-    for source_dir in os.listdir(store_dir):
-        try:
-            source_id, journalist_designation = c.execute(
-                "SELECT id, journalist_designation FROM sources WHERE filesystem_id=?",
-                (source_dir,)).fetchone()
-        except sqlite3.Error as e:
-            print "!!\tError occurred migrating replies for source {}".format(source_dir)
-            print traceback.format_exc()
-            continue
-
-        for filename in os.listdir(os.path.join(store_dir, source_dir)):
-            if "-reply.gpg" not in filename:
-                continue
-
-            # Rename the reply file from 0.3pre convention to 0.3 convention
-            interaction_count = filename.split('-')[0]
-            new_filename = "{}-{}-reply.gpg".format(interaction_count,
-                journalist_filename(journalist_designation))
-            os.rename(os.path.join(store_dir, source_dir, filename),
-                      os.path.join(store_dir, source_dir, new_filename))
-
-            # need id, journalist_id, source_id, filename, size
-            journalist_id = 1 # *shrug*
-            full_path = os.path.join(store_dir, source_dir, new_filename)
-            size = os.stat(full_path).st_size
-            c.execute("INSERT INTO replies VALUES (?,?,?,?,?)",
-                      (reply_id, journalist_id, source_id, new_filename, size))
-            reply_id += 1 # autoincrement for next reply
-
-    # CREATE TABLE journalist_login_attempts
-    c.execute("""
-CREATE TABLE journalist_login_attempt (
-	id INTEGER NOT NULL,
-	timestamp DATETIME,
-	journalist_id INTEGER,
-	PRIMARY KEY (id),
-	FOREIGN KEY(journalist_id) REFERENCES journalists (id)
-)""")
-
-    # ALTER TABLE journalists, add last_token column
-    c.execute("""ALTER TABLE journalists ADD COLUMN last_token VARCHAR(6)""")
-
-    # Save changes and close connection
-    conn.commit()
-    conn.close()
-
-
-def app_db_migrated():
-    """To make the upgrade role idempotent, we need to skip migrating the
-    database if it has already been modified. The best way to do this
-    is to check whether the last sql command in `migrate_app_db`
-    (ALTER TABLE to add the last_token column to the journalists
-    table) succeeded. If so, we can assume the database app migration
-    succeeded and can safely skip doing it again.
-
-    """
-    conn, c = get_db_connection()
-    journalist_tables = c.execute('PRAGMA table_info(journalists)').fetchall()
-    table_names = set([table[1] for table in journalist_tables])
-    return 'last_token' in table_names
-
-
-def main():
-    if len(sys.argv) <= 1:
-        print "Usage: 0.3pre_upgrade.py app|mon"
-        sys.exit(1)
-
-    server_role = sys.argv[1]
-    assert server_role in ("app", "mon")
-
-    if server_role == "app":
-        backup_app()
-        if not app_db_migrated():
-            migrate_app_db()
-    else:
-        backup_mon()
-
-if __name__ == "__main__":
-    main()
diff --git a/install_files/ansible-base/roles/upgrade/handlers/main.yml b/install_files/ansible-base/roles/upgrade/handlers/main.yml
deleted file mode 100644
index 5016cd08a10..00000000000
--- a/install_files/ansible-base/roles/upgrade/handlers/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-- name: reload tor for port change
-  service: name=tor state=reloaded
-  become: yes
diff --git a/install_files/ansible-base/roles/upgrade/tasks/0-3pre-upgrade.yml b/install_files/ansible-base/roles/upgrade/tasks/0-3pre-upgrade.yml
deleted file mode 100644
index b1e1d94fa04..00000000000
--- a/install_files/ansible-base/roles/upgrade/tasks/0-3pre-upgrade.yml
+++ /dev/null
@@ -1,58 +0,0 @@
----
-# This role will upgrade 0.3pre instances to 0.3 instances.
-# It will copy and run the upgrade.py script on the app and monitor servers.
-- name: stop the apache service prior to upgrade tasks
-  service: name=apache2 state=stopped
-  when: server_role == 'app'
-  become: yes
-
-- name: copy upgrade script to servers
-  copy: src="0.3pre_upgrade.py" dest="/tmp" owner="root" mode="740"
-  become: yes
-
-- name: run the upgrade script
-  shell: "/tmp/0.3pre_upgrade.py {{ server_role }}"
-  become: yes
-
-- name: remove old 0.3 packages to avoid version error
-  apt: name={{ item }} state=absent
-  with_items:
-    - securedrop-app-code
-    - securedrop-grsec
-    - securedrop-ossec-agent
-    - securedrop-ossec-server
-  become: yes
-
-- name: remove the previous signing key
-  apt_key: id=BD67D096 state=absent
-  become: yes
-
-  # This will update the App servers torrc config file for changing the
-  # journalist interface tor port from 8080 to 80. As of this release the prod
-  # playbook restarts tor if the torrc config changes. This will break ansible
-  # playbook runs that are over tor. Issue #940 will track modifying the prod
-  # playbook to ensure that this isn't an issue going forward.
-  #
-  # This does not change the ATHS onion address or secret value only the port
-  # for the interface will change.
-  #
-  # This will only replace/add the line when the old HiddenServicePort config
-  # for port 8080 exists. This will not modify the torrc on the monitor server
-  # which only has a HiddenServicePort 22 config.
-- name: change the journalist interface ATHS virtual port to lisen on port 80
-  lineinfile:
-    dest: /etc/tor/torrc
-    regexp: '^HiddenServicePort 8080 127\.0\.0\.1\:8080'
-    backrefs: yes
-    line: 'HiddenServicePort 80 127.0.0.1:8080'
-  notify: reload tor for port change
-  become: yes
-
-  # If the config changed, reload tor now instead of after all the remaining
-  # upgrade tasks are run so the next task can verify
-  # that the service is running.
-- meta: flush_handlers
-
-- name: ensure tor is running
-  service: name=tor state=running
-  become: yes
diff --git a/install_files/ansible-base/roles/upgrade/tasks/main.yml b/install_files/ansible-base/roles/upgrade/tasks/main.yml
deleted file mode 100644
index 072cd440a83..00000000000
--- a/install_files/ansible-base/roles/upgrade/tasks/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-- include: 0-3pre-upgrade.yml
-  tags: 0-3pre-upgrade
diff --git a/install_files/ansible-base/upgrade.yml b/install_files/ansible-base/upgrade.yml
deleted file mode 100644
index 71a6e94c1a6..00000000000
--- a/install_files/ansible-base/upgrade.yml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-- hosts: [ 'app-staging', 'app' ]
-
-  vars:
-    server_role: app
-
-  roles:
-    - upgrade
-
-- hosts: [ 'mon-staging', 'mon' ]
-
-  vars:
-    server_role: mon
-
-  roles:
-    - upgrade

From 7e0b4756df8d583949d0d91792f5b8f492e1b325 Mon Sep 17 00:00:00 2001
From: Conor Schaefer <conor@freedom.press>
Date: Wed, 24 Jan 2018 09:18:27 -0800
Subject: [PATCH 26/51] Adds test for any_errors_fatal Ansible option

Based on feedback from @trishnaguha, we've determined we need
`any_errors_fatal=yes` in addition to `max_fail_percentage` to ensure
fast fail behavior from Ansible. Tests have been updated, will modify
playbooks subsequently.

(cherry picked from commit a04fe03a80933749fff812e9c535c4b3db010793)
---
 .../tests/test_max_fail_percentage.py         | 25 ++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/molecule/ansible-config/tests/test_max_fail_percentage.py b/molecule/ansible-config/tests/test_max_fail_percentage.py
index 417a073dcaa..6b57a43589e 100644
--- a/molecule/ansible-config/tests/test_max_fail_percentage.py
+++ b/molecule/ansible-config/tests/test_max_fail_percentage.py
@@ -40,9 +40,11 @@ def find_ansible_playbooks():
 def test_max_fail_percentage(host, playbook):
     """
     All SecureDrop playbooks should set `max_fail_percentage` to "0"
-    on each and every play. Doing so ensures that if an error is encountered
-    on one host, Ansible immediately exits, rather than continuing to configure
-    the other, as-yet-unfailed host.
+    on each and every play. Doing so ensures that an error on a single
+    host constitutes a play failure.
+
+    In conjunction with the `any_errors_fatal` option, tested separately,
+    this will achieve a "fail fast" behavior from Ansible.
 
     There's no ansible.cfg option to set for max_fail_percentage, which would
     allow for a single DRY update that would apply automatically to all
@@ -59,3 +61,20 @@ def test_max_fail_percentage(host, playbook):
         for play in playbook_yaml:
             assert 'max_fail_percentage' in play
             assert play['max_fail_percentage'] == 0
+
+
+@pytest.mark.parametrize('playbook', find_ansible_playbooks())
+def test_max_fail_percentage(host, playbook):
+    """
+    All SecureDrop playbooks should set `any_errors_fatal` to "yes"
+    on each and every play. In conjunction with `max_fail_percentage` set
+    to "0", doing so ensures that any errors will cause an immediate failure
+    on the playbook.
+    """
+    with open(playbook, 'r') as f:
+        playbook_yaml = yaml.safe_load(f)
+        # Descend into playbook list structure to validate play attributes.
+        for play in playbook_yaml:
+            assert 'any_errors_fatal' in play
+            # Ansible coerces booleans, so bare assert is sufficient
+            assert play['any_errors_fatal']

From 116230d14270642d7d6a390e2cace402d30e18a4 Mon Sep 17 00:00:00 2001
From: Conor Schaefer <conor@freedom.press>
Date: Wed, 24 Jan 2018 10:53:42 -0800
Subject: [PATCH 27/51] Implements any_errors_fatal in all playbooks

We also want `any_errors_fatal=yes` on all playbooks in the repository; simply
using `max_fail_percentage` is insufficient. Tests have already been updated
to track this change, and manual testing confirms the "fail fast" behavior
desired for minimizing Admin frustration.

