Plone 5.2.3 soft released

Plone 5.2.3 has been soft-released. Please give it a try and let me know if there are any critical issues.

For those who haven't run across soft-releases before, this is the last step before the final release. Because things haven't been finalized yet, some packages may change between now and the release. It is not recommended to use soft-releases in production.

I have not yet uploaded the packages to, but they are not really needed. The main 'meta' files are there.

See also the release checklist on GitHub.

Detailed changelog compared to 5.2.2:

plone.recipe.zope2instance: 6.7.5 → 6.8.1

New features:

  • Added option clear-untrusted-proxy-headers, with default false.
    See waitress documentation on clear_untrusted_proxy_headers <>.
    Fixes a deprecation warning <>
    [maurits] (#142)

  • Added option max-request-body-size, with default 1073741824.
    See waitress documentation on max_request_body_size <>_.
    [mpeeters] (#155)

Bug fixes:

  • Properly disable access-log for WSGI.
    [tschorr] (#159)

  • Add GitHub Actions to project.
    Run tests there in a matrix against Zope 4 and Zope 5, Windows and Linux, Python 27, 3.6, 3.7 and 3.8.
    Testing Python 2.7 on Windows is skipped.
    Refactor tox test setup slightly, do not use tox on GitHub.
    Split up tests in smaller easier to maintain files.
    Fix tests to run on Windows without tocuhing the recipe code (the Windows code is not perfect right now, but it test are reflecting current state).
    This primary includes respecting path-handling (backslash vs slash), conditional instance generation and differences in wsgi configurations.
    Also resolves "unclosed files" warnings.
    Reflect Zope 5 and so Plone 6.0 support in trove classifiers.
    [jensens] (#150)

zest.releaser: 6.21.1 → 6.22.1 1.5.4 → 1.5.6

New features:

  • Removed backwards compatibility code for old quickinstaller.
    Current is only for Plone 5.2+, so this code was no longer used.
    See also PLIP 1775 <>_.
    [maurits] (#1775)

Bug fixes:

  • Fixed error Variable '${CMFPLONE_SELECTORS}' not found on Plone 6.
    [maurits] (#680)

  • Fixed DeprecationWarning: invalid escape sequence.
    [maurits] (#3130)

zope.interface: 5.0.2 → 5.1.2

  • Make sure to call each invariant only once when validating invariants.
    Previously, invariants could be called multiple times because when an
    invariant is defined in an interface, it's found by in all interfaces
    inheriting from that interface. See pull request 215 <>_.

  • Fix the method definitions of IAdapterRegistry.subscribe,
    subscriptions and subscribers. Previously, they all were
    defined to accept a name keyword argument, but subscribers have
    no names and the implementation of that interface did not accept
    that argument. See issue 208 <>_.

  • Fix a potential reference leak in the C optimizations. Previously,
    applications that dynamically created unique Specification
    objects (e.g., used @implementer on dynamic classes) could
    notice a growth of small objects over time leading to increased
    garbage collection times. See issue 216 <>_.

    .. caution::

    This leak could prevent interfaces used as the bases of
    other interfaces from being garbage collected. Those interfaces
    will now be collected.

    One way in which this would manifest was that weakref.ref
    objects (and things built upon them, like
    Weak[Key|Value]Dictionary) would continue to have access to
    the original object even if there were no other visible
    references to Python and the original object should have been
    collected. This could be especially problematic for the
    WeakKeyDictionary when combined with dynamic or local
    (created in the scope of a function) interfaces, since interfaces
    are hashed based just on their name and module name. See the
    linked issue for an example of a resulting KeyError.

    Note that such potential errors are not new, they are just once
    again a possibility.

  • Make @implementer(*iface) and classImplements(cls, *iface)
    ignore redundant interfaces. If the class already implements an
    interface through inheritance, it is no longer redeclared
    specifically for cls. This solves many instances of inconsistent
    resolution orders, while still allowing the interface to be declared
    for readability and maintenance purposes. See issue 199 <>_.

