Plone 5.2.3 has been soft-released. Please give it a try and let me know if there are any critical issues. https://dist.plone.org/release/5.2.3-pending/versions.cfg

For those who haven't run across soft-releases before, this is the last step before the final release. Because things haven't been finalized yet, some packages may change between now and the release. It is not recommended to use soft-releases in production.

I have not yet uploaded the packages to dist.plone.org, but they are not really needed. The main 'meta' files are there.

See also the release checklist on GitHub.

Detailed changelog compared to 5.2.2:

plone.recipe.zope2instance: 6.7.5 → 6.8.1

New features:

• Added option clear-untrusted-proxy-headers, with default false.
  See waitress documentation on clear_untrusted_proxy_headers <https://waitress.readthedocs.io/en/latest/arguments.html?highlight=clear_untrusted_proxy_headers>.
  Fixes a deprecation warning <https://github.com/plone/plone.recipe.zope2instance/issues/142>.
  [maurits] (#142)

• Added option max-request-body-size, with default 1073741824.
  See waitress documentation on max_request_body_size <https://waitress.readthedocs.io/en/latest/arguments.html?highlight=max_request_body_size>_.
  [mpeeters] (#155)

Bug fixes:

• Properly disable access-log for WSGI.
  [tschorr] (#159)

• Add GitHub Actions to project.
  Run tests there in a matrix against Zope 4 and Zope 5, Windows and Linux, Python 27, 3.6, 3.7 and 3.8.
  Testing Python 2.7 on Windows is skipped.
  Refactor tox test setup slightly, do not use tox on GitHub.
  Split up tests in smaller easier to maintain files.
  Fix tests to run on Windows without tocuhing the recipe code (the Windows code is not perfect right now, but it test are reflecting current state).
  This primary includes respecting path-handling (backslash vs slash), conditional instance generation and differences in wsgi configurations.
  Also resolves "unclosed files" warnings.
  Reflect Zope 5 and so Plone 6.0 support in trove classifiers.
  [jensens] (#150)

zest.releaser: 6.21.1 → 6.22.1

plone.app.robotframework: 1.5.4 → 1.5.6

New features:

• Removed backwards compatibility code for old quickinstaller.
  Current plone.app.robotframework is only for Plone 5.2+, so this code was no longer used.
  See also PLIP 1775 <https://github.com/plone/Products.CMFPlone/issues/1775>_.
  [maurits] (#1775)

Bug fixes:

• Fixed error Variable '${CMFPLONE_SELECTORS}' not found on Plone 6.
  [maurits] (#680)

• Fixed DeprecationWarning: invalid escape sequence.
  [maurits] (#3130)

zope.interface: 5.0.2 → 5.1.2

• Make sure to call each invariant only once when validating invariants.
  Previously, invariants could be called multiple times because when an
  invariant is defined in an interface, it's found by in all interfaces
  inheriting from that interface. See pull request 215 <https://github.com/zopefoundation/zope.interface/pull/215/>_.

• Fix the method definitions of IAdapterRegistry.subscribe,
  subscriptions and subscribers. Previously, they all were
  defined to accept a name keyword argument, but subscribers have
  no names and the implementation of that interface did not accept
  that argument. See issue 208 <https://github.com/zopefoundation/zope.interface/issues/208>_.

• Fix a potential reference leak in the C optimizations. Previously,
  applications that dynamically created unique Specification
  objects (e.g., used @implementer on dynamic classes) could
  notice a growth of small objects over time leading to increased
  garbage collection times. See issue 216 <https://github.com/zopefoundation/zope.interface/issues/216>_.

  .. caution::

  This leak could prevent interfaces used as the bases of
  other interfaces from being garbage collected. Those interfaces
  will now be collected.

  One way in which this would manifest was that weakref.ref
  objects (and things built upon them, like
  Weak[Key|Value]Dictionary) would continue to have access to
  the original object even if there were no other visible
  references to Python and the original object should have been
  collected. This could be especially problematic for the
  WeakKeyDictionary when combined with dynamic or local
  (created in the scope of a function) interfaces, since interfaces
  are hashed based just on their name and module name. See the
  linked issue for an example of a resulting KeyError.

  Note that such potential errors are not new, they are just once
  again a possibility.

• Make @implementer(*iface) and classImplements(cls, *iface)
  ignore redundant interfaces. If the class already implements an
  interface through inheritance, it is no longer redeclared
  specifically for cls. This solves many instances of inconsistent
  resolution orders, while still allowing the interface to be declared
  for readability and maintenance purposes. See issue 199 <https://github.com/zopefoundation/zope.interface/issues/199>_.

