Plone 4.3.20 soft released

Development
1

I have soft released Plone 4.3.20. Please give it a try and let me know if there are any critical issues: https://dist.plone.org/release/4.3.20-pending/versions.cfg.

For those who haven't run across soft-releases before, this is the last step before the final release. Because things haven't been finalized yet, some packages may change between now and the release. It is not recommended to use soft-releases in production.

This will be the last ever release in the Plone 4.3 series! I feel oddly moved when I write this. The first 4.3 release was on 6 April 2013. Seven years ago. It feels strange to let this release go. But it is time to move on. It has been a great release series! Thanks a lot to everyone who helped shape 4.3 and who helped maintain it for all those years. We love you all!

I have a release checklist. Feel free to link possible breaking bugs there, or add a comment below.

2 Likes
2

The changelog compared to 4.3.19:

plone.recipe.alltests: 1.5.1 → 1.5.2

Bug fixes:

  • Minor packaging updates. (#1)

plone.app.robotframework: 1.2.3 → 1.2.4

Bug fixes:

  • Reverted change in 1.2.1 for 'Log in' keyword which failed in Plone 4.3.
    Fixes issue 107 <https://github.com/plone/plone.app.robotframework/issues/107>_.
    [maurits]

lxml: 4.2.1 → 4.2.6

Plone: 4.3.19 → 4.3.20

New features:

  • Release Plone 4.3.20.
    This will be the last release in the 4.3 series.
    See also the Plone release schedule <https://plone.org/download/release-schedule>_.
    [maurits]

Products.Archetypes: 1.9.20 → 1.9.21

Bug fixes:

  • textcount.js support for jquery>1.6.

    make it impossible to enter text longer than maxlimit
    by replacing maxlimit alert() with highlighting textcountfield.
    [vkarppinen] (#93)

Products.CMFPlone: 4.3.19 → 4.3.20rc1

Bug fixes:

  • Removed broken X-XSS-Protection header.
    [maurits] (#2964)

  • Merge Hotfix20200121: isURLInPortal could be tricked into accepting malicious links. (#3021)

  • Merge Hotfix20200121 Check of the strenth of password could be skipped. (#3021)

  • Depend on new package Products.isurlinportal.
    This contains the isURLInPortal method that was split off from our URLTool.
    See issue 3150 <https://github.com/plone/Products.CMFPlone/issues/3150>_.
    [maurits] (#3150)

  • Increased metadata version to 4322, to trigger Plone upgrade for Plone 4.3.20.
    This is the last release ever of the Plone 4.3.x line.
    See also the Plone release schedule <https://plone.org/download/release-schedule>_.
    [maurits] (#3166)

Products.GenericSetup: 1.8.10 → 1.8.11

Bug fixes:

  • Force saving unpersisted changes in toolset registry.
    Fixes issue 86 <https://github.com/zopefoundation/Products.GenericSetup/issues/86>_.

  • No longer test on Python 2.6.

Products.PloneLanguageTool: 3.2.9 → 3.2.10

Bug fixes:

  • Minor packaging updates. (#1)

Products.PluggableAuthService: 1.11.2 → 1.11.3

  • Add new events to be able to notify when a principal is added to
    or removed from a group. Notify these events when principals are
    added or removed to a group in ZODBGroupManager
    (#17 <https://github.com/zopefoundation/Products.PluggableAuthService/issues/17>_)

Products.ZSQLMethods: 2.13.5 → 2.13.6

archetypes.referencebrowserwidget: 2.5.10 → 2.5.11

Bug fixes:

  • Minor packaging updates. [various] (#1)

collective.monkeypatcher: 1.2 → 1.2.1

Bug fixes:

  • Minor packaging updates. [various] (#1)

collective.z3cform.datetimewidget: 1.2.8 → 1.2.9

Bug fixes:

  • Removed compiled .mo files from repository.
    I will create a new release, which should still contain those, including the missing Dutch .mo file.
    [maurits]

plone.app.imaging: 1.0.13 → 1.0.14

Bug fixes:

  • Fix IOError: cannot write mode RGBA as JPEG on ImageField scale
    [avoinea]

plone.app.locales: 4.3.16 → 4.3.17

  • Backport new translations from Plone 5.2.
    [vincentfretin]

plone.app.querystring: 1.2.12 → 1.2.13

Bug fixes:

  • Integer criterions: try to convert all input to integers.
    Most notably this did not happen for unicode on Python 2.
    So a u"42" was passed as value to the catalog query, and this matched either all or nothing.
    [maurits] (#93)

plone.app.upgrade: 1.4.6 → 1.4.7

Bug fixes:

  • Added null upgrade step to 4322, the metadata version of Plone 4.3.20.
    [maurits] (#3166)

plone.alterego: 1.1.3 → 1.1.5

Bug fixes:

  • Minor packaging updates. (#1)

  • Minor packaging updates. [various] (#1)

plone.behavior: 1.3.0 → 1.3.2

Bug fixes:

  • Minor packaging updates. (#1)

  • Improved documentation. [jensens] (#0)

plone.contentrules: 2.0.9 → 2.0.10

Bug fixes:

  • Minor packaging updates. (#1)

plone.indexer: 1.0.6 → 1.0.7

Bug fixes:

  • Minor packaging updates. (#1)

plone.intelligenttext: 3.0.0 → 3.1.0

New features:

  • Drop Python 2.6 support from tests.
    Start testing on 3.7 and 3.8.
    [maurits] (#9)

plone.reload: 3.0.0 → 3.0.1

Bug fixes:

  • Minor packaging updates.

plone.subrequest: 1.8.6 → 1.8.7

Bug fixes:

  • Restored to 1.8.4 version. Kept only the optional Archetypes test dependency.
    Plone 4.3, 5,0 and 5.1 do not need the Python 3 and Zope 4 fixes, and may give errors.
    Plone 5.2 does not use this branch.
    Fixes issue 2995 <https://github.com/plone/Products.CMFPlone/issues/2995>_. [maurits]

plone.synchronize: 1.0.3 → 1.0.4

New features:

  • Drop Python 2.6 support.
    Support 2.7, 3.5-3.8, PyPy2/3.
    Added tox for local testing.
    [maurits] (#2)

plone.uuid: 1.0.5 → 1.0.6

Bug fixes:

  • Minor packaging updates. (#1)

plonetheme.classic: 1.5.0 → 1.5.1

Bug fixes:

  • Removed broken X-XSS-Protection header.
    Fixes issue 2964 <https://github.com/plone/Products.CMFPlone/issues/2964>_.
    [maurits]

z3c.autoinclude: 0.3.9 → 0.4.0

Breaking changes:

  • Drop support for Python 3.4.

New features:

  • When environment variable Z3C_AUTOINCLUDE_DEBUG is set,
    log which packages are being automatically included.
    Do this in a form that you can copy to a configure.zcml file.

  • Add support for Python 3.8.

collective.z3cform.datagridfield: 1.3.1 → 1.3.3

grokcore.component: 2.5 → 2.5.1

plone.app.contenttypes: 1.1.6 → 1.1.9

plone.app.event: 1.1.12 → 1.1.13

Bug fixes:

  • Fixed Spanish translations. [Corina Riba] (#0)

plone.app.lockingbehavior: 1.0.5 → 1.0.7

plone.app.referenceablebehavior: 0.7.7 → 0.7.8

Bug fixes:

  • Minor packaging updates. (#1)

plone.api: 1.10.0 → 1.10.2

Bug fixes:

  • Minor packaging updates. (#1)

  • Remove deprecation warnings [ale-rt] (#432)

  • In tests, use stronger password.
    [maurits] (#436)

  • Removed duplicate and failing inline doctest for content.find.
    [maurits] (#437)

plone.formwidget.autocomplete: 1.3.0 → 1.4.0

New features:

  • Add Plone 5 compatibility
    [laulaz]

plone.formwidget.contenttree: 1.1.0 → 1.2.0

New features:

  • Added Python 3 compatibility. [cekk]

plone.app.blocks: 4.3.0 → 4.3.2

3

On a higher level next to some obvious bug fixes and reverts to earlier versions, here are some highlights, also known as the release notes:

  • Integrated PloneHotfix20200121 for increased security.

  • Moved the security check if a url is in the portal to a small separate package: Products.isurlinportal.
    You can immediately use this on Plone 4.3 and higher.
    Keep an eye on updates for this package: newer versions will increase the security.
    Often the impact of fixes is too small to warrant a real security hotfix package,
    but we want to do more regular fixes here.

  • Use Products.isurlinportal 1.1.0 with security hardening against whitespace:
    https://github.com/plone/Products.isurlinportal/issues/1

  • Removed broken X-XSS-Protection header from classic theme and unstyled theme.

  • Products.PluggableAuthService:
    Added new events to be able to notify when a principal is added to or removed from a group.
    Notify these events when principals are added or removed to a group in ZODBGroupManager.
    See https://github.com/zopefoundation/Products.PluggableAuthService/issues/17

  • z3c.autoinclude:
    When environment variable Z3C_AUTOINCLUDE_DEBUG is set,
    log which packages are being automatically included.

4

The content is at https://dist.plone.org/release/4.3.19-pending, should be https://dist.plone.org/release/4.3.20-pending instead

5

Oops, that is a pretty silly error...
Fixed now, thanks.

Except that the 4.3.20-pending url now shows a cached error...
Adding a query parameter helps:
https://dist.plone.org/release/4.3.20-pending/versions.cfg?x=1

Does anyone know how to purge this? It is somewhere on cloudflare I think.

6

@mauritsvanrees it is possible pinn coverage to the latest version?

Or better yet, unpinn version with:

coverage =

It is necessary convert data generated by the old versions of coverage:

And this doesn't always work.

7

@mauritsvanrees sorry. I just saw that bobtemplate doesn't use createcoverage anymore. Anyway, it would not be a bad idea to update coverage.

8

Just testet 4.3.20-pending on a large project of us. No problems found so far!

9

Same here, it worked fine.

10

I am going to keep it at the current version. Any add-ons that use this in their Travis setup will likely have worked around possible version conflicts or other problems already. If needed, we could add pins in GitHub - collective/buildout.plonetest: Testing/development buildouts for Plone.

11

I have made the release final:
https://dist.plone.org/release/4.3.20/versions.cfg
Enjoy!

Note that the release is not official yet until the installers are ready. But you are encouraged to use this in production now. (Also: please seriously consider upgrading to Plone 5.2.)

2 Likes
12

Niiice!

Please ping me, or add a note to https://github.com/plone/plone.docker/issues/139 when the UnifiedInstaller zip is available at https://launchpad.net/plone/4.3/4.3.20 in order to release also the Docker Image (hope we'll still be able to do that, as Docker started to discard all Python 2 builds for official images).

1 Like
13

Hello Any installer for 4.3.20 ready ? Thank you