(cherry picked from commit 60358b503882d58a1c77e2bee6c62b72bc8bf264)
---
 install_files/ansible-base/build-deb-pkgs.yml         | 1 +
 install_files/ansible-base/securedrop-backup.yml      | 1 +
 install_files/ansible-base/securedrop-configure.yml   | 3 +++
 install_files/ansible-base/securedrop-development.yml | 1 +
 install_files/ansible-base/securedrop-logs.yml        | 1 +
 install_files/ansible-base/securedrop-prod.yml        | 6 ++++++
 install_files/ansible-base/securedrop-restore.yml     | 1 +
 install_files/ansible-base/securedrop-staging.yml     | 6 ++++++
 install_files/ansible-base/securedrop-tails.yml       | 1 +
 9 files changed, 21 insertions(+)

diff --git a/install_files/ansible-base/build-deb-pkgs.yml b/install_files/ansible-base/build-deb-pkgs.yml
index b16c843b9f9..308e74ebf8a 100644
--- a/install_files/ansible-base/build-deb-pkgs.yml
+++ b/install_files/ansible-base/build-deb-pkgs.yml
@@ -2,6 +2,7 @@
 - name: Build SecureDrop application Debian package from local repository.
   hosts: build
   max_fail_percentage: 0
+  any_errors_fatal: yes
   become: yes
   pre_tasks:
     - name: Ensure all packages are up to date.
diff --git a/install_files/ansible-base/securedrop-backup.yml b/install_files/ansible-base/securedrop-backup.yml
index ff6ab13d2c6..e778cb9b814 100644
--- a/install_files/ansible-base/securedrop-backup.yml
+++ b/install_files/ansible-base/securedrop-backup.yml
@@ -2,6 +2,7 @@
 - name: Back up SecureDrop Application Server submissions.
   hosts: securedrop_application_server
   max_fail_percentage: 0
+  any_errors_fatal: yes
   roles:
     - role: backup
       tags: backup
diff --git a/install_files/ansible-base/securedrop-configure.yml b/install_files/ansible-base/securedrop-configure.yml
index 23eb34cd9f8..13062daed5d 100644
--- a/install_files/ansible-base/securedrop-configure.yml
+++ b/install_files/ansible-base/securedrop-configure.yml
@@ -4,6 +4,7 @@
   connection: local
   gather_facts: no
   max_fail_percentage: 0
+  any_errors_fatal: yes
   tasks:
     - debug:
         msg: >-
@@ -18,6 +19,7 @@
   connection: local
   gather_facts: no
   max_fail_percentage: 0
+  any_errors_fatal: yes
   vars_prompt:
     - name: ssh_users
       prompt: Username for SSH access to the servers
@@ -180,6 +182,7 @@
   connection: local
   gather_facts: yes
   max_fail_percentage: 0
+  any_errors_fatal: yes
   pre_tasks:
     # Use a first-found loop to avoid erroring out if the vars file doesn't
     # exist when the playbook is invoked, which is true on first run.
diff --git a/install_files/ansible-base/securedrop-development.yml b/install_files/ansible-base/securedrop-development.yml
index 9a8a5fe0b24..189f5153994 100644
--- a/install_files/ansible-base/securedrop-development.yml
+++ b/install_files/ansible-base/securedrop-development.yml
@@ -2,6 +2,7 @@
 - name: Configure SecureDrop Development machine.
   hosts: development
   max_fail_percentage: 0
+  any_errors_fatal: yes
   pre_tasks:
     # Ensure all upgrades are applied. Also updates the apt cache,
     # which will remain sufficiently fresh to prevent repeated cache updates
diff --git a/install_files/ansible-base/securedrop-logs.yml b/install_files/ansible-base/securedrop-logs.yml
index 215c3cbddc5..ebad8f29f87 100644
--- a/install_files/ansible-base/securedrop-logs.yml
+++ b/install_files/ansible-base/securedrop-logs.yml
@@ -3,6 +3,7 @@
   hosts: securedrop
   become: yes
   max_fail_percentage: 0
+  any_errors_fatal: yes
   vars:
     log_paths_reference:
       app:
diff --git a/install_files/ansible-base/securedrop-prod.yml b/install_files/ansible-base/securedrop-prod.yml
index 478f8a65e33..f3f8b0047d0 100755
--- a/install_files/ansible-base/securedrop-prod.yml
+++ b/install_files/ansible-base/securedrop-prod.yml
@@ -3,6 +3,7 @@
 - name: Ensure validation is run before prod install
   hosts: localhost
   max_fail_percentage: 0
+  any_errors_fatal: yes
   connection: local
   roles:
     - { role: validate, tags: validate }
@@ -10,6 +11,7 @@
 - name: Add FPF apt repository and install base packages.
   hosts: securedrop
   max_fail_percentage: 0
+  any_errors_fatal: yes
   roles:
     - { role: install-fpf-repo, tags: fpf }
     - { role: grsecurity, when: grsecurity, tags: [grsec, grsecurity] }
@@ -20,6 +22,7 @@
 - name: Configure SecureDrop Monitor Server.
   hosts: securedrop_monitor_server
   max_fail_percentage: 0
+  any_errors_fatal: yes
   roles:
     - { role: ossec-server, tags: [ ossec, ossec_server ] }
   become: yes
@@ -27,6 +30,7 @@
 - name: Configure SecureDrop Application Server.
   hosts: securedrop_application_server
   max_fail_percentage: 0
+  any_errors_fatal: yes
   roles:
     - { role: ossec-agent, tags: [ ossec, ossec_agent ] }
     - { role: app, tags: app }
@@ -41,6 +45,7 @@
 - name: Lock down firewall configuration for Application and Monitor Servers.
   hosts: securedrop
   max_fail_percentage: 0
+  any_errors_fatal: yes
   roles:
     - { role: restrict-direct-access, tags: [ common, restrict-direct-access ] }
   become: yes
@@ -48,6 +53,7 @@
 - name: Reboot Application and Monitor Servers.
   hosts: securedrop
   max_fail_percentage: 0
+  any_errors_fatal: yes
   vars:
     # Override the default behavior of waiting for the servers to come back.
     # Won't work on initial installs because the connection addresses change
diff --git a/install_files/ansible-base/securedrop-restore.yml b/install_files/ansible-base/securedrop-restore.yml
index 926951a6d62..879ab1a3bb0 100644
--- a/install_files/ansible-base/securedrop-restore.yml
+++ b/install_files/ansible-base/securedrop-restore.yml
@@ -2,6 +2,7 @@
 - name: Restore SecureDrop Application Server from previous config.
   hosts: securedrop_application_server
   max_fail_percentage: 0
+  any_errors_fatal: yes
   roles:
     - role: restore
       tags: restore
diff --git a/install_files/ansible-base/securedrop-staging.yml b/install_files/ansible-base/securedrop-staging.yml
index 8651b14dfbc..8876963efb6 100755
--- a/install_files/ansible-base/securedrop-staging.yml
+++ b/install_files/ansible-base/securedrop-staging.yml
@@ -3,6 +3,7 @@
 - name: Scrape build directory
   hosts: localhost
   max_fail_percentage: 0
+  any_errors_fatal: yes
   tasks:
     - name: Establish list of files in build/
       find:
@@ -22,6 +23,7 @@
 - name: Add FPF apt repository and install base packages.
   hosts: staging
   max_fail_percentage: 0
+  any_errors_fatal: yes
   roles:
     - role: ci-tweaks
       when: amazon_builder
@@ -36,6 +38,7 @@
 - name: Configure OSSEC manager.
   hosts: mon-staging
   max_fail_percentage: 0
+  any_errors_fatal: yes
   roles:
     - { role: ossec-server, tags: [ ossec, ossec_server ] }
   become: yes
@@ -43,6 +46,7 @@
 - name: Configure SecureDrop Application Server.
   hosts: app-staging
   max_fail_percentage: 0
+  any_errors_fatal: yes
   roles:
     - { role: ossec-agent, tags: [ ossec, ossec_agent ] }
     - { role: app, tags: app }
@@ -55,6 +59,7 @@
 - name: Configure host firewalls (with direct access for staging).
   hosts: staging
   max_fail_percentage: 0
+  any_errors_fatal: yes
   roles:
     - { role: restrict-direct-access, tags: [ common, restrict-direct-access ] }
   become: yes
@@ -62,6 +67,7 @@
 - name: Reboot Application and Monitor Servers.
   hosts: staging
   max_fail_percentage: 0
+  any_errors_fatal: yes
   tasks:
     - include: tasks/reboot_if_first_install.yml
       when: not amazon_builder
diff --git a/install_files/ansible-base/securedrop-tails.yml b/install_files/ansible-base/securedrop-tails.yml
index a473916264b..6aeeb11fc31 100755
--- a/install_files/ansible-base/securedrop-tails.yml
+++ b/install_files/ansible-base/securedrop-tails.yml
@@ -5,6 +5,7 @@
 - name: Configure Tails workstation.
   hosts: localhost
   max_fail_percentage: 0
+  any_errors_fatal: yes
   connection: local
   gather_facts: yes
   roles:

From 314a773779527712fdb55f6b9ae035ecbe709eda Mon Sep 17 00:00:00 2001
From: Mickael E <mickael@freedom.press>
Date: Thu, 25 Jan 2018 14:06:02 -0500
Subject: [PATCH 28/51] Closes #2927, do not fail CI on vulnerable package :(.
 This change is TEMPORARY until Ansible in
 `securedrop/requirements/ansible.in` is upgraded to 2.4

(cherry picked from commit 8d7345b444b9853fae99e775a652920bb1401ec4)
---
 .circleci/config.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 1f73c255f5b..104b6061fd0 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -102,7 +102,7 @@ jobs:
 
       - run:
           name: Check Python dependencies for CVEs
-          command: make safety
+          command: make safety || true # Revert when Ansible 2.4 is used
 
       - setup_remote_docker
 

From b800faa78a5e0f8f7cf135331c0f314ae80b97a6 Mon Sep 17 00:00:00 2001
From: Michael Sheinberg <mike@freedom.press>
Date: Wed, 17 Jan 2018 11:05:57 -0500
Subject: [PATCH 29/51] Remove regular staging-test in bid to keep complexity
 down

This is a hot fix to reduce the number of AWS calls we are making per CI
run. Specfically, we have started seeing issues with rate-limiting
against the `CreateKeyPair` that need to be mitigated. Really a longer
term goal is to rethink how/when we want to run the staging full VM
tests in CI. Shorter term we can also analyze how we create SSH keys -
maybe we take the same key and shove it in circleci?