• Remove all bare except: statements. Previously, when accessing
  special attributes such as __provides__, __providedBy__,
  __class__ and __conform__, this package wrapped such access
  in a bare except: statement, meaning that many errors could pass
  silently; typically this would result in a fallback path being taken
  and sometimes (like with providedBy()) the result would be
  non-sensical. This is especially true when those attributes are
  implemented with descriptors. Now, only AttributeError is
  caught. This makes errors more obvious.

  Obviously, this means that some exceptions will be propagated
  differently than before. In particular, RuntimeError raised by
  Acquisition in the case of circular containment will now be
  propagated. Previously, when adapting such a broken object, a
  TypeError would be the common result, but now it will be a more
  informative RuntimeError.

  In addition, ZODB errors like POSKeyError could now be
  propagated where previously they would ignored by this package.

  See issue 200 <https://github.com/zopefoundation/zope.interface/issues/200>_.

• Require that the second argument (bases) to InterfaceClass is
  a tuple. This only matters when directly using InterfaceClass to
  create new interfaces dynamically. Previously, an individual
  interface was allowed, but did not work correctly. Now it is
  consistent with type and requires a tuple.

• Let interfaces define custom __adapt__ methods. This implements
  the other side of the :pep:246 adaptation protocol: objects being
  adapted could already implement __conform__ if they know about
  the interface, and now interfaces can implement __adapt__ if
  they know about particular objects. There is no performance penalty
  for interfaces that do not supply custom __adapt__ methods.

  This includes the ability to add new methods, or override existing
  interface methods using the new @interfacemethod decorator.

  See issue 3 <https://github.com/zopefoundation/zope.interface/issues/3>_.

• Make the internal singleton object returned by APIs like
  implementedBy and directlyProvidedBy for objects that
  implement or provide no interfaces more immutable. Previously an
  internal cache could be mutated. See issue 204 <https://github.com/zopefoundation/zope.interface/issues/204>_.

Products.MailHost: 4.9 → 4.10

• We depend on zope.sendmail >= 5.1.

• Support messages with explicit Content-Transfer-Encoding: 8bit
  (#30 <https://github.com/zopefoundation/Products.MailHost/issues/30>_).

calmjs.parse: 1.2.4 → 1.2.5

icalendar: 4.0.6 → 4.0.7

Bug fixes:

• fixed rrule handling, re-enabled test_create_america_new_york()

mockup: 3.2.2 → 3.2.3

Bug fixes:

• Fix building of the docs bundle.
  [thet] (#980)

• Fix external description text in tinymce link popup
  [parruc] (#1010)

• Bump bl from 4.0.2 to 4.0.3 [dependabot, jensens] (#1014)

• Bumps lodash from 4.17.15 to 4.17.20. [dependabot, jensens] (#1015)

• Fix plone toolbar action links being updated only on the first navigation action in the folder_contents structure pattern. [fredvd] (#3191)

Plone: 5.2.2 → 5.2.3

Bug fixes:

• Release Plone 5.2.3 final
  [maurits]

plone.api: 1.10.2 → 1.10.4

Bug fixes:

• Fixed test failures on Python 3 with Products.MailHost 4.10.
  [maurits] (#3178)

• Fixed deprecation warning for CMFPlone.interfaces.ILanguageSchema.
  [maurits] (#3130)

plone.app.caching: 2.0.6 → 2.0.8

Bug fixes:

• Do not assume request or request.URL is a string. It might be None. [jensens, iham] (#59)

• Remove hopelessly outdated proxy config examples.
  Look at plone.recipe.varnish for excellent examples!
  [jensens] (#64)

• Fixed invalid escape sequences.
  [maurits] (#3130)

plone.app.content: 3.8.6 → 3.8.7

Bug fixes:

• Fixed deprecation warning for IFieldPermissionChecker.
  [maurits] (#3130)

plone.app.contentlisting: 2.0.2 → 2.0.3

Bug fixes:

• Fixed deprecation warning for LazyCat/LazyMap.
  [maurits] (#3130)

plone.app.contentrules: 4.1.4 → 4.1.5

Bug fixes:

• Fixed deprecation warning for ComponentLookupError.
  Fixed deprecation warning for zope.site.hooks.
  Fixed deprecation warning for IObjectEvent from zope.component.
  [maurits] (#3130)

• Fixed test failures on Python 3 with Products.MailHost 4.10.
  [maurits] (#3178)

plone.app.contenttypes: 2.1.10 → 2.2.1

New features:

• Allow passing a custom catalog-query to migrateCustomAT to constrain which objects to migrate. [pbauer] (#572)

Bug fixes:

• Update tests to fix updated schema cache.
  See https://github.com/plone/plone.dexterity/pull/137
  [@avoinea] (#573)

• Fix various deprecation warnings.
  [maurits] (#3130)

plone.app.dexterity: 2.6.5 → 2.6.7

Bug fixes:

• Update tests to fix updated schema cache.
  See https://github.com/plone/plone.dexterity/pull/137
  [@avoinea, maurits] (#313)

• Do not require nextPreviousEnabled (#312)

plone.app.discussion: 3.4.2 → 3.4.3

Bug fixes:

• Fix tests with Products.MailHost 4.10.
  [maurits] (#3178)

plone.app.event: 3.2.7 → 3.2.9

Bug fixes:

• Replaced deprecated plone.testing.z2 imports with plone.testing.zope, where possible.
  [maurits] (#3130)

• Fixed deprecation warning for setDefaultRoles.
  [maurits] (#3130)

plone.app.folder: 1.3.1 → 1.3.2

Bug fixes:

• Removed ancient migration code for upgrading BTree folder from Plone 3 to 4.
  The code, or at least the tests, are incompatible with the latest zope.interface.
  Current plone.app.folder is only for Plone 5.2, so the code is not needed.
  [maurits] (#24)

plone.app.iterate: 3.3.14 → 3.3.15

Bug fixes:

• Remove relationship between baseline and working copy, when wc is removed.
  [frapell] (#77)

• Fixed deprecation warning for ObjectEvent and IObjectEvent.
  Moved all code from profiles.py to setuphandlers.py to avoid confusion with profiles directory.
  [maurits] (#3130)

plone.app.layout: 3.4.4 → 3.4.6

Bug fixes:

• Fixed various deprecation warnings.
  [maurits] (#3130)

• Made the error page recognisable again in the body classes.
  Instead of template-index-html you now get template-error_message-pt.
  Compatibility note: in Plone 5.1 and earlier, this was template-default_error_message.
  [maurits] (#242)

plone.app.linkintegrity: 3.3.13 → 3.3.14

Bug fixes:

• Fixed deprecation warning for ComponentLookupError.
  [maurits] (#3130)

plone.app.locales: 5.1.24 → 5.1.26

• Update Italian translations
  [lelit]

• Minor fix in German translation.
  [jensens]

plone.app.multilingual: 5.6.1 → 5.6.2

Bug fixes:

• Fixed deprecation warning for ComponentLookupError.
  Fixed deprecation warning for ILanguageSchema, depend on plone.i18n 4.0.4.
  Fixed deprecation warning for IObjectEvent from zope.component.
  Fixed deprecation warning for zope.site.hooks.
  [maurits] (#3130)

plone.app.portlets: 4.4.5 → 4.4.6

Bug fixes:

• fixes index error in navigation portlet caused by unknown mimetypes without
  entry in mimetype registry
  https://github.com/plone/Products.CMFPlone/issues/2882) (cmfplone-2882)

• Fixed deprecation warning for zope.component.interfaces.IComponentRegistry.
  [maurits] (#3130)

plone.app.registry: 1.7.6 → 1.7.7

Bug fixes:

• Make interface list on configuration export page visible. [jensens] (#41)

plone.app.testing: 6.1.5 → 6.1.7

New features:

• Removed backwards compatibility code for old quickinstaller.
  Current plone.app.testing is only for Plone 5.2+, so this code was no longer used.
  See also PLIP 1775 <https://github.com/plone/Products.CMFPlone/issues/1775>_.
  [maurits] (#1775)

Bug fixes:

• Fixed test failure on Python 3 with Products.MailHost 4.10.
  [maurits] (#3178)

plone.app.textfield: 1.3.4 → 1.3.5

Bug fixes:

• Fixed deprecation warning for zope.component.interfaces.ComponentLookupError.
  [maurits] (#43)

plone.app.theming: 4.1.4 → 4.1.5

Bug fixes:

• Fixed WrongContainedType for hostnameBlackList on Zope 5.
  See also issue 183 <https://github.com/plone/plone.app.theming/issues/183>_.
  [maurits] (#183)

• Fixed deprecation warning for ConfigParser.readfp.
  [maurits] (#3130)

plone.app.upgrade: 2.0.34 → 2.0.36

Breaking changes:

• 6.0 alpha 1: remove the portal_quickinstaller tool.
  See PLIP 1775 <https://github.com/plone/Products.CMFPlone/issues/1775>_.
  [maurits] (#1775)

Bug fixes:

• Replaced import of plone.api, which should not be used by core.
  [maurits] (#241)

• Fixes a rare case in v52/betas while migration of relations: Missing attributes on cataloged relations are safely ignored.
  [jensens] (#244)

