Getting Started with Weblate Translations

SecureDrop is a whistleblower submission system for media organizations to securely accept documents from and communicate with anonymous sources. For more information, you may be interested to:

SecureDrop uses the Weblate platform. This page lists detailed instructions for getting started with the Weblate platform as a translator. Before starting this guide, you should know which language you would like to translate.

Who Uses SecureDrop?

There are two kind of SecureDrop users: Sources and Journalists. A source is an individual who wants to communicate securely and anonymously with a journalist. Sources are not expected to be have any technical background. Journalists using SecureDrop have all received proper training and know what a PGP public key is, they understand the basic workflow of SecureDrop.

Register for Weblate

Login via GitHub for the First Time

If you already have a GitHub account, go to the Weblate registration page:

Weblate registration page screenshot

Click on the octocat icon and agree to login via GitHub.

GitHub authorization page screenshot

You will then be redirected to the Weblate dashboard.

Weblate dashboard screenshot

Register a Weblate Account

Go to the Weblate registration page

Weblate registration page screenshot

Fill the form and click Register and check your email for a message with the subject [Weblate] Your registration on Weblate containing a confirmation link from Confirming by clicking the first link will redirect you to the Weblate dashboard:

Weblate dashboard screenshot

Choose a Language

From your Weblate dashboard:

Weblate dashboard screenshot

Click the Watched translations menu and select Suggested translations:

Weblate suggested translations screenshot

And click the translate button to the right on the line that shows your native language:

Weblate translate button screenshot

Translate a Phrase

Each translatable string is shown in a Source box and you can translate it right below in the Translation text area. When you are done, click Save and the next untranslated string will appear.

Weblate translate screenshot

For most strings a contextual screenshot is available on the right side showing how it looks in the software. Click to see it in full size.

Weblate translate context screenshot

Instructions About a User Navigation

Strings also come with instructions, further explaining them, and detailing where they are to be found in the user interface of the software, in case you still aren’t sure. When doing so, also verify that the steps needed to find it are correct.:

...tap "Set up account"...

To find this, navigate to the localized interface of FreeOTP to get a firmer grasp of what it does, and then translate the string displayed in place of Set up account.


Strings may contain placeholders, seen as content in between braces: These pick in other names and functions of the software, and must be left unmodified, but they can be moved around in a string. For instance:

Edit user {user}

will be displayed to the user as:

Edit user Jean-Claude

The French translated string should look like:

Modifier l'utilisateur {user}

And it would be incorrect to translate the placeholder like so:

Modifier l'utilisateur {utilisateur}


Translated strings are not put into SecureDrop before they are also reviewed. This is to make sure the source or journalist will not be confused by an incorrect translation.

Anyone can contribute translations, just like anyone can edit Wikipedia. However the right to review translations, is only extended to trusted translators can. You can ask for your _translator_ status to be elevated to _reviewer_ by posting a message in the translation category of the SecureDrop forum.

A reviewer sees Waiting for review and Approved radio buttons next to strings, all of which are initially set to Waiting for review.

Waiting for review screenshot

When the translation is deemed correct, the reviewer should change it to Approved.

Approved screenshot

When in this state, only reviewers can modify the string. Translators can still suggest modifications if they notice something wrong, and comment if they disagree.

Not a reviewer screenshot


A glossary is available, explaining terms specific to SecureDrop. It is also important that key terms are understood and precisely translated.


Your adversary is the person or organization attempting to undermine your security goals. Adversaries can be different, depending on the situation. For instance, you may worry about criminals spying on the network of a cafe, or your classmates at a school. Often the adversary is hypothetical.

This definition is an edited version copied from the EFF glossary

Air gap

If there are no networked means of communicating with a computer you own, meaning a computer or a whole network is physically isolated from all other networks, including by its very nature the Internet, is said to be air-gapped.

This definition is an edited version copied from the EFF glossary


In terms of computer security, an attack is a method used to attempt compromising security, or just gaining access to its actual use. An attacker is the person or organization carrying out an attack. An attack method, something targeting a weakness in the security, is sometimes called an “exploit.”

This definition is an edited version copied from the EFF glossary

Command Line Tool (command)

The “command line” works by way of giving a computer a series of small, self-contained orders (think of those science fiction movies where teenage geniuses type long strings of green text onto black screens). To use a command line tool, the user types a command into a window called a terminal emulator, hits the return or enter key, and then receives a textual response in the same window. Windows, Linux|GNU and Apple desktop computers still let you run software using this interface, as is the case on some mobile phones if you install the right app. The command line can be used to run software pre-packaged with your operating system, or install new ones. Some downloadable programs, especially technical utilities, use the command line instead of a more familiar “icons and buttons” user interface. The command line needn’t be scary, but it does require you to type in exactly the right set of letters and numbers to get the correct result, and it’s often unclear what to do if the responses don’t match your expectations.

This definition is an edited version copied from the EFF glossary


The art of designing secret codes or ciphers that let you exchange messages with a recipient without others being able to understand the message.