(cherry picked from commit 5ecddcf294f997b1d641f714a8606f0f674b38d7)
---
 .circleci/config.yml | 51 --------------------------------------------
 1 file changed, 51 deletions(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 1f73c255f5b..2a7f128e367 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -77,54 +77,6 @@ jobs:
       - store_artifacts:
           path: ~/test-results
 
-  staging-test:
-    docker:
-      - image: quay.io/freedomofpress/circleci-docker:latest
-        environment:
-          FPF_CI: true
-          CI_SD_ENV: staging
-          CI_AWS_TYPE: t2.medium
-          FPF_GRSEC: false
-          TEST_REPORTS: /root/sd
-    working_directory: ~/sd
-
-    steps:
-
-      - checkout
-
-      - run:
-          name: Rebase on-top of latest develop
-          command: ./devops/scripts/rebase-develop.sh
-
-      - run:
-          name: Installation pre-reqs
-          command: pip install -U -r securedrop/requirements/develop-requirements.txt
-
-      - run:
-          name: Check Python dependencies for CVEs
-          command: make safety
-
-      - setup_remote_docker
-
-      - run:
-          name: Run Debian builds
-          command: make build-debs
-
-      - run:
-          name: Provision staging servers and run tests
-          command: make ci-go
-
-      - run:
-          name: Ensure environment torn down
-          command: molecule destroy -s aws
-          when: on_fail
-
-      - store_test_results:
-          path: /root/sd/junit
-
-      - store_artifacts:
-          path: /root/sd/junit
-
   staging-test-with-rebase:
     docker:
       - image: quay.io/freedomofpress/circleci-docker:latest
@@ -175,9 +127,6 @@ workflows:
     jobs:
       - lint
       - tests
-      - staging-test:
-          requires:
-            - lint
       - staging-test-with-rebase:
           requires:
             - lint

From 99a05b398b796773cf1355a8f6374f9622ea0fb8 Mon Sep 17 00:00:00 2001
From: Michael Sheinberg <mike@freedom.press>
Date: Wed, 17 Jan 2018 12:32:03 -0500
Subject: [PATCH 30/51] CI - Do not skip ec2 tear-down if keypair rm dies

(cherry picked from commit c36000e052abd774f756abadbc76902ca445a758)
---
 molecule/aws/destroy.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/molecule/aws/destroy.yml b/molecule/aws/destroy.yml
index d5d18a48352..7dd1cc40b9b 100644
--- a/molecule/aws/destroy.yml
+++ b/molecule/aws/destroy.yml
@@ -18,6 +18,9 @@
         name: "sdci-{{ job_id }}"
         state: absent
         region: "{{ aws_ec2_ci_region }}"
+      # If the tear-down fails with the in-ability to remove a key, lets not
+      # fail the actual tear-down process!!
+      ignore_errors: true
 
     - name: Destroy molecule EC2 instance(s)
       ec2:

From 07d99bbabdefbb34d200b9a30c28380ff888a49b Mon Sep 17 00:00:00 2001
From: Michael Sheinberg <mike@freedom.press>
Date: Wed, 17 Jan 2018 13:45:30 -0500
Subject: [PATCH 31/51] REVERTME -- Temporary testing region in branch

(cherry picked from commit e958e2165e1262839bcf0ae1217847a1f0851601)
---
 .circleci/config.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 2a7f128e367..2483877aca0 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -84,6 +84,7 @@ jobs:
           FPF_CI: true
           CI_SD_ENV: staging
           CI_AWS_TYPE: t2.medium
+          CI_AWS_REGION: us-west-2
           FPF_GRSEC: false
           TEST_REPORTS: /root/sd
     working_directory: ~/sd

From 4227c99cb02ce31a16b9924c1f29d57036c86e5f Mon Sep 17 00:00:00 2001
From: redshiftzero <jen@freedom.press>
Date: Wed, 17 Jan 2018 11:18:50 -0800
Subject: [PATCH 32/51] Use Xenial to install gettext 0.19.*

The gettext 0.19.* has a lot of useful features compared to gettext 0.18.*,
including support for .desktop files. Previously we used Zesty to install
gettext 0.19.*, but it is now EOL. Instead, we can install Xenial to install
a modern gettext.

(cherry picked from commit 985146e245d37b613e13d94843ef2abb58864b3d)

Conflicts:
	securedrop/Dockerfile

Resolved by favoring syntax used on master - simply replaced 'zesty' with 'xenial'
---
 .../ansible-base/roles/app-test/tasks/modern_gettext.yml | 9 ++++-----
 securedrop/Dockerfile                                    | 4 ++--
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/install_files/ansible-base/roles/app-test/tasks/modern_gettext.yml b/install_files/ansible-base/roles/app-test/tasks/modern_gettext.yml
index 0b2b7e83774..6cbb3383375 100644
--- a/install_files/ansible-base/roles/app-test/tasks/modern_gettext.yml
+++ b/install_files/ansible-base/roles/app-test/tasks/modern_gettext.yml
@@ -3,9 +3,9 @@
 # This can be removed when VM against which this is run are more
 # recent than trusty
 #
-- name: Add gettext zesty apt repository
+- name: Add gettext xenial apt repository
   apt_repository:
-    repo: deb http://archive.ubuntu.com/ubuntu/ zesty main
+    repo: deb http://archive.ubuntu.com/ubuntu/ xenial main
     state: present
     update_cache: yes
   tags:
@@ -18,11 +18,10 @@
   tags:
     - apt
 
-- name: Remove gettext zesty apt repository
+- name: Remove gettext xenial apt repository
   apt_repository:
-    repo: deb http://archive.ubuntu.com/ubuntu/ zesty main
+    repo: deb http://archive.ubuntu.com/ubuntu/ xenial main
     state: absent
     update_cache: yes
   tags:
     - apt
-
diff --git a/securedrop/Dockerfile b/securedrop/Dockerfile
index d579da5ebf9..909b40342fa 100644
--- a/securedrop/Dockerfile
+++ b/securedrop/Dockerfile
@@ -23,10 +23,10 @@ RUN curl -LO https://launchpad.net/~ubuntu-mozilla-security/+archive/ubuntu/ppa/
 #
 # This can be removed when upgrading to something more recent than trusty
 #
-RUN echo deb http://archive.ubuntu.com/ubuntu/ zesty main > /etc/apt/sources.list.d/zesty.list
+RUN echo deb http://archive.ubuntu.com/ubuntu/ xenial main > /etc/apt/sources.list.d/xenial.list
 RUN apt-get update
 RUN apt-get install -y gettext
-RUN rm /etc/apt/sources.list.d/zesty.list
+RUN rm /etc/apt/sources.list.d/xenial.list
 RUN apt-get update
 
 COPY requirements requirements

From 55dfaa5da5b2f9078f05bfb631588480ccef5e80 Mon Sep 17 00:00:00 2001
From: redshiftzero <jen@freedom.press>
Date: Thu, 4 Jan 2018 15:35:14 -0800
Subject: [PATCH 33/51] Remove Travis CI and run pages-layout tests on Circle
 CI

(cherry picked from commit bd485939c869fc845e5971795656a6fba122c943)
---
 .travis.yml                       | 54 -------------------------------
 molecule/aws/scripts/app-tests.sh |  6 +++-
 2 files changed, 5 insertions(+), 55 deletions(-)
 delete mode 100644 .travis.yml

diff --git a/.travis.yml b/.travis.yml
deleted file mode 100644
index bad341d0792..00000000000
--- a/.travis.yml
+++ /dev/null
@@ -1,54 +0,0 @@
----
-# Use Ubuntu 14.04 LTS images, and explicitly require sudo.
-# Relevant docs: https://docs.travis-ci.com/user/trusty-ci-environment/
-sudo: required
-dist: trusty
-# Pin older version of Firefox, for Selenium compatibility. Must match version
-# specified in app-test role vars!
-addons:
-  firefox: 46.0.1
-
-# Setting language=generic to prevent Travis from setting up a virtualenv.
-# Using a virtualenv conflicts with the global pip installation currently
-# used for configuring SecureDrop, both in development and staging.
-language: generic
-
-before_install:
-  - 'for e in /.packer-env/*; do echo -n "${e}: "; cat "${e}"; done'
-  # Removes Travis-specific PATH customizations that affect Python.
-  - export PATH="$(echo $PATH | tr ':' "\n" | sed '/\/opt\/python/d' | tr "\n" ":" | sed "s|::|:|g")"
-  - printenv | sort # dump Travis environment for debugging
-  - pip freeze -l
-install:
-  # Installing Python dependencies globally, to match SecureDrop deployment.
-  - sudo -H pip install -r securedrop/requirements/develop-requirements.txt
-  # Run linting early, to fail fast.
-  - make --keep-going lint
-  # Using YAML folding operator '>' to aid in readability and avoid
-  # extremely long lines.
-  - >
-      printf
-      "[development]\nlocalhost ansible_connection=local\n[travis]\nlocalhost"
-      > inventory
-  - >
-      ansible-playbook -i inventory -vv --syntax-check
-      install_files/ansible-base/securedrop-development.yml
-  - >
-      ansible-playbook -i inventory -vv --connection=local
-      install_files/ansible-base/securedrop-development.yml
-script:
-  # For some reason, redis-server does not start automatically when installed
-  # on Travis. I believe Travis' service machinery may be interfering. See
-  # http://docs.travis-ci.com/user/database-setup/#Redis
-  - sudo service redis-server start
-  # The `cd securedrop` is necessary for coverage support. Remove it below
-  # once #2246 is resolved.
-  # --pages-layout are created for selected languages only because they
-  # are time consuming.
-  # * en_US: source strings
-  # * fr_FR: left-to-right translations
-  - sh -c "export DISPLAY=:1 ; cd securedrop && PAGE_LAYOUT_LOCALES='en_US,fr_FR' pytest -v tests --page-layout"
-  - pip freeze -l
-  - SECUREDROP_TESTINFRA_TARGET_HOST=travis testinfra -v testinfra/development/
-after_success:
-  cd securedrop/
diff --git a/molecule/aws/scripts/app-tests.sh b/molecule/aws/scripts/app-tests.sh
index 3485ded9e6f..f56548a8583 100644
--- a/molecule/aws/scripts/app-tests.sh
+++ b/molecule/aws/scripts/app-tests.sh
@@ -6,4 +6,8 @@ export DISPLAY=:1
 
 cd "$1" || exit 1
 
-pytest --junit-xml=/tmp/apptest.xml --junit-prefix=apptest tests/
+# --pages-layout are created for selected languages only because they
+# are time consuming.
+# * en_US: source strings
+# * fr_FR: left-to-right translations
+PAGE_LAYOUT_LOCALES='en_US,fr_FR' pytest --pages-layout --junit-xml=/tmp/apptest.xml --junit-prefix=apptest tests/

From 71305939071f61a6a53a3ed6ca644f82410ec823 Mon Sep 17 00:00:00 2001
From: redshiftzero <jen@freedom.press>
Date: Thu, 4 Jan 2018 16:17:09 -0800
Subject: [PATCH 34/51] Docs: Remove Travis CI from developer documentation.