• Plone 5.1.7: Update resource registry last_compilation date.
  [maurits] (#1006)

• Catch deprecation warnings for webdav.LockItem.LockItem and CMFPlone.interfaces.ILanguageSchema.
  The first has been moved to OFS.LockItem, the second to plone.i18n.interfaces.
  In older upgrade code, we should still try the old import first.
  Fixed deprecation warning for zope.site.hooks.
  Fixed invalid escape sequence.
  [maurits] (#3130)

• Migrate the plone.site_logo field from ASCII (native string) to Bytes.
  Otherwise saving the site-controlpanel can fail with a WrongType error
  Fixes issue 3172 <https://github.com/plone/Products.CMFPlone/issues/3172>_.
  [maurits] (#3172)

plone.app.vocabularies: 4.2.0 → 4.2.1

Bug fixes:

• Fixed deprecation warning for zope.site.hooks. (#3130)

plone.app.widgets: 3.0.4 → 3.0.5

Bug fixes:

• Robot tests: Fix deprecated jQuery.size.
  [thet] (#207)

plone.app.workflow: 4.0.2 → 4.0.3

Bug fixes:

• Fixed deprecation warning for zope.component.interfaces.IComponentRegistry.
  Fixed deprecation warning for zope.site.hooks.
  [maurits] (#3130)

plone.app.z3cform: 3.2.1 → 3.2.2

Bug fixes:

• Fixed repeat syntax in multi input to also work in Zope 4.5.
  [maurits] (#116)

plone.behavior: 1.3.2 → 1.4.0

New features:

• Drop Plone 4.3 support.
  [maurits] (#3130)

Bug fixes:

• Fixed deprecation warning for ComponentLookupError.
  [maurits] (#3130)

plone.browserlayer: 2.2.3 → 2.2.4

Bug fixes:

• Fixed deprecation warning for zope.component.interfaces.IComponentRegistry.
  [maurits] (#3130)

plone.contentrules: 2.0.10 → 2.1.0

New features:

• Fixed deprecation warning for IObjectEvent/ObjectEvent from zope.component.
  Drops compatibility with Plone 5.0 and earlier.
  [maurits] (#3130)

plone.dexterity: 2.9.7 → 2.10.0

New features:

• Make sure that Dynamic schema is updated on all ZEO clients on change
  [@avoinea] (#136)

Bug fixes:

• Fixes test to work clean with zope.interface.
  Interfaces are hashed based on just their name and module.
  So every one of these local IBlank interfaces will hash the same way, and be treated the same for purposes of zope.interface's _dependents.
  Thus in tests mock interfaces must not be used under the same name in the same module.
  [jensens] (#135)

• Use mock from unittest on Python 3 [ale-rt]
  DefaultReadFile properly implements the IStreamIterator interface [ale-rt] (#138)

• Restore webdav support when the webdav library is importable [ale-rt] (#141)

• Fixed missing ISiteRoot utility when running tests with Zope 5.
  [maurits] (#680)

• Removed call of listing macro in content-core view for containers.
  It was broken. We now show the same as for items: only the fields.
  Fixes issue 3177 <https://github.com/plone/Products.CMFPlone/issues/3177>_.
  [maurits] (#3177)

plone.keyring: 3.1.2 → 3.1.3

Bug fixes:

• Fixed deprecation warning for zope.component.interfaces.IComponentRegistry.
  [maurits] (#3130)

plone.outputfilters: 4.0.1 → 4.0.2

Bug fixes:

• fix AttributeError: 'NoneType' object has no attribute 'unwrap' exception when a fullsize image is wrapped in an tag. [flipmcf] (#39)

• Fixed deprecation warning for html_quote.
  [maurits] (#3130)

• Update tests to fix updated schema cache.
  See https://github.com/plone/plone.dexterity/pull/137
  [@avoinea] (#30)

z3c.jbot: 0.8 → 1.1.0

plone.app.tiles: 3.1.3 → 3.2.0

plone.tiles: 2.2.2 → 2.3.0

New features:

• Drop Plone 4.3 support.
  [maurits] (#3130)

Bug fixes:

• Fixed deprecation warning for ComponentLookupError.
  [maurits] (#3130)

Products.Archetypes: 1.16.2 → 1.16.3

Bug fixes:

• Lifted the ceiling for the maximum date from end of 2020 to 2051.
  See issue 133 <https://github.com/plone/Products.Archetypes/issues/133>_. (#133)

Products.ATContentTypes: 3.0.3 → 3.0.4

Bug fixes:

• Drop use of test() in templates [pbauer] (#24)

I updated https://github.com/starzel/buildout to support 5.2.3 pending and updated 2 medium sized projects. I only encountered a issue with PrintingMailhost that I hopefully fiixed with https://github.com/collective/Products.PrintingMailHost/pull/9

A new release of Products.PrintingMailHost that and a updated version-pinn in https://dist.plone.org/release/5.2.3-pending/versions.cfg would be great.

