[homakov]

There is account system too - journalists got passwords, sources got "code names"

Not huge, but much more complicated than it could be. For instance, it redefined CSRF protection in a weird way https://github.com/lepture/flask-wtf/blob/master/flask_wtf/c...

[samat]

Securedrop is used by NYT-level companies. I thought using it is a no-brainer for any news media. Now I am having doubts :((

[homakov]

Over complicated doesn't mean insecure, but the less code the better

[kough]

OT: homakov and tptacek in the same thread <3