  • Remove all bare except: statements. Previously, when accessing
    special attributes such as __provides__, __providedBy__,
    __class__ and __conform__, this package wrapped such access
    in a bare except: statement, meaning that many errors could pass
    silently; typically this would result in a fallback path being taken
    and sometimes (like with providedBy()) the result would be
    non-sensical. This is especially true when those attributes are
    implemented with descriptors. Now, only AttributeError is
    caught. This makes errors more obvious.

    Obviously, this means that some exceptions will be propagated
    differently than before. In particular, RuntimeError raised by
    Acquisition in the case of circular containment will now be
    propagated. Previously, when adapting such a broken object, a
    TypeError would be the common result, but now it will be a more
    informative RuntimeError.

    In addition, ZODB errors like POSKeyError could now be
    propagated where previously they would ignored by this package.

    See issue 200 <>_.

  • Require that the second argument (bases) to InterfaceClass is
    a tuple. This only matters when directly using InterfaceClass to
    create new interfaces dynamically. Previously, an individual
    interface was allowed, but did not work correctly. Now it is
    consistent with type and requires a tuple.

  • Let interfaces define custom __adapt__ methods. This implements
    the other side of the :pep:246 adaptation protocol: objects being
    adapted could already implement __conform__ if they know about
    the interface, and now interfaces can implement __adapt__ if
    they know about particular objects. There is no performance penalty
    for interfaces that do not supply custom __adapt__ methods.

    This includes the ability to add new methods, or override existing
    interface methods using the new @interfacemethod decorator.

    See issue 3 <>_.

  • Make the internal singleton object returned by APIs like
    implementedBy and directlyProvidedBy for objects that
    implement or provide no interfaces more immutable. Previously an
    internal cache could be mutated. See issue 204 <>_.

Products.MailHost: 4.9 → 4.10

  • We depend on zope.sendmail >= 5.1.

  • Support messages with explicit Content-Transfer-Encoding: 8bit
    (#30 <>_).

calmjs.parse: 1.2.4 → 1.2.5

icalendar: 4.0.6 → 4.0.7

Bug fixes:

  • fixed rrule handling, re-enabled test_create_america_new_york()

mockup: 3.2.2 → 3.2.3

Bug fixes:

  • Fix building of the docs bundle.
    [thet] (#980)

  • Fix external description text in tinymce link popup
    [parruc] (#1010)

  • Bump bl from 4.0.2 to 4.0.3 [dependabot, jensens] (#1014)

  • Bumps lodash from 4.17.15 to 4.17.20. [dependabot, jensens] (#1015)

  • Fix plone toolbar action links being updated only on the first navigation action in the folder_contents structure pattern. [fredvd] (#3191)

Plone: 5.2.2 → 5.2.3

Bug fixes:

  • Release Plone 5.2.3 final

plone.api: 1.10.2 → 1.10.4

Bug fixes:

  • Fixed test failures on Python 3 with Products.MailHost 4.10.
    [maurits] (#3178)

  • Fixed deprecation warning for CMFPlone.interfaces.ILanguageSchema.
    [maurits] (#3130) 2.0.6 → 2.0.8

Bug fixes:

  • Do not assume request or request.URL is a string. It might be None. [jensens, iham] (#59)

  • Remove hopelessly outdated proxy config examples.
    Look at plone.recipe.varnish for excellent examples!
    [jensens] (#64)

  • Fixed invalid escape sequences.
    [maurits] (#3130) 3.8.6 → 3.8.7

Bug fixes:

  • Fixed deprecation warning for IFieldPermissionChecker.
    [maurits] (#3130) 2.0.2 → 2.0.3

Bug fixes:

  • Fixed deprecation warning for LazyCat/LazyMap.
    [maurits] (#3130) 4.1.4 → 4.1.5

Bug fixes:

  • Fixed deprecation warning for ComponentLookupError.
    Fixed deprecation warning for
    Fixed deprecation warning for IObjectEvent from zope.component.
    [maurits] (#3130)

  • Fixed test failures on Python 3 with Products.MailHost 4.10.
    [maurits] (#3178) 2.1.10 → 2.2.1

New features:

  • Allow passing a custom catalog-query to migrateCustomAT to constrain which objects to migrate. [pbauer] (#572)

Bug fixes: 2.6.5 → 2.6.7

Bug fixes: 3.4.2 → 3.4.3

Bug fixes:

  • Fix tests with Products.MailHost 4.10.
    [maurits] (#3178) 3.2.7 → 3.2.9

Bug fixes:

  • Replaced deprecated plone.testing.z2 imports with plone.testing.zope, where possible.
    [maurits] (#3130)

  • Fixed deprecation warning for setDefaultRoles.
    [maurits] (#3130) 1.3.1 → 1.3.2

Bug fixes:

  • Removed ancient migration code for upgrading BTree folder from Plone 3 to 4.
    The code, or at least the tests, are incompatible with the latest zope.interface.
    Current is only for Plone 5.2, so the code is not needed.
    [maurits] (#24) 3.3.14 → 3.3.15

Bug fixes:

  • Remove relationship between baseline and working copy, when wc is removed.
    [frapell] (#77)

  • Fixed deprecation warning for ObjectEvent and IObjectEvent.
    Moved all code from to to avoid confusion with profiles directory.
    [maurits] (#3130) 3.4.4 → 3.4.6

Bug fixes:

  • Fixed various deprecation warnings.
    [maurits] (#3130)

  • Made the error page recognisable again in the body classes.
    Instead of template-index-html you now get template-error_message-pt.
    Compatibility note: in Plone 5.1 and earlier, this was template-default_error_message.
    [maurits] (#242) 3.3.13 → 3.3.14

Bug fixes:

  • Fixed deprecation warning for ComponentLookupError.
    [maurits] (#3130) 5.1.24 → 5.1.26

  • Update Italian translations

  • Minor fix in German translation.
    [jensens] 5.6.1 → 5.6.2

Bug fixes:

  • Fixed deprecation warning for ComponentLookupError.
    Fixed deprecation warning for ILanguageSchema, depend on plone.i18n 4.0.4.
    Fixed deprecation warning for IObjectEvent from zope.component.
    Fixed deprecation warning for
    [maurits] (#3130) 4.4.5 → 4.4.6

Bug fixes:

  • fixes index error in navigation portlet caused by unknown mimetypes without
    entry in mimetype registry (cmfplone-2882)

  • Fixed deprecation warning for zope.component.interfaces.IComponentRegistry.
    [maurits] (#3130) 1.7.6 → 1.7.7

Bug fixes:

  • Make interface list on configuration export page visible. [jensens] (#41) 6.1.5 → 6.1.7

New features:

  • Removed backwards compatibility code for old quickinstaller.
    Current is only for Plone 5.2+, so this code was no longer used.
    See also PLIP 1775 <>_.
    [maurits] (#1775)

Bug fixes:

  • Fixed test failure on Python 3 with Products.MailHost 4.10.
    [maurits] (#3178) 1.3.4 → 1.3.5

Bug fixes:

  • Fixed deprecation warning for zope.component.interfaces.ComponentLookupError.
    [maurits] (#43) 4.1.4 → 4.1.5

Bug fixes:

  • Fixed WrongContainedType for hostnameBlackList on Zope 5.
    See also issue 183 <>_.
    [maurits] (#183)

  • Fixed deprecation warning for ConfigParser.readfp.
    [maurits] (#3130) 2.0.34 → 2.0.36

Breaking changes:

  • 6.0 alpha 1: remove the portal_quickinstaller tool.
    See PLIP 1775 <>_.
    [maurits] (#1775)

Bug fixes:

  • Replaced import of plone.api, which should not be used by core.
    [maurits] (#241)

  • Fixes a rare case in v52/betas while migration of relations: Missing attributes on cataloged relations are safely ignored.
    [jensens] (#244)

  • Plone 5.1.7: Update resource registry last_compilation date.
    [maurits] (#1006)

  • Catch deprecation warnings for webdav.LockItem.LockItem and CMFPlone.interfaces.ILanguageSchema.
    The first has been moved to OFS.LockItem, the second to plone.i18n.interfaces.
    In older upgrade code, we should still try the old import first.
    Fixed deprecation warning for
    Fixed invalid escape sequence.
    [maurits] (#3130)

  • Migrate the plone.site_logo field from ASCII (native string) to Bytes.
    Otherwise saving the site-controlpanel can fail with a WrongType error
    Fixes issue 3172 <>_.
    [maurits] (#3172) 4.2.0 → 4.2.1