What are the official support Python 3 versions? Is Python 3.9 officially supported?

Plone 5.2 does not support Python 3.9. Plone 6 should. At the moment tests are not running for Python 3.9 - but we're in the middle of development for Plone 6, so patience (or help) is needed.

I have released Products.PrintingMailHost 1.1.5 with your fix. Thanks!
I have updated the versions cfg on 5.2.3-pending, but the previous version is still cached for a while, as usual.
Meanwhile I have also uploaded the package files.
And I have compiled some high level release notes:

Release Notes Plone 5.2.3

Some highlights of this release are:

• zope.interface:
  Fixed potential memory leak, see https://github.com/zopefoundation/zope.interface/issues/216.
  Fixed inconsistent resolution orders, see https://github.com/zopefoundation/zope.interface/issues/199.

• plone.recipe.zope2instance: added options clear-untrusted-proxy-headers and max-request-body-size.

• Products.MailHost: support messages with explicit Content-Transfer-Encoding 8bit, see https://github.com/zopefoundation/Products.MailHost/issues/30.

• mockup: fix plone toolbar action links being updated only on the first navigation action in the folder_contents structure pattern.

• plone.staticresources: updated Bootstrap Icons to 1.0.0 final.

• plone.app.contenttypes: allow passing a custom catalog-query to migrateCustomAT to constrain which objects to migrate.

• plone.dexterity: make sure that Dynamic schema is updated on all ZEO clients on change.

• z3c.form/plone.app.z3cform: fixed compatibility with changed repeat syntax in Zope 4.4, see https://github.com/zopefoundation/z3c.form/issues/94.

• Products.ATContentTypes: drop use of test() in templates, unsupported since Zope 4.4.

• Lots of deprecation warnings fixed, especially during startup.

Beside some tests that needed to be updated after the changes in Products.MailHost I did not spot any issue.
Looks like a pretty good improvement.
Note: I was already using the most recent zope.interface, plone.dexterity and plone.app.z3cform packages with Plone 5.2.2.

Also I have this one pending https://github.com/plone/plone.app.testing/pull/73 but I do not really consider it as a blocker.

When you use backend.xml in your theme, upgrading to the current 5.2.3-pending could break the folder_content navigation syncing the links in the toolbar completely.

This is because of a mismatch between the Diazo rules in the normal rules.xml and the backend.xml rules. So if you use plonethene.barceloneta its backend.xml woth your own theme, take a look at https://github.com/plone/Products.CMFPlone/issues/3191

There was a long wait for stable mockup and plone.staticresources releases, but those are in. I have done an update on dist.plone.org with new releases for build, pep517, mockup, plone.app.testing, plone.staticresources, plonetheme.barceloneta.

I am hoping for a Zope release and a plone.app.locales release.

plone.app.locales and Zope have releases.

But Zope 4.5.2 has a small fix for encodings in HTTP headers, which causes problems on Python 2 (and less likely on Python 3). I at first noticed this in tests for plone.restapi, and likely not just the tests. Later I noticed this even broke simply viewing the homepage on Py 2... Meanwhile fixed in Zope, now hoping for another release.

And while we were waiting, some vulnerabilities were found in the way Plone is using lxml, and in one case urllib. An attacker can't really use this, unless he already has the Manager or Site Administrator role, so it is not too worrying (but someone should check my easyform fix). But we have PRs ready for the affected packages, so when the tests are green, we can merge and make a few more releases, and I can include those.

We have a new Zope 4.5.3 release, plus packages with security fixes.
I have updated https://dist.plone.org/release/5.2.3-pending/versions.cfg (but you may get an older version from the cache).
I have good hopes that this will be the last update before making the release final.

Can anyone do a last test?

I tested it in 2 projects and found no problems.

It works fine for me as well

Works fine - except for the issue with Plone scripts not being loaded

...same issue with latest barceloneta release.

It's a wrap. I have released Plone 5.2.3 final:

https://dist.plone.org/release/5.2.3/versions.cfg

Traditionally, the release is not really official until we have a Unified Installer. But it is proving difficult to create one, so we may want to change this tradition. The 5.2.3 versions file is considered the latest and greatest, and safe for production use, whether there is an installer or not.

Thanks! https://demo.plone.org and https://github.com/starzel/buildout are updated to use 5.2.3