(cherry picked from commit 27eeb61f4b7c09f5311f26e6ed8564c06edb61d9)
---
 docs/development/contributor_guidelines.rst   |  6 +++---
 .../testing_continuous_integration.rst        | 21 +++++--------------
 2 files changed, 8 insertions(+), 19 deletions(-)

diff --git a/docs/development/contributor_guidelines.rst b/docs/development/contributor_guidelines.rst
index 63a8dc87eb1..a0ee5357ed6 100644
--- a/docs/development/contributor_guidelines.rst
+++ b/docs/development/contributor_guidelines.rst
@@ -21,7 +21,7 @@ requests to ``develop``.
 Automated Testing
 -----------------
 
-When a pull request is submitted, we have Travis CI automatically run the
+When a pull request is submitted, we have Circle CI automatically run the
 SecureDrop test suites, which consist of:
 
   #. Unit tests of the Python SecureDrop application code.
@@ -126,8 +126,8 @@ such as the right to push new branches or to merge pull
 requests. There is no formal process at the moment but the general
 idea is that any contributor with the right technical and social
 skills is entitled to ask. The people who have the power to grant such
-privileges are commited to do so in a transparent way to avoid any
-dispute.
+privileges are committed to do so in a transparent way to avoid any
+disputes.
 
 Other Tips
 ----------
diff --git a/docs/development/testing_continuous_integration.rst b/docs/development/testing_continuous_integration.rst
index b143a56fc79..914ed273b54 100644
--- a/docs/development/testing_continuous_integration.rst
+++ b/docs/development/testing_continuous_integration.rst
@@ -3,23 +3,10 @@
 Testing: CI
 ===========
 
-The SecureDrop project uses multiple automated third-party solutions
-for running automated test suites on code changes:
+The SecureDrop project uses CircleCI_ for running automated test suites on code changes:
 
-  * Travis_
-  * CircleCI_
-
-.. _Travis: https://travis-ci.org/freedomofpress/securedrop/
 .. _CircleCI: http://circleci.com/gh/freedomofpress/securedrop/
 
-Travis tests
-------------
-
-The Travis_ test suite provisions the development VM and runs the application
-test suite against the latest version of the code. It also performs basic
-linting and validation, e.g. checking for mistakes in the Sphinx documentation
-(see :doc:`documentation_guidelines`).
-
 CI test layout
 --------------
 
@@ -29,10 +16,9 @@ The relevant files for configuring the CI tests are: ::
     ├── devops
     │   ├── inventory <-- environment specific inventory
     │   ├── playbooks <-- playbooks to start CI boxes
-    │   ├── scripts   <-- shell wrapper scripts 
+    │   ├── scripts   <-- shell wrapper scripts
     │   ├── templates <-- contains templates for ansible tasks
     │   └── vars <-- environment specific variables
-    ├── .travis.yml  <--- config for development tests on travis
     └── Makefile  <-- defines make task shortcuts
 
 The files under ``devops/`` are used to create a minimized staging environment
@@ -46,6 +32,9 @@ The staging environment tests will run automatically in CircleCI,
 when changes are submitted by Freedom of the Press Foundation staff
 (i.e. members of the ``freedomofpress`` GitHub organization).
 
+It also performs basic linting and validation, e.g. checking for mistakes in
+the Sphinx documentation.
+
 .. tip:: You will need an Amazon Web Services EC2 account to proceed.
          See the `AWS Getting Started Guide`_ for detailed instructions.
 

From b8587362257efd492d9193f8d1b5a55cc8af1bc8 Mon Sep 17 00:00:00 2001
From: Michael Sheinberg <m.sheiny@gmail.com>
Date: Fri, 5 Jan 2018 17:16:24 -0500
Subject: [PATCH 35/51] CI - Break-out test XML cleanup/merge from script

Currently the cleanup and merging (combining app and testinfra results)
of junit files is attached to the testinfra runner script. This is
problematic because if the testinfra process dies unexpectedly, we wont
have any results from the app tests as well.

(cherry picked from commit 323d93278b63eb39ddc47dac3018ac978eb58b5e)
---
 molecule/aws/scripts/ci-tester.sh |  6 ------
 molecule/aws/side_effect.yml      | 31 +++++++++++++++++++++++++++++++
 2 files changed, 31 insertions(+), 6 deletions(-)

diff --git a/molecule/aws/scripts/ci-tester.sh b/molecule/aws/scripts/ci-tester.sh
index b961102c626..0808956dfc1 100755
--- a/molecule/aws/scripts/ci-tester.sh
+++ b/molecule/aws/scripts/ci-tester.sh
@@ -14,10 +14,4 @@ if [ "$?" == "0" ]; then
     esac
 fi
 
-# Remove any existing result files
-rm -r "./junit" || true
-mkdir "./junit" || true
-
-./testinfra/combine-junit.py ./*results.xml > "./junit/junit.xml"
-
 if [ "${TEST_FAIL}" == "true" ]; then exit 1; fi
diff --git a/molecule/aws/side_effect.yml b/molecule/aws/side_effect.yml
index e00e8c56760..6f94500f657 100755
--- a/molecule/aws/side_effect.yml
+++ b/molecule/aws/side_effect.yml
@@ -10,6 +10,30 @@
     - include: reboot_and_wait.yml
       when: "false"
 
+- name: Setup junit env first
+  hosts: localhost
+  gather_facts: false
+  become: no
+  tasks:
+    - name: Ensure test folder(s) exists
+      file:
+        state: directory
+        path: "../../{{ item }}"
+      with_items:
+        - junit
+
+    - name: Dig out existing junit test results
+      find:
+        paths: "{{ (playbook_dir+'/../../junit')|realpath }}"
+        patterns: "*.xml"
+      register: find_junit_results
+
+    - name: Ensure existing junit files are purged
+      file:
+        state: absent
+        path: "{{ item.path }}"
+      with_items: "{{ find_junit_results.files }}"
+
 - name: Run application test suite in CI.
   hosts: "app-{{ ci_env }}"
   become: yes
@@ -44,6 +68,13 @@
       ignore_errors: true
       no_log: true
 
+    - name: Combine tests for export
+      shell: ./testinfra/combine-junit.py ./*results.xml > ./junit/junit.xml
+      args:
+        chdir: ../../
+      delegate_to: localhost
+      become: no
+
     - fail:
       when: app_test_register|failed or testinfra_results|failed
   vars:

From 652b2742584ad2cdc313423dca3b505af3edcab6 Mon Sep 17 00:00:00 2001
From: Michael Sheinberg <m.sheiny@gmail.com>
Date: Fri, 5 Jan 2018 17:18:25 -0500
Subject: [PATCH 36/51] Dump raw application and testinfra output in CI

Ensure developers are able to access raw test runner results for
debugging.

(cherry picked from commit d50519f238cf7bdff18ecfa0ee83b2b0cb2e319b)
---
 .circleci/config.yml         |  3 +++
 .gitignore                   |  1 +
 molecule/aws/side_effect.yml | 14 ++++++++++++++
 3 files changed, 18 insertions(+)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 2483877aca0..bc7cb49c809 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -122,6 +122,9 @@ jobs:
       - store_artifacts:
           path: /root/sd/junit
 
+      - store_artifacts:
+          path: /root/sd/raw-test-output
+
 workflows:
   version: 2
   securedrop_ci:
diff --git a/.gitignore b/.gitignore
index 1fb6e04eed5..acad13f80d9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -130,6 +130,7 @@ securedrop/static/.webassets-cache
 
 # Skip over CI junit files
 junit/
+raw-test-output/
 *results.xml
 
 # Virtualenv on tails
diff --git a/molecule/aws/side_effect.yml b/molecule/aws/side_effect.yml
index 6f94500f657..4fae7dd03fe 100755
--- a/molecule/aws/side_effect.yml
+++ b/molecule/aws/side_effect.yml
@@ -21,6 +21,7 @@
         path: "../../{{ item }}"
       with_items:
         - junit
+        - raw-test-output
 
     - name: Dig out existing junit test results
       find:
@@ -68,6 +69,19 @@
       ignore_errors: true
       no_log: true
 
+    - name: Dump raw test output
+      copy:
+        dest: "../../raw-test-output/{{item.type}}_tests.raw"
+        content: "{{ item.result }}"
+      with_items:
+        - type: app
+          result: "{{ app_test_register }}"
+        - type: testinfra
+          result: "{{ testinfra_results }}"
+      become: no
+      no_log: true
+      delegate_to: localhost
+
     - name: Combine tests for export
       shell: ./testinfra/combine-junit.py ./*results.xml > ./junit/junit.xml
       args:

From 54cdbb166198757560ce9bac02b19ef58d55f573 Mon Sep 17 00:00:00 2001
From: Michael Sheinberg <m.sheiny@gmail.com>
Date: Fri, 5 Jan 2018 18:36:05 -0500
Subject: [PATCH 37/51] CI - Add app/testinfra results into combinedf junit

In english, this should make it much simpler for a developer to get
status in CircleCI when either the testinfra or application tests fail
at an execution level. Previously this data was hard to parse and/or
required manually reading thru an artifact.