Bug fixes:

  • Fixed deprecation warning for (#3130) 3.0.4 → 3.0.5

Bug fixes:

  • Robot tests: Fix deprecated jQuery.size.
    [thet] (#207) 4.0.2 → 4.0.3

Bug fixes:

  • Fixed deprecation warning for zope.component.interfaces.IComponentRegistry.
    Fixed deprecation warning for
    [maurits] (#3130) 3.2.1 → 3.2.2

Bug fixes:

  • Fixed repeat syntax in multi input to also work in Zope 4.5.
    [maurits] (#116)

plone.behavior: 1.3.2 → 1.4.0

New features:

  • Drop Plone 4.3 support.
    [maurits] (#3130)

Bug fixes:

  • Fixed deprecation warning for ComponentLookupError.
    [maurits] (#3130)

plone.browserlayer: 2.2.3 → 2.2.4

Bug fixes:

  • Fixed deprecation warning for zope.component.interfaces.IComponentRegistry.
    [maurits] (#3130)

plone.contentrules: 2.0.10 → 2.1.0

New features:

  • Fixed deprecation warning for IObjectEvent/ObjectEvent from zope.component.
    Drops compatibility with Plone 5.0 and earlier.
    [maurits] (#3130)

plone.dexterity: 2.9.7 → 2.10.0

New features:

  • Make sure that Dynamic schema is updated on all ZEO clients on change
    [@avoinea] (#136)

Bug fixes:

  • Fixes test to work clean with zope.interface.
    Interfaces are hashed based on just their name and module.
    So every one of these local IBlank interfaces will hash the same way, and be treated the same for purposes of zope.interface's _dependents.
    Thus in tests mock interfaces must not be used under the same name in the same module.
    [jensens] (#135)

  • Use mock from unittest on Python 3 [ale-rt]
    DefaultReadFile properly implements the IStreamIterator interface [ale-rt] (#138)

  • Restore webdav support when the webdav library is importable [ale-rt] (#141)

  • Fixed missing ISiteRoot utility when running tests with Zope 5.
    [maurits] (#680)

  • Removed call of listing macro in content-core view for containers.
    It was broken. We now show the same as for items: only the fields.
    Fixes issue 3177 <>_.
    [maurits] (#3177)

plone.keyring: 3.1.2 → 3.1.3

Bug fixes:

  • Fixed deprecation warning for zope.component.interfaces.IComponentRegistry.
    [maurits] (#3130)

plone.outputfilters: 4.0.1 → 4.0.2

Bug fixes:

plone.portlet.collection: 3.3.3 → 3.3.5

Bug fixes:

  • Removed fallback import of is_default_page.
    Fixed various DeprecationWarnings.
    [maurits] (#3130)

  • Fixed deprecation warning for setDefaultRoles.
    [maurits] (#3130)

plone.portlet.static: 3.1.4 → 3.1.6

Bug fixes:

  • Removed Plone 4 compatibility code.
    [maurits] (#19)

  • Fixed invalid escape sequence.
    [maurits] (#3130)

  • Fixed startup warning for setDefaultRoles.
    [maurits] (#17)

plone.protect: 4.1.5 → 4.1.6

Bug fixes:

  • Fixed deprecation warning for webdav.Lockable.LockableItem.
    [maurits] (#3130)

plone.resource: 2.1.2 → 2.1.3

Bug fixes:

  • Fixed various warnings.
    [maurits] (#3130)

plone.restapi: 6.13.7 → 6.15.0

plone.resourceeditor: 3.0.2 → 3.0.3

Bug fixes:

  • Fixed invalid escape sequences.
    [maurits] (#3130)

plone.scale: 3.1.1 → 3.1.2

Bug fixes:

  • Resolve deprecation warning [gforcada] (#42)

plone.schemaeditor: 3.0.1 → 3.0.2

Bug fixes:

  • Fixed deprecation warning for ObjectEvent.
    [maurits] (#3130)

plone.staticresources: 1.3.2 → 1.4.0

New features:

  • Updated Bootstrap Icons to 1.0.0 final.
    [santonelli] (#3162)

Bug fixes:

  • Bumps bl from 4.0.2 to 4.0.3. [dependabot, jensens] (#97)

  • Build bundles with latest mockup 3.x.
    [maurits] (#1026)

  • Fixed deprecation warning for
    [maurits] (#3130)

plone.stringinterp: 1.3.2 → 1.3.3

Bug fixes:

  • Resolve deprecation warning [gforcada] (#14)

plone.subrequest: 1.9.2 → 1.9.3

Bug fixes:

  • Fixed deprecation warning for
    [maurits] (#24)

plone.testing: 8.0.1 → 8.0.2

Bug fixes:

  • update isort configuration for version 5 of isort (#75)

Products.CMFDiffTool: 3.3.1 → 3.3.2

Bug fixes:

  • Fixed invalid escape sequences.
    [maurits] (#3130)

Products.CMFFormController: 4.1.2 → 4.1.4

Bug fixes:

  • Tests: set request method to POST in a way that works on Plone 6 as well.
    [maurits] (#3057)

  • Removed security declaration for nonexistent method ZPythonScriptHTML_changePrefs.
    This method was removed from Products.PythonScripts in version 4.2, from October 2018.
    Added Products.PythonScripts>=4.2 as dependency.
    Fixed deprecation warning for module imp.
    Fixed invalid escape sequence.
    [maurits] (#3130)

Products.CMFPlacefulWorkflow: 2.0.2 → 2.0.3

Bug fixes:

  • Fix deprecation warning at startup for setDefaultRoles.
    [maurits] (#34)

Products.CMFPlone: 5.2.2 → 5.2.3rc1

Products.CMFUid: 3.0.2 → 3.1.0

  • Fixed deprecation warning for zope.component.interfaces.IObjectEvent.

  • Drop support for python test which is broken in Python 3.7+.

Products.ExtendedPathIndex: 4.0.0 → 4.0.1

Bug fixes:

  • unpin zc.buildout

  • pin versions to Zope 4 (otherwise Python 2.7 version cannot be built anymore)

  • update tox.ini to align with setup classifiers

  • add Products.ZCatalog to's install_requires, as it is no longer part of Zope core (#17)

Products.ExternalEditor: 3.0 → 3.0.1

Bug fixes:

  • Add support for recent Python 3 versions [ale-rt]

Products.GenericSetup: 2.0.2 → 2.0.3

  • When logging an upgrade, print the version tuple joined by dots.

  • Renamed xml dir to xml_templates.
    This avoids an import warning on Python 2.7.

Products.isurlinportal: 1.1.0 → 1.1.1

Bug fixes:

  • Add testing for Python 3.6 + 3.8; add Python 3.8 trove classifier.
    [tschorr] (#3)

Products.MimetypesRegistry: 2.1.7 → 2.1.8

Bug fixes:

  • Fixed invalid escape sequences.
    [maurits] (#3130)

Products.PluggableAuthService: 2.4.0 → 2.5

Products.PortalTransforms: 3.1.8 → 3.1.10

Bug fixes:

  • Fixed invalid escape sequences.
    [maurits] (#3130)

  • Fixed deprecation warning for DocumentTemplate.DT_Util.html_quote.
    [maurits] (#41)

Products.Sessions: 4.6 → 4.8

  • Don't break completely when no session data container is available
    (#35 <>_)

  • Make the product compatible with transaction version 3
    (#32 <>_)

z3c.form: 3.7.0 → 3.7.1

  • Fixed possible UnicodeDecodeError in on Python 3.6.
    Put the long description in setup.cfg, without replacing characters.

  • Drop Python 3.4 support. Add 3.7 and 3.8 support.

  • Fixed compatibility with changed repeat syntax.
    Fixes issue 94 <>_. 2.0.2 → 2.0.3

Bug fixes:

z3c.jbot: 0.8 → 1.1.0 3.1.3 → 3.2.0

plone.tiles: 2.2.2 → 2.3.0

New features:

  • Drop Plone 4.3 support.
    [maurits] (#3130)

Bug fixes:

  • Fixed deprecation warning for ComponentLookupError.
    [maurits] (#3130)

Products.Archetypes: 1.16.2 → 1.16.3

Bug fixes:

  • Lifted the ceiling for the maximum date from end of 2020 to 2051.
    See issue 133 <>_. (#133)

Products.ATContentTypes: 3.0.3 → 3.0.4

Bug fixes:

  • Drop use of test() in templates [pbauer] (#24)
1 Like

I updated to support 5.2.3 pending and updated 2 medium sized projects. I only encountered a issue with PrintingMailhost that I hopefully fiixed with

A new release of Products.PrintingMailHost that and a updated version-pinn in would be great.

