Less Plone hotfix packages

Summary: Plone 5.2 and 6.0 are supported, but there probably will not be many security hotfix packages anymore with pre-announcements. Instead, individual packages will get security releases.

Traditionally, when there is a vulnerability in Plone, the Plone/Zope Security Team tries to create a hotfix package that you add to the eggs/packages of your site. The last such was in May 2021, with package Products.PloneHotfix20210518. Afterwards, the fixes would be ported to the packages that are affected, and these would end up in a new Plone bugfix release, where you no longer need the hotfix package.

We have sometimes skipped the hotfix package and gone straight to releasing new packages. This was the case in January 2022, when we made new releases for plone.app.contenttypes and Products.ATContentTypes. In that case, the vulnerability was in a Page Template, which made our usual hotfix package approach unusable.

When the vulnerability is in Zope or one of its dependencies, it is also unlikely that there will be a hotfix package. Instead, you should update your Plone site to the new Zope. See for example the announcement earlier this month.

In the future this will happen more often: there will be no special hotfix packages, but there will be new releases for affected packages, for all supported branches.

Reasons:

  • Creating and testing a hotfix package on multiple Plone minor and bugfix versions and multiple Python versions, and then porting the changes to the affected packages, takes a long time.
  • There would usually be a pre-announcement with two weeks notice, so you have time to plan. This adds pressure on the security team: a fix needs to be ready at that time, also when last-minute problems are detected. Sometimes one person reports multiple vulnerabilities in one email, and preferably we would fix all reported issues at once. And if any new issues come in between the pre-announcement and the hotfix, we would ideally fix those as well. This again adds to the perceived pressure.
  • Hardly any software community does pre-announcements. Notable exceptions are Node and OpenSSL.
  • The security team is mostly volunteer work, on top of other busy tasks.

There is still room for hotfix packages, especially when there is a serious vulnerability that leaves most sites open to attack, or if a fix is needed in the main Products.CMFPlone package.

But if you remember only one thing from this post, let it be this: Plone 5.2 and 6.0 are still supported.

On behalf of the Plone/Zope Security Team,

Maurits van Rees