Fixes #2800

(cherry picked from commit 39f2d827beb1a6b48b5c842eee2a0fbaebcc7040)
---
 molecule/aws/side_effect.yml        | 25 ++++++++++++++++++++-----
 molecule/aws/templates/junit.xml.j2 |  8 ++++++++
 2 files changed, 28 insertions(+), 5 deletions(-)
 create mode 100644 molecule/aws/templates/junit.xml.j2

diff --git a/molecule/aws/side_effect.yml b/molecule/aws/side_effect.yml
index 4fae7dd03fe..240771101a2 100755
--- a/molecule/aws/side_effect.yml
+++ b/molecule/aws/side_effect.yml
@@ -69,15 +69,30 @@
       ignore_errors: true
       no_log: true
 
+    - name: Establish list of raw test results
+      set_fact:
+        raw_test_results:
+          - type: app
+            file: scripts/app-tests.sh
+            result: "{{ app_test_register }}"
+          - type: testinfra
+            file: scripts/ci-tester.sh
+            result: "{{ testinfra_results }}"
+
     - name: Dump raw test output
       copy:
         dest: "../../raw-test-output/{{item.type}}_tests.raw"
         content: "{{ item.result }}"
-      with_items:
-        - type: app
-          result: "{{ app_test_register }}"
-        - type: testinfra
-          result: "{{ testinfra_results }}"
+      with_items: "{{ raw_test_results }}"
+      no_log: true
+      become: no
+      delegate_to: localhost
+
+    - name: Dump results into junit files
+      template:
+        src: junit.xml.j2
+        dest: "../../{{ item.type }}-results.xml"
+      with_items: "{{ raw_test_results }}"
       become: no
       no_log: true
       delegate_to: localhost
diff --git a/molecule/aws/templates/junit.xml.j2 b/molecule/aws/templates/junit.xml.j2
new file mode 100644
index 00000000000..448b2a83da4
--- /dev/null
+++ b/molecule/aws/templates/junit.xml.j2
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8"?>
+<testsuite errors="0" failures="{% if item.result|failed %}1{% else %}0{% endif %}" name="ansible" tests="1" time="0">
+<testcase classname="high-level-test-runner-result" file="{{ item.file }}" name="{{ item.type }}" time="0">
+<system-out>{{ item.result.stdout|striptags }}</system-out>
+<system-err>{{ item.result.stderr|striptags }}</system-err>
+{% if item.result|failed %}<failure message="{{ item.type }} runner failed during execution phase"></failure>{% endif %}
+</testcase>
+</testsuite>

From bdf075d331f3e2c5c9eed9c83e23c03a5fcf7948 Mon Sep 17 00:00:00 2001
From: Michael Sheinberg <m.sheiny@gmail.com>
Date: Fri, 5 Jan 2018 19:48:57 -0500
Subject: [PATCH 38/51] CI - also dump raw artifacts in test-with-rebase

forgot about this scenario in my previous commit :|

(cherry picked from commit 5e17d181502cd0c7dacb3a3b872548be59d9e6b6)
---
 .circleci/config.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index bc7cb49c809..06e4df7c39d 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -84,7 +84,6 @@ jobs:
           FPF_CI: true
           CI_SD_ENV: staging
           CI_AWS_TYPE: t2.medium
-          CI_AWS_REGION: us-west-2
           FPF_GRSEC: false
           TEST_REPORTS: /root/sd
     working_directory: ~/sd

From d2e1ed491bd983b5c98a81e7d6654fcd12196661 Mon Sep 17 00:00:00 2001
From: Michael Sheinberg <m.sheiny@gmail.com>
Date: Fri, 5 Jan 2018 19:49:11 -0500
Subject: [PATCH 39/51] CI - Potential fix for Circle to parse errors

I suspect that circleci wants an <error> tag instead of a <failure> one
to properly register a test as failing in the UI. We shall see.

(cherry picked from commit f7ee43f33b350b4ba672aa3ae4e2d067fe820195)
---
 molecule/aws/templates/junit.xml.j2 | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/molecule/aws/templates/junit.xml.j2 b/molecule/aws/templates/junit.xml.j2
index 448b2a83da4..ac1442ccebf 100644
--- a/molecule/aws/templates/junit.xml.j2
+++ b/molecule/aws/templates/junit.xml.j2
@@ -1,8 +1,8 @@
 <?xml version="1.0" encoding="utf-8"?>
-<testsuite errors="0" failures="{% if item.result|failed %}1{% else %}0{% endif %}" name="ansible" tests="1" time="0">
-<testcase classname="high-level-test-runner-result" file="{{ item.file }}" name="{{ item.type }}" time="0">
+<testsuite failures="0" errors="{% if item.result|failed %}1{% else %}0{% endif %}" name="ansible" tests="1" time="0">
+<testcase classname="high-level-test-runner-result" file="{{ item.file }}" line="1" name="{{ item.type }}" time="0">
 <system-out>{{ item.result.stdout|striptags }}</system-out>
 <system-err>{{ item.result.stderr|striptags }}</system-err>
-{% if item.result|failed %}<failure message="{{ item.type }} runner failed during execution phase"></failure>{% endif %}
+{% if item.result|failed %}<error message="{{ item.type }} runner failed during execution phase">{{ item.result.stderr|striptags }}</error>{% endif %}
 </testcase>
 </testsuite>

From a5272d0ab80cf6d4b49cefeb3c05d56c4b0bd9c6 Mon Sep 17 00:00:00 2001
From: redshiftzero <jen@freedom.press>
Date: Mon, 8 Jan 2018 11:20:43 -0800
Subject: [PATCH 40/51] Fix syntax on application tests pytest command

(cherry picked from commit 3e3e41701db1f5ff6d61f61b70de5fc7dd0a3950)
---
 molecule/aws/scripts/app-tests.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/molecule/aws/scripts/app-tests.sh b/molecule/aws/scripts/app-tests.sh
index f56548a8583..eb18021e8b7 100644
--- a/molecule/aws/scripts/app-tests.sh
+++ b/molecule/aws/scripts/app-tests.sh
@@ -6,8 +6,8 @@ export DISPLAY=:1
 
 cd "$1" || exit 1
 
-# --pages-layout are created for selected languages only because they
+# --page-layout are created for selected languages only because they
 # are time consuming.
 # * en_US: source strings
 # * fr_FR: left-to-right translations
-PAGE_LAYOUT_LOCALES='en_US,fr_FR' pytest --pages-layout --junit-xml=/tmp/apptest.xml --junit-prefix=apptest tests/
+PAGE_LAYOUT_LOCALES='en_US,fr_FR' pytest --page-layout --junit-xml=/tmp/apptest.xml --junit-prefix=apptest tests/

From afa4a291d1c104b132eb4b9b1f1687c4527a0512 Mon Sep 17 00:00:00 2001
From: Michael Sheinberg <mike@freedom.press>
Date: Wed, 17 Jan 2018 13:52:45 -0500
Subject: [PATCH 41/51] CI - Temporarily skip junit for test script calls

This is failing on the parsing script in CI. Needs to be investigated
and tweaked further before re-introduction.

(cherry picked from commit 565b20b94b373933d47c211e0931b2ac0a025777)
---
 molecule/aws/side_effect.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/molecule/aws/side_effect.yml b/molecule/aws/side_effect.yml
index 240771101a2..bd5c3683e36 100755
--- a/molecule/aws/side_effect.yml
+++ b/molecule/aws/side_effect.yml
@@ -94,6 +94,10 @@
         dest: "../../{{ item.type }}-results.xml"
       with_items: "{{ raw_test_results }}"
       become: no
+      # THIS NEEDS TO BE SKIPPED FOR THE TIME BEING.
+      # CAUSING PARSING FAILURES ON TEST COMBINE
+      # See pull/2796
+      when: false
       no_log: true
       delegate_to: localhost
 

From c4114d56e337c10e1804b1d4815c81eea08b4073 Mon Sep 17 00:00:00 2001
From: Michael Sheinberg <m.sheiny@gmail.com>
Date: Wed, 17 Jan 2018 15:49:20 -0500
Subject: [PATCH 42/51] Merge pull request #2886 from
 freedomofpress/use-xenial-gettext

Use Xenial to install gettext 0.19.*

(cherry picked from commit cd608b87c39b25f998196d907218cda417dfaeb5)

Conflicts:
	securedrop/Dockerfile

Favored master in conflict resolution

From 03ecd34472636df2564faba89d170271e9e8e787 Mon Sep 17 00:00:00 2001
From: Conor Schaefer <conor@freedom.press>
Date: Thu, 25 Jan 2018 15:56:33 -0800
Subject: [PATCH 43/51] Fixes broken ansible-config tests

The tests weren't flake8 compliant, which CI did not catch. There were
two separate tests identically named, so one got clobbered and
effectively we weren't testing both required attributes.

The test file now *does* pass flake8, which I confirmed via manual
invocation against it. Opened a separate issue, #2933, to track
improving CI to avoid this problem in the future.

(cherry picked from commit 69668db6ec78093591cb688c955cbcbe5a2bdeaf)
---
 molecule/ansible-config/tests/test_max_fail_percentage.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/molecule/ansible-config/tests/test_max_fail_percentage.py b/molecule/ansible-config/tests/test_max_fail_percentage.py
index 6b57a43589e..95a625a52bc 100644
--- a/molecule/ansible-config/tests/test_max_fail_percentage.py
+++ b/molecule/ansible-config/tests/test_max_fail_percentage.py
@@ -64,7 +64,7 @@ def test_max_fail_percentage(host, playbook):
 
 
 @pytest.mark.parametrize('playbook', find_ansible_playbooks())
-def test_max_fail_percentage(host, playbook):
+def test_any_errors_fatal(host, playbook):
     """
     All SecureDrop playbooks should set `any_errors_fatal` to "yes"
     on each and every play. In conjunction with `max_fail_percentage` set

From ac500524737151178e64cfba4755fc0cbc25fc55 Mon Sep 17 00:00:00 2001
From: Conor Schaefer <conor@freedom.press>
Date: Thu, 25 Jan 2018 15:59:41 -0800
Subject: [PATCH 44/51] Reimplements Ansible fail-fast playbook options

Two options are required to ensure fail-fast behavior from Ansible:

  * max_fail_percentage=0
  * any_errors_fatal=yes

See #2885 for details. During merge of #2922, due to closely related
changes to playbook "play" blocks in #2748, the options were removed as
they landed in the "develop" branch. Here they are re-added, and the
`make ansible-config-lint` target is happy again.