What are the official support Python 3 versions? Is Python 3.9 officially supported?

Plone 5.2 does not support Python 3.9. Plone 6 should. At the moment tests are not running for Python 3.9 - but we're in the middle of development for Plone 6, so patience (or help) is needed.

1 Like

I have released Products.PrintingMailHost 1.1.5 with your fix. Thanks!
I have updated the versions cfg on 5.2.3-pending, but the previous version is still cached for a while, as usual.
Meanwhile I have also uploaded the package files.
And I have compiled some high level release notes:

Release Notes Plone 5.2.3

Some highlights of this release are:

  • zope.interface:
    Fixed potential memory leak, see
    Fixed inconsistent resolution orders, see

  • plone.recipe.zope2instance: added options clear-untrusted-proxy-headers and max-request-body-size.

  • Products.MailHost: support messages with explicit Content-Transfer-Encoding 8bit, see

  • mockup: fix plone toolbar action links being updated only on the first navigation action in the folder_contents structure pattern.

  • plone.staticresources: updated Bootstrap Icons to 1.0.0 final.

  • allow passing a custom catalog-query to migrateCustomAT to constrain which objects to migrate.

  • plone.dexterity: make sure that Dynamic schema is updated on all ZEO clients on change.

  • z3c.form/ fixed compatibility with changed repeat syntax in Zope 4.4, see

  • Products.ATContentTypes: drop use of test() in templates, unsupported since Zope 4.4.

  • Lots of deprecation warnings fixed, especially during startup.

Beside some tests that needed to be updated after the changes in Products.MailHost I did not spot any issue.
Looks like a pretty good improvement.
Note: I was already using the most recent zope.interface, plone.dexterity and packages with Plone 5.2.2.

Also I have this one pending but I do not really consider it as a blocker.

1 Like

When you use backend.xml in your theme, upgrading to the current 5.2.3-pending could break the folder_content navigation syncing the links in the toolbar completely.

This is because of a mismatch between the Diazo rules in the normal rules.xml and the backend.xml rules. So if you use plonethene.barceloneta its backend.xml woth your own theme, take a look at

There was a long wait for stable mockup and plone.staticresources releases, but those are in. I have done an update on with new releases for build, pep517, mockup,, plone.staticresources, plonetheme.barceloneta.

I am hoping for a Zope release and a release.

1 Like and Zope have releases.

But Zope 4.5.2 has a small fix for encodings in HTTP headers, which causes problems on Python 2 (and less likely on Python 3). I at first noticed this in tests for plone.restapi, and likely not just the tests. Later I noticed this even broke simply viewing the homepage on Py 2... Meanwhile fixed in Zope, now hoping for another release.

And while we were waiting, some vulnerabilities were found in the way Plone is using lxml, and in one case urllib. An attacker can't really use this, unless he already has the Manager or Site Administrator role, so it is not too worrying (but someone should check my easyform fix). But we have PRs ready for the affected packages, so when the tests are green, we can merge and make a few more releases, and I can include those.

1 Like

We have a new Zope 4.5.3 release, plus packages with security fixes.
I have updated (but you may get an older version from the cache).
I have good hopes that this will be the last update before making the release final.

Can anyone do a last test?

1 Like

I tested it in 2 projects and found no problems.

1 Like

It works fine for me as well :slight_smile:

Works fine - except for the issue with Plone scripts not being loaded

...same issue with latest barceloneta release.

It's a wrap. I have released Plone 5.2.3 final:

Traditionally, the release is not really official until we have a Unified Installer. But it is proving difficult to create one, so we may want to change this tradition. The 5.2.3 versions file is considered the latest and greatest, and safe for production use, whether there is an installer or not.


:clap: Thanks! and are updated to use 5.2.3