Plone 5.2.11 soft released

mauritsvanrees · January 26, 2023, 8:23pm

Plone 5.2.11 has been soft-released. Please give it a try and let me know if there are any critical issues.

For those who haven't run across soft-releases before, this is the last step before the final release. Because things haven't been finalized yet, some packages may change between now and the release. It is not recommended to use soft-releases in production. The Products.CMFPlone version is 5.2.11rc1.

See also the release checklist on GitHub.

Release notes for Plone 5.2.11rc1

Released: Thursday January 26, 2023
Check the release schedule.
Read the upgrade guide, explaining the biggest changes compared to 5.1.
Canonical place for these release notes and the full packages changelog.

For technical wizards who want to jump straight in, here are two important links:

With pip you can use the constraints file at https://dist.plone.org/release/5.2-dev/constraints.txt
With Buildout you can use the versions file at https://dist.plone.org/release/5.2-dev/versions.cfg.

Highlights

Major changes since 5.2.10:

Zope:
- Set the published default Content-Type header to text/plain if none has been set explicitly to prevent a cross-site scripting attack. Also remove the old behavior of constructing an HTML page for published methods returning a two-item tuple. This fix was already included in Plone 5.2.10.1 and 5.2.10.2.
- Various other packages have fixes for this to avoid regressions.
plone.app.caching: Apply weak caching to GET requests of content with application/json, handled by plone.restapi. See plone.rest issue 73.
Products.CMFPlone: When autologin after password reset is enabled (this is the default), use the same adapters as during normal login. Specifically: the IInitialLogin and IRedirectAfterLogin adapters.

Python compatibility

This release supports Python 2.7, 3.7, and 3.8.
Python 3.6 support was dropped in Plone 5.2.10.
Note that both Python 2.7 and 3.6 have reached end of life, and Python 3.7 will reach end of life in June 2023.
Plone 5.2 supports Python 2.7, but it should only be used as a temporary stepping stone before you migrate your Plone site to Python 3.

Versions of pip, zc.buildout, setuptools

Plone 5.2 ships with a requirements.txt that pins pip, zc.buildout, setuptools, and wheel (plus a few more unpinned packages when you are on Windows). In the versions.cfg for Buildout we have the same versions.

We have been very conservative with these versions. The main reason is that we wanted to use the same versions for Python 2 and 3.

This is starting to harm the Python 3 side. See one personal "war" story on Mac where one package could be installed on Python 3.8.13, but not on 3.8.14 or higher. Using the latest versions of pip and Buildout and friends, all was well.

So starting with Plone 5.2.11, we pin different versions of these packages on Python 2 and 3.

You should know that you are free to use whatever versions you like for these tools. Use whatever versions work on your system, especially on Python 3.

Note that in a buildout.cfg you can "unpin" versions to tell Buildout to just use whatever has already been installed by pip:


[buildout]
newest = false

[versions]
pip =
setuptools =
wheel =
zc.buildout =

Installation

For installation instructions, see the documentation.

Issues

If you find any issues, please report them in the main issue tracker.