(cherry picked from commit 91dbc081f0ff9bdf35d9a7c8c2840009d564d7ff)
---
 install_files/ansible-base/securedrop-prod.yml    | 2 ++
 install_files/ansible-base/securedrop-staging.yml | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/install_files/ansible-base/securedrop-prod.yml b/install_files/ansible-base/securedrop-prod.yml
index abdb68f5f01..a8f3fefc169 100755
--- a/install_files/ansible-base/securedrop-prod.yml
+++ b/install_files/ansible-base/securedrop-prod.yml
@@ -21,6 +21,8 @@
 
 - name: Configure OSSEC.
   hosts: securedrop
+  max_fail_percentage: 0
+  any_errors_fatal: yes
   roles:
     - role: ossec
       tags: ossec
diff --git a/install_files/ansible-base/securedrop-staging.yml b/install_files/ansible-base/securedrop-staging.yml
index f5c251d2b95..8e4464423f0 100755
--- a/install_files/ansible-base/securedrop-staging.yml
+++ b/install_files/ansible-base/securedrop-staging.yml
@@ -37,6 +37,8 @@
 
 - name: Configure OSSEC.
   hosts: staging
+  max_fail_percentage: 0
+  any_errors_fatal: yes
   roles:
     - role: ossec
       tags: ossec

From f898877f7d4e5fef664fa489b8f1407543ab571a Mon Sep 17 00:00:00 2001
From: redshiftzero <jen@freedom.press>
Date: Mon, 29 Jan 2018 18:56:46 +0000
Subject: [PATCH 45/51] SecureDrop 0.5.2~rc1

---
 changelog.md                                           | 10 ++++++++++
 docs/conf.py                                           |  4 ++--
 docs/set_up_admin_tails.rst                            |  4 ++--
 install_files/ansible-base/group_vars/all/securedrop   |  2 +-
 install_files/securedrop-app-code/DEBIAN/control       |  2 +-
 .../usr/share/doc/securedrop-app-code/changelog.Debian |  6 ++++++
 install_files/securedrop-config/DEBIAN/control         |  2 +-
 install_files/securedrop-keyring/DEBIAN/control        |  2 +-
 install_files/securedrop-ossec-agent/DEBIAN/control    |  2 +-
 install_files/securedrop-ossec-server/DEBIAN/control   |  2 +-
 molecule/builder/tests/vars.yml                        |  2 +-
 securedrop/version.py                                  |  2 +-
 12 files changed, 28 insertions(+), 12 deletions(-)

diff --git a/changelog.md b/changelog.md
index f306dcfe537..5817aca4686 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,5 +1,15 @@
 # Changelog
 
+## 0.5.2~rc1
+
+* Replace PyCrypto (#2903).
+* Use `max_fail_percentage` to force immediate Ansible exits in playbook runs (#2922).
+* Bugfix: Dynamically allocate firewall during OSSEC registration (#2748).
+* Bugfix: Add all languages to sdconfig prompt (#2935).
+
+The issues for this release were tracked in the 0.5.2 milestone on Github:
+https://github.com/freedomofpress/securedrop/milestone/41
+
 ## 0.5.1
 
 ### Web Applications
diff --git a/docs/conf.py b/docs/conf.py
index 74d8e3f535b..de6b2dea5c3 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -59,9 +59,9 @@
 # built documents.
 #
 # The short X.Y version.
-version = '0.5.1'
+version = '0.5.2~rc1'
 # The full version, including alpha/beta/rc tags.
-release = '0.5.1'
+release = '0.5.2~rc1'
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.
diff --git a/docs/set_up_admin_tails.rst b/docs/set_up_admin_tails.rst
index 2312584cd2c..5ccdc35079c 100644
--- a/docs/set_up_admin_tails.rst
+++ b/docs/set_up_admin_tails.rst
@@ -107,8 +107,8 @@ key:
 .. code:: sh
 
     cd ~/Persistent/securedrop/
-    git checkout 0.5.1
-    git tag -v 0.5.1
+    git checkout 0.5.2~rc1
+    git tag -v 0.5.2~rc1
 
 You should see ``Good signature from "SecureDrop Release Signing Key"`` in the
 output of that last command.
diff --git a/install_files/ansible-base/group_vars/all/securedrop b/install_files/ansible-base/group_vars/all/securedrop
index d8f5a30d96b..86931803971 100644
--- a/install_files/ansible-base/group_vars/all/securedrop
+++ b/install_files/ansible-base/group_vars/all/securedrop
@@ -2,7 +2,7 @@
 # Variables that apply to both the app and monitor server go in this file
 # If the monitor or app server need different values define the variable in
 # hosts_vars/app.yml or host_vars/mon.yml host_vars/development.yml
-securedrop_app_code_version: "0.5.1"
+securedrop_app_code_version: "0.5.2~rc1"
 
 grsecurity: true
 install_local_packages: false
diff --git a/install_files/securedrop-app-code/DEBIAN/control b/install_files/securedrop-app-code/DEBIAN/control
index f6619f8ab31..9aded335ec8 100644
--- a/install_files/securedrop-app-code/DEBIAN/control
+++ b/install_files/securedrop-app-code/DEBIAN/control
@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: SecureDrop Team <securedrop@freedom.press>
 Homepage: https://securedrop.org
 Package: securedrop-app-code
-Version: 0.5.1
+Version: 0.5.2~rc1
 Architecture: amd64
 Depends: python-pip,apparmor-utils,gnupg2,haveged,python,python-pip,secure-delete,sqlite,apache2-mpm-worker,libapache2-mod-wsgi,libapache2-mod-xsendfile,redis-server,supervisor,securedrop-keyring,securedrop-config
 Description: Packages the SecureDrop application code pip dependencies and apparmor profiles. This package will put the apparmor profiles in enforce mode. This package does use pip to install the pip wheelhouse
diff --git a/install_files/securedrop-app-code/usr/share/doc/securedrop-app-code/changelog.Debian b/install_files/securedrop-app-code/usr/share/doc/securedrop-app-code/changelog.Debian
index 5a49af6abff..2048af8a464 100644
--- a/install_files/securedrop-app-code/usr/share/doc/securedrop-app-code/changelog.Debian
+++ b/install_files/securedrop-app-code/usr/share/doc/securedrop-app-code/changelog.Debian
@@ -1,3 +1,9 @@
+securedrop-app-code (0.5.2~rc1) trusty; urgency=medium
+
+  * See changelog.md
+
+ -- SecureDrop Team <securedrop@freedom.press>  Mon, 29 Jan 2018 18:56:38 +0000
+
 securedrop-app-code (0.5.1) trusty; urgency=medium
 
   * See changelog.md
diff --git a/install_files/securedrop-config/DEBIAN/control b/install_files/securedrop-config/DEBIAN/control
index 384cd708e9f..9adbd86ad64 100644
--- a/install_files/securedrop-config/DEBIAN/control
+++ b/install_files/securedrop-config/DEBIAN/control
@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: SecureDrop Team <securedrop@freedom.press>
 Homepage: https://securedrop.org
 Package: securedrop-config
-Version: 0.1.0+0.5.1
+Version: 0.1.0+0.5.2~rc1
 Architecture: all
 Description: Establishes baseline system state for running SecureDrop.
  Configures apt repositories.
diff --git a/install_files/securedrop-keyring/DEBIAN/control b/install_files/securedrop-keyring/DEBIAN/control
index e44e3d3224c..bf0d88ee49f 100644
--- a/install_files/securedrop-keyring/DEBIAN/control
+++ b/install_files/securedrop-keyring/DEBIAN/control
@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: SecureDrop Team <securedrop@freedom.press>
 Homepage: https://securedrop.org
 Package: securedrop-keyring
-Version: 0.1.1+0.5.1
+Version: 0.1.1+0.5.2~rc1
 Architecture: amd64
 Depends: gnupg
 Description: Provides an apt keyring for SecureDrop-related packages, so the master signing key used for SecureDrop packages can be updated via apt.
diff --git a/install_files/securedrop-ossec-agent/DEBIAN/control b/install_files/securedrop-ossec-agent/DEBIAN/control
index 3594cccec26..ccfa252002c 100644
--- a/install_files/securedrop-ossec-agent/DEBIAN/control
+++ b/install_files/securedrop-ossec-agent/DEBIAN/control
@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: SecureDrop Team <securedrop@freedom.press>
 Homepage: https://securedrop.org
 Package: securedrop-ossec-agent
-Version: 2.8.2+0.5.1
+Version: 2.8.2+0.5.2~rc1
 Architecture: amd64
 Depends: ossec-agent,securedrop-keyring,securedrop-config
 Replaces: ossec-agent
diff --git a/install_files/securedrop-ossec-server/DEBIAN/control b/install_files/securedrop-ossec-server/DEBIAN/control
index 86e7338357b..a1fdbb3501c 100644
--- a/install_files/securedrop-ossec-server/DEBIAN/control
+++ b/install_files/securedrop-ossec-server/DEBIAN/control
@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: SecureDrop Team <securedrop@freedom.press>
 Homepage: https://securedrop.org
 Package: securedrop-ossec-server
-Version: 2.8.2+0.5.1
+Version: 2.8.2+0.5.2~rc1
 Architecture: amd64
 Depends: ossec-server,securedrop-keyring,securedrop-config
 Replaces: ossec-server
diff --git a/molecule/builder/tests/vars.yml b/molecule/builder/tests/vars.yml
index 850d13788cb..0476acc2137 100644
--- a/molecule/builder/tests/vars.yml
+++ b/molecule/builder/tests/vars.yml
@@ -1,5 +1,5 @@
 ---
-securedrop_version: "0.5.1"
+securedrop_version: "0.5.2~rc1"
 ossec_version: "2.8.2"
 keyring_version: "0.1.1"
 config_version: "0.1.0"
diff --git a/securedrop/version.py b/securedrop/version.py
index 93b60a1dcce..ead11ce08ac 100644
--- a/securedrop/version.py
+++ b/securedrop/version.py
@@ -1 +1 @@
-__version__ = '0.5.1'
+__version__ = '0.5.2~rc1'