This definition is an edited version copied from the EFF glossary


Make a secret message or data intelligible. The idea behind encryption is to make messages that can only be decrypted by the person or people meant to receive them.

This definition is an edited version copied from the EFF glossary


A process that takes a message and makes it unreadable except to a person who knows how to decrypt it back into a readable form.

This definition was copied from the EFF glossary

Encryption Key

An encryption key is a piece of information that is used to convert a message into an unreadable form. In some cases, you need the same encryption key to decode the message. In others, the encryption key and decryption key are different.

This definition was copied from the EFF glossary


The keys of public key cryptography are very large numbers, sometimes a thousand or more digits long. A fingerprint is a much smaller number or set of numbers and letters that can be used as a unique name for that key, without having to list all of the key’s digits. So, for instance, if you and a friend wished to make sure you both had the same key, you could either spend a long time reading off all the hundreds of digits in the key, or you could each calculate your key’s fingerprint and compare those instead. The fingerprints presented by cryptographic software usually consist of around 40 letters and numbers. If you carefully check that a fingerprint has the right value, you should be safe against impersonation using a fake key. Some software tools may offer more convenient alternative ways to verify a friend’s key, but some form of verification needs to happen to prevent communications providers from easily being able to listen in.

This definition was copied from the EFF glossary


If you’ve ever seen a web address spelled out as “”, you’ll recognize the “http” bit of this term. HTTP (hypertext transfer protocol) is the way a web browser on your machine talks to a remote web server. Unfortunately, standard http sends text insecurely across the Internet. HTTPS (the S stands for “secure”) uses encryption to better protect the data you send to websites, and the information they return to you, from prying eyes.

This definition was copied from the EFF glossary


In cryptography, a piece of data which gives you the capability to encrypt or decrypt a message.

This definition was copied from the EFF glossary


If you use public key cryptography, you’ll need to keep track of many keys: your secret, private key, your public key, and the public keys of everyone you communicate with. The collection of these keys is often referred to as your keyring.

This definition was copied from the EFF glossary

Man-in-the-Middle Attack (MITM)

Suppose you believe you were speaking to your friend, Bahram, via encrypted instant messager. To check it’s really him, you ask him to tell you the city where you first met. “Istanbul” comes the reply. That’s correct! Unfortunately, without you or Bahram knowing, someone else online has been intercepting all your communications. When you first connected to Bahram, you actually connected to this person, and she, in turn, connected to Bahram. When you think you are asking Bahram a question, she receives your message, relays the question to Bahram, receives his answer back , and then sends it to you. Even though you think you are communicating securely with Bahram, you are, in fact, only communicating securely with the spy, who is also communicating securely to Bahram! This is the man-in-the-middle attack. Men-in-the-middle can spy on communications or even insert false or misleading messages into your communications. Security-focused internet communications software needs to defend against the man-in-the-middle attack to be safe against attackers who have control of any part of the Internet between two communicators.

This definition was copied from the EFF glossary

Public Key Encryption

Traditional encryption systems use the same secret, or key, to encrypt and decrypt a message. So if I encrypted a file with the password “bluetonicmonster”, you would need both the file and the secret “bluetonicmonster” to decode it. Public key encryption uses two keys: one to encrypt, and another to decrypt. This has all kinds of useful consequences. For one, it means that you can hand out the key to encrypt messages to you, and as long as you keep the other key secret, anyone with that key can talk to you securely. The key you hand out widely is known as the “public key”: hence the name of the technique. Public key encryption is used to encrypt email and files by Pretty Good Privacy (PGP), OTR for instant messaging, and SSL/TLS for web browsing.

This definition was copied from the EFF glossary

Two-Factor Authentication

“Something you know, and something you have.” Login systems that require only a username and password risk being broken when someone else can obtain (or guess) those pieces of information. Services that offer two-factor authentication also require you to provide a separate confirmation that you are who you say you are. The second factor could be a one-off secret code, a number generated by a program running on a mobile device, or a device that you carry and that you can use to confirm who you are. Companies like banks, and major internet services like Google, PayPal and Twitter now offer two-factor authentication.

This definition is an edited version copied from the EFF glossary

Weblate Glossary

For each string to be translated, Weblate shows a glossary of terms and their translation to help unify their translations. For instance when translating Please wait for a new two-factor token before logging in again, Weblate notices the word two-factor is found in the glossary and displays the translation in the glossary to the right.

Weblate glossary show page screenshot

Before translating strings, it is recommended to add all terms in the SecureDrop localization glossary by clicking on the pen in the right corner of the glossary displayed with each translated string and then Add new word:

Weblate glossary add page screenshot

When all the terms are in the glossary, it is recommended to take another look at the full list of terms and verify there is no duplicate or other mistakes.

Weblate glossary list page screenshot


The terms copied from the EFF glossary already have a translation in a number of languages.

Getting Help

Should you need help, you can do one of the following:

Frequently Asked Questions

  • What if the language I want to translate is not on the list?

    You can send a request for a new language in the translation category of the SecureDrop forum. But please make sure the language you want is not already present.