From 732c8dad1f0d2e83d3a1bae109ada42f351701bb Mon Sep 17 00:00:00 2001
From: Michael Sheinberg <mike@freedom.press>
Date: Fri, 26 Jan 2018 16:06:34 -0500
Subject: [PATCH 46/51] CI - build for tor-apt-test in release branches

This is useful for the QA process during a run-up to a release.
---
 molecule/aws/securedrop_test.pub    | 30 +++++++++++++++++++++++++++++
 molecule/aws/side_effect.yml        |  8 ++++++++
 molecule/aws/tor_apt_test.yml       | 18 +++++++++++++++++
 testinfra/common/test_tor_mirror.py |  3 +++
 4 files changed, 59 insertions(+)
 create mode 100644 molecule/aws/securedrop_test.pub
 create mode 100644 molecule/aws/tor_apt_test.yml

diff --git a/molecule/aws/securedrop_test.pub b/molecule/aws/securedrop_test.pub
new file mode 100644
index 00000000000..2fa2b65fe84
--- /dev/null
+++ b/molecule/aws/securedrop_test.pub
@@ -0,0 +1,30 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBFhPGZsBCACzn00s3+i5HdGIldDGYXxY2HKL9Qhk0DhiRrNPaQemhNijuFlC
+geCeKN/smDAUyM5mfEoxmWy3V7n8SEQUpqI4dIS2AohReLkyKEKiIpTuXW7F9kO3
+vcXHgrTka+8B4ZQxDuTHNFJLmBwJnP24LrL6BzkDIUNeQFwM0EFTDOJlW1QV6qkm
+9WGizo2sR0VBJJabfRWrTWd8llYOVcc+LptErVNADPaX6iqb+QnZVJ/nYmCTgABj
+lD3aZ4EPZ+ioVOcOxbgBkAX76COObUUw/XahBGwj4fJ5kyzvDSBCHHlRzN39LKpM
+Y+HfSc1scAOWN+Dd0N/joIa0j0U4SGHo1NdzABEBAAG0MVNlY3VyZURyb3AgVEVT
+VElORyBrZXkgPHNlY3VyZWRyb3BAZnJlZWRvbS5wcmVzcz6JAU4EEwEIADgWIQRO
+15zDNi19EoNwRgJKO+SpIhGwPAUCWE8ZmwIbAwULCQgHAgYVCAkKCwIEFgIDAQIe
+AQIXgAAKCRBKO+SpIhGwPCb9B/9SuVoxbe3nLlU0bHDQtoq5P7adyTZK+5gKIiAo
+mtAkc/EuiF6jYIDLo+DBB1GBJVjyD5igTt14XR3JpMe6nLtztD5zgGk47gYQk3y5
+6f5ydd7zRo9OxulRYDvU1mXMUc0EmqfzuSxY55HJy5KQvjeKIU0fTvwbPYXdhFCC
+42iyBIkp4e4/C5oO4lNrNY2DJEZ+a8H5LHasJ4g9A78f/D5q0HWO1HutzfDeiMvq
+WFwlGMD2OzTEQA2MGlVRIYvLHAG1aV9fXY8kjCFT8ri5hxlQeTkKISfbW3pFSq6s
+Ow4r975zWLTPJNm+WTbBpfIOFBVAW34EHkcb/QmntlvqkNM+uQENBFhPGZsBCAC4
+VEtCQEuZ3WzCNL/0yQFih1EjT/AsS3j3++xvSOYWF+c7AjR9X0MkJFTnUZBHs6MX
+PM33bbkWbBBE2ILdDCEF72Uc5HyyC2lW2DvPY9ZLVSGcMCUsKARv5rbeNdgiLVP5
+8AMkmG48q0Pxrr6UVX14M34Jm5G91c/dj9zHtVwkLg4RG/rcumQdlpQhNmMycB2X
+lat48atmEkutfLEQizXIlgiCdNEpgfUBy/jZZcCOjwr8PUPmSUWjKOVMv6CSLx8K
+z2cP4We7tyq4qhc0cWjJOWOmJpu5tbmi6XEEWGaIJyN+POhHEcb0tI1rTJ88nrMb
+DI/NF/35kuWIIkADOb2vABEBAAGJATYEGAEIACAWIQRO15zDNi19EoNwRgJKO+Sp
+IhGwPAUCWE8ZmwIbDAAKCRBKO+SpIhGwPC3fB/0TfuScS718FiEcVRI3F2wBbzTQ
+VARhGzEvPSU5Z3Cur/EB8ihpWvwi39tUMeg5HTheDl/8A7f1QCjIFSVEr1slGNLh
+YFF07XGWhy837z6kiihK2z6/w6Q9QJqjE+QVZCKr97aIPejvEoHoslZTU5pJ52qF
+J7KQd1hEvVs00DxY6VlyK0FzXqByKYq6Arl2tzlCZ6RPEHKXV2xSP06jLEagzgYe
+DylVo9Xahenj4n/Mtq7Am6tGgU9Vy9cGbWNBdUND/mFQEEZSh9RJabPeluH12sir
+5/tfsDr4DGHSz7ws+5M6Zbk6oNJEwQZ4cR+81qCfXE5X5LW1KlAL8wDl7dfS
+=fYUi
+-----END PGP PUBLIC KEY BLOCK-----
\ No newline at end of file
diff --git a/molecule/aws/side_effect.yml b/molecule/aws/side_effect.yml
index bd5c3683e36..6c917dedad3 100755
--- a/molecule/aws/side_effect.yml
+++ b/molecule/aws/side_effect.yml
@@ -9,6 +9,14 @@
     # WHEN REINSTATING REBOOT
     - include: reboot_and_wait.yml
       when: "false"
+    - include: tor_apt_test.yml
+      when: (lookup('env','CIRCLE_BRANCH')|default('na')).startswith('release')
+  handlers:
+    - name: update tor
+      apt:
+        name: tor
+        state: latest
+        update_cache: yes
 
 - name: Setup junit env first
   hosts: localhost
diff --git a/molecule/aws/tor_apt_test.yml b/molecule/aws/tor_apt_test.yml
new file mode 100644
index 00000000000..03d9b06c492
--- /dev/null
+++ b/molecule/aws/tor_apt_test.yml
@@ -0,0 +1,18 @@
+---
+- name: Add apt SD test public key
+  apt_key:
+    data: "{{ lookup('file','securedrop_test.pub') }}"
+    state: present
+
+- name: Temporary fix for GH issue 2938
+  file:
+    state: absent
+    path: "/etc/apt/sources.list.d/tor_apt_freedom_press.list"
+
+- name: Switch apt repo URLs to staging.
+  replace:
+    dest: "/etc/apt/sources.list.d/tor.apt.freedom.press.list"
+    replace: "tor-apt-test.freedom.press"
+    regexp: '//tor-apt\.freedom\.press'
+  ignore_errors: "yes"
+  notify: update tor
diff --git a/testinfra/common/test_tor_mirror.py b/testinfra/common/test_tor_mirror.py
index 85c0c646e8b..498f1c4e130 100644
--- a/testinfra/common/test_tor_mirror.py
+++ b/testinfra/common/test_tor_mirror.py
@@ -1,6 +1,9 @@
+import os
 import pytest
 
 
+@pytest.mark.skipif(os.environ.get('CIRCLE_BRANCH', 'na').startswith('release'),
+                    reason="Release branches will use tor-apt-test repo")
 def test_tor_mirror_present(host):
     """
     Ensure the FPF mirror of the Tor apt repo, tor-apt.freedom.press,

From 61f8a097092c184b737ecad492cca52159cd6c9f Mon Sep 17 00:00:00 2001
From: Michael Sheinberg <mike@freedom.press>
Date: Fri, 26 Jan 2018 17:09:24 -0500
Subject: [PATCH 47/51] CI grab back tor_version string

Useful for debugging
---
 .circleci/config.yml          |  3 +++
 molecule/aws/tor_apt_test.yml | 17 +++++++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index c4760cdaf19..28c3e85fc07 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -124,6 +124,9 @@ jobs:
       - store_artifacts:
           path: /root/sd/raw-test-output
 
+      - store_artifacts:
+          path: ~/.tor_version
+
 workflows:
   version: 2
   securedrop_ci:
diff --git a/molecule/aws/tor_apt_test.yml b/molecule/aws/tor_apt_test.yml
index 03d9b06c492..4497fc6d489 100644
--- a/molecule/aws/tor_apt_test.yml
+++ b/molecule/aws/tor_apt_test.yml
@@ -16,3 +16,20 @@
     regexp: '//tor-apt\.freedom\.press'
   ignore_errors: "yes"
   notify: update tor
+
+- name: Force possible tor update
+  meta: flush_handlers
+
+- name: Extract latest tor version
+  shell: |
+    apt-cache policy tor | sed -e 's/^\s*Installed:\ \(\S*\)/\1/g;tx;d;:x'
+  changed_when: false
+  register: extract_tor_version
+
+- name: Dump Tor version to file (for reporting)
+  copy:
+    dest: "{{ playbook_dir }}/../../.tor_version"
+    content: "{{ extract_tor_version.stdout }}"
+  delegate_to: localhost
+  run_once: true
+  become: "no"

From 38fcffe9a3a3e267786939062cf0e513ec698101 Mon Sep 17 00:00:00 2001
From: Michael Sheinberg <mike@freedom.press>
Date: Fri, 26 Jan 2018 17:41:21 -0500
Subject: [PATCH 48/51] Address flake8 issues in testinfra skip logic

---
 testinfra/common/test_tor_mirror.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/testinfra/common/test_tor_mirror.py b/testinfra/common/test_tor_mirror.py
index 498f1c4e130..4d5b187a015 100644
--- a/testinfra/common/test_tor_mirror.py
+++ b/testinfra/common/test_tor_mirror.py
@@ -2,8 +2,9 @@
 import pytest
 
 
-@pytest.mark.skipif(os.environ.get('CIRCLE_BRANCH', 'na').startswith('release'),
-                    reason="Release branches will use tor-apt-test repo")
+@pytest.mark.skipif(
+        os.environ.get('CIRCLE_BRANCH', 'na').startswith('release'),
+        reason="Release branches will use tor-apt-test repo")
 def test_tor_mirror_present(host):
     """
     Ensure the FPF mirror of the Tor apt repo, tor-apt.freedom.press,

From 967f58f8118a750889e01d14b9b087539c3fcb96 Mon Sep 17 00:00:00 2001
From: Michael Sheinberg <mike@freedom.press>
Date: Tue, 30 Jan 2018 09:47:56 -0500
Subject: [PATCH 49/51] Add an apt safe-upgrade for tor apt testing

Not sure if this will solve an issue I'm seeing in CI :shrug:
---
 molecule/aws/tor_apt_test.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/molecule/aws/tor_apt_test.yml b/molecule/aws/tor_apt_test.yml
index 4497fc6d489..ad485cba469 100644
--- a/molecule/aws/tor_apt_test.yml
+++ b/molecule/aws/tor_apt_test.yml
@@ -20,6 +20,10 @@
 - name: Force possible tor update
   meta: flush_handlers
 
+- name: Squash testinfra failure for packages needing update
+  apt:
+    upgrade: safe
+
 - name: Extract latest tor version
   shell: |
     apt-cache policy tor | sed -e 's/^\s*Installed:\ \(\S*\)/\1/g;tx;d;:x'

From 1ddfba21e7e177cbd8a7206e6108918fb3d8c767 Mon Sep 17 00:00:00 2001
From: Michael Sheinberg <mike@freedom.press>
Date: Tue, 30 Jan 2018 09:57:54 -0500
Subject: [PATCH 50/51] Provide updated path for tor_version artifact

---
 .circleci/config.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 28c3e85fc07..9b192dc056e 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -125,7 +125,7 @@ jobs:
           path: /root/sd/raw-test-output
 
       - store_artifacts:
-          path: ~/.tor_version
+          path: /root/sd/.tor_version
 
 workflows:
   version: 2

From b2484519ad8b9fa127cb3ed95ae6c4fa08070d30 Mon Sep 17 00:00:00 2001
From: redshiftzero <jen@freedom.press>
Date: Thu, 1 Feb 2018 21:14:45 +0000
Subject: [PATCH 51/51] SecureDrop 0.5.2

---
 changelog.md                                                  | 2 +-
 docs/conf.py                                                  | 4 ++--
 docs/set_up_admin_tails.rst                                   | 4 ++--
 install_files/ansible-base/group_vars/all/securedrop          | 2 +-
 install_files/securedrop-app-code/DEBIAN/control              | 2 +-
 .../usr/share/doc/securedrop-app-code/changelog.Debian        | 4 ++--
 install_files/securedrop-config/DEBIAN/control                | 2 +-
 install_files/securedrop-keyring/DEBIAN/control               | 2 +-
 install_files/securedrop-ossec-agent/DEBIAN/control           | 2 +-
 install_files/securedrop-ossec-server/DEBIAN/control          | 2 +-
 molecule/builder/tests/vars.yml                               | 2 +-
 securedrop/version.py                                         | 2 +-
 12 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/changelog.md b/changelog.md
index 5817aca4686..0941cc2382b 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,6 +1,6 @@
 # Changelog
 
-## 0.5.2~rc1
+## 0.5.2
 
 * Replace PyCrypto (#2903).
 * Use `max_fail_percentage` to force immediate Ansible exits in playbook runs (#2922).
diff --git a/docs/conf.py b/docs/conf.py
index de6b2dea5c3..482cf625406 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -59,9 +59,9 @@
 # built documents.
 #
 # The short X.Y version.
-version = '0.5.2~rc1'
+version = '0.5.2'
 # The full version, including alpha/beta/rc tags.
-release = '0.5.2~rc1'
+release = '0.5.2'
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.
diff --git a/docs/set_up_admin_tails.rst b/docs/set_up_admin_tails.rst
index 5ccdc35079c..c5cddbd154f 100644
--- a/docs/set_up_admin_tails.rst
+++ b/docs/set_up_admin_tails.rst
@@ -107,8 +107,8 @@ key:
 .. code:: sh
 
     cd ~/Persistent/securedrop/
-    git checkout 0.5.2~rc1
-    git tag -v 0.5.2~rc1
+    git checkout 0.5.2
+    git tag -v 0.5.2
 
 You should see ``Good signature from "SecureDrop Release Signing Key"`` in the
 output of that last command.
diff --git a/install_files/ansible-base/group_vars/all/securedrop b/install_files/ansible-base/group_vars/all/securedrop
index 86931803971..f389f092d13 100644
--- a/install_files/ansible-base/group_vars/all/securedrop
+++ b/install_files/ansible-base/group_vars/all/securedrop
@@ -2,7 +2,7 @@
 # Variables that apply to both the app and monitor server go in this file
 # If the monitor or app server need different values define the variable in
 # hosts_vars/app.yml or host_vars/mon.yml host_vars/development.yml
-securedrop_app_code_version: "0.5.2~rc1"
+securedrop_app_code_version: "0.5.2"
 
 grsecurity: true
 install_local_packages: false
diff --git a/install_files/securedrop-app-code/DEBIAN/control b/install_files/securedrop-app-code/DEBIAN/control
index 9aded335ec8..574cb13b5ba 100644
--- a/install_files/securedrop-app-code/DEBIAN/control
+++ b/install_files/securedrop-app-code/DEBIAN/control
@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: SecureDrop Team <securedrop@freedom.press>
 Homepage: https://securedrop.org
 Package: securedrop-app-code
-Version: 0.5.2~rc1
+Version: 0.5.2
 Architecture: amd64
 Depends: python-pip,apparmor-utils,gnupg2,haveged,python,python-pip,secure-delete,sqlite,apache2-mpm-worker,libapache2-mod-wsgi,libapache2-mod-xsendfile,redis-server,supervisor,securedrop-keyring,securedrop-config
 Description: Packages the SecureDrop application code pip dependencies and apparmor profiles. This package will put the apparmor profiles in enforce mode. This package does use pip to install the pip wheelhouse
diff --git a/install_files/securedrop-app-code/usr/share/doc/securedrop-app-code/changelog.Debian b/install_files/securedrop-app-code/usr/share/doc/securedrop-app-code/changelog.Debian
index 2048af8a464..35cb55f592a 100644
--- a/install_files/securedrop-app-code/usr/share/doc/securedrop-app-code/changelog.Debian
+++ b/install_files/securedrop-app-code/usr/share/doc/securedrop-app-code/changelog.Debian
@@ -1,8 +1,8 @@
-securedrop-app-code (0.5.2~rc1) trusty; urgency=medium
+securedrop-app-code (0.5.2) trusty; urgency=medium
 
   * See changelog.md
 
- -- SecureDrop Team <securedrop@freedom.press>  Mon, 29 Jan 2018 18:56:38 +0000
+ -- SecureDrop Team <securedrop@freedom.press>  Thu, 01 Feb 2018 21:14:12 +0000
 
 securedrop-app-code (0.5.1) trusty; urgency=medium
 
diff --git a/install_files/securedrop-config/DEBIAN/control b/install_files/securedrop-config/DEBIAN/control
index 9adbd86ad64..327ef26df41 100644
--- a/install_files/securedrop-config/DEBIAN/control
+++ b/install_files/securedrop-config/DEBIAN/control
@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: SecureDrop Team <securedrop@freedom.press>
 Homepage: https://securedrop.org
 Package: securedrop-config
-Version: 0.1.0+0.5.2~rc1
+Version: 0.1.0+0.5.2
 Architecture: all
 Description: Establishes baseline system state for running SecureDrop.
  Configures apt repositories.
diff --git a/install_files/securedrop-keyring/DEBIAN/control b/install_files/securedrop-keyring/DEBIAN/control
index bf0d88ee49f..250a5b3a311 100644
--- a/install_files/securedrop-keyring/DEBIAN/control
+++ b/install_files/securedrop-keyring/DEBIAN/control
@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: SecureDrop Team <securedrop@freedom.press>
 Homepage: https://securedrop.org
 Package: securedrop-keyring
-Version: 0.1.1+0.5.2~rc1
+Version: 0.1.1+0.5.2
 Architecture: amd64
 Depends: gnupg
 Description: Provides an apt keyring for SecureDrop-related packages, so the master signing key used for SecureDrop packages can be updated via apt.
diff --git a/install_files/securedrop-ossec-agent/DEBIAN/control b/install_files/securedrop-ossec-agent/DEBIAN/control
index ccfa252002c..3c9d99b3584 100644
--- a/install_files/securedrop-ossec-agent/DEBIAN/control
+++ b/install_files/securedrop-ossec-agent/DEBIAN/control
@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: SecureDrop Team <securedrop@freedom.press>
 Homepage: https://securedrop.org
 Package: securedrop-ossec-agent
-Version: 2.8.2+0.5.2~rc1
+Version: 2.8.2+0.5.2
 Architecture: amd64
 Depends: ossec-agent,securedrop-keyring,securedrop-config
 Replaces: ossec-agent
diff --git a/install_files/securedrop-ossec-server/DEBIAN/control b/install_files/securedrop-ossec-server/DEBIAN/control
index a1fdbb3501c..6791e3f16c8 100644
--- a/install_files/securedrop-ossec-server/DEBIAN/control
+++ b/install_files/securedrop-ossec-server/DEBIAN/control
@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: SecureDrop Team <securedrop@freedom.press>
 Homepage: https://securedrop.org
 Package: securedrop-ossec-server
-Version: 2.8.2+0.5.2~rc1
+Version: 2.8.2+0.5.2
 Architecture: amd64
 Depends: ossec-server,securedrop-keyring,securedrop-config
 Replaces: ossec-server
diff --git a/molecule/builder/tests/vars.yml b/molecule/builder/tests/vars.yml
index 0476acc2137..c385c06eef7 100644
--- a/molecule/builder/tests/vars.yml
+++ b/molecule/builder/tests/vars.yml
@@ -1,5 +1,5 @@
 ---
-securedrop_version: "0.5.2~rc1"
+securedrop_version: "0.5.2"
 ossec_version: "2.8.2"
 keyring_version: "0.1.1"
 config_version: "0.1.0"
diff --git a/securedrop/version.py b/securedrop/version.py
index ead11ce08ac..45869b62262 100644
--- a/securedrop/version.py
+++ b/securedrop/version.py
@@ -1 +1 @@
-__version__ = '0.5.2~rc1'
+__version__ = '0.5.2'