Plone 6.0.8 has been soft-released. Please give it a try and let me know if there are any critical issues.
For those who haven't run across soft-releases before, this is the last step before the final release. Because things haven't been finalized yet, some packages may change between now and the release. It is not recommended to use soft-releases in production.

Release notes for Plone 6.0.8rc1

• Last updated: Friday October 27, 2023
• Check the release schedule.
• Read the upgrade guide, explaining the biggest changes compared to 5.2.
• Canonical place for these release notes and the full packages changelog.

If you want to jump straight in, here are two important links:

• With pip you can use the constraints file at https://dist.plone.org/release/6.0-dev/constraints.txt
• With Buildout you can use the versions file at https://dist.plone.org/release/6.0-dev/versions.cfg, plus optionally versions-extra.cfg and versions-ecosystem.cfg.

Highlights

Major changes since 6.0.7:

• plone.scale: Keep scaled WEBP images in WEBP format instead of converting to JPEG.
• plone.recipe.zope2instance: Add dos_protection config. See "Error when uploading large files" below.
• Zope:
  • Make sure the object title in the ZMI breadcrumbs is quoted to prevent a cross-site scripting issue.
  • Base the inline/attachment logic developed for CVE-2023-42458 on the media type proper (ignore parameters and whitespace and normalize to lowercase).
• plone.base: Move interface INameFromTitle from plone.app.content here.
  This helps avoiding a circular dependency between plone.app.dexterity and plone.app.content.
• plone.app.querystring: Add a way to specify a context for getting vocabularies in the QuerystringRegistryReader.
  See PR 137.

Error when uploading large files

With Zope 5.8.4+ (included in Plone 6.0.7) you may get zExceptions.BadRequest: data exceeds memory limit when uploading an image or file of more than 1 MB. This is at least true when you have plone.restapi installed, which is the case if you use the default frontend (Volto).
You have various ways to increase this limit.

If you use Buildout, you can add this in your instance/zeoclient recipe, and choose your own limit:

zope-conf-additional =
    <dos_protection>
      form-memory-limit 4MB
    </dos_protection>

If you used cookiecutter-zope-instance to create a Plone site, you can add these lines to etc/zope.conf, just like the latest development version offers:

<dos_protection>
  form-memory-limit 4MB
</dos_protection>

Of course you are free to choose a higher or lower limit.

Volto frontend

The default frontend for new Plone 6 sites is Volto. Latest release is 16.25.0. See the changelog.
Note that this is a JavaScript frontend that you need to run in a separate process with NodeJS.

Also, existing Plone sites need some or more extensive changes to be upgraded before they can use the Volto Frontend. Please read the guide on migrating from Plone Classic UI to Volto.

Note that Volto 17 is also available, and you can use it on Plone 6.0, but we will keep recommending Volto 16 by default.

Classic UI

The HTML based and server side rendered UI that was present in Plone 5.2 and earlier major Plone releases is still available and has also been updated and improved upon in Plone 6. Our documentation now refers to this frontend as 'Classic UI'. Support for Classic UI is especially relevant for existing Plone sites which for whatever reason or requirements are not yet ready to be upgraded to the Volto frontend.

Python compatibility

This release supports Python 3.8, 3.9, 3.10, and 3.11.

There is preliminary support for Python 3.12, but this is not officially recommended yet. Especially some changes in RestrictedPython may need to happen still.

pip, buildout, setuptools

In Plone core we use these versions to install Plone:

pip==23.3.1
setuptools==68.2.2
wheel==0.41.2
zc.buildout==3.0.1

In general you are free to use whatever versions work for you, but these worked for us.

Installation

For installation instructions, see the documentation.

Issues

If you find any issues, please report them in the main issue tracker.

plone.app.linkintegrity accidentally got downgraded to version 3. I updated it to 4.0.3.

I've tried this on 3 Classic-UI projects here and everything works like charm so far.

Works fine on a few projects with me as well.

But there are a few moving parts that would be good to solve first:

• revert a plone.base change?
• Fix problems related to the dos_protection remark in the release notes above: one or more fixes in plone.restapi and perhaps a new Zope which may increase one of the limits.

I wanted to get a release out today, before the end of October, but it feels better to postpone at least one day.

We are getting closer to a final 6.0.8 release. Now waiting for a plone.restapi fix for an error when uploading large files, mentioned in the release notes.

I have added some new releases on dist.plone.org:

plone.api 2.0.6

Bug fixes:

• More informative error message in plone.api.content.create() [ajung] (#516)

plone.app.content 4.1.0

Internal:

• Mark INameFromTitle deprecated, in this distribution, as it has been moved to plone.base.
  It will be removed in Plone 7.0.
  We do not show a deprecation warning, because doing so would break content types with this interface name in the behaviors list.
  Recommended is to use plone.namefromtitle as behavior name, then it works in all supported Plone versions.
  [gforcada] (#3858)

plone.app.dexterity 3.2.0

Internal:

• Make the dependency on plone.app.content conditional.
  This is for INameFromTitle, which we want to move to plone.base.
  [maurits] (#3858)

plone.namedfile 6.2.3

Bug fixes:

• Be more strict when checking if mimetype is allowed to be displayed inline.
  [maurits] (#1167)

plone.rest 4.1.2

Bug fixes:

• Fix parsing mimetypes in Accept header with an extra slash. @djay (#153)

plone.restapi 9.1.1

Bug fixes:

• Be more strict when checking if mimetype is allowed to be displayed inline.
  [maurits] (#1167)

Also, I missed some larger changes in plone.restapi that I should have added to the release notes:

plone.restapi:

• Remove deprecated @unlock, @refresh-lock endpoints
• Remove plone.tiles and the @tiles endpoint.
• Change the @linkintegrity endpoint to add items_total, the number of contained items which would be deleted.
• The default branch was renamed from master to main.
• Add support for getting the /@querystring endpoint in a specific context.

@mauritsvanrees p.restapi 9.1.2 is released.

We will need to update it in:
https://dist.plone.org/release/6.0-dev/versions.cfg

Thanks!

I was just about to post that I have updated it.
So we have plone.restapi 9.1.2 in with these changes:

Bug fixes:

• Fix jwt_auth extractCredentials plugin to only try to read credentials from the request body if there is a Content-Type: application/json header. @davisagli (#1728)
• Temporarily disable form memory limit checking for files and images.
  This fixes a regression due to a low Zope form memory limit of 1MB used since Plone 6.0.7.
  See CMFPlone issue 3848 <https://github.com/plone/Products.CMFPlone/issues/3848>_ and Zope PR 1142 <https://github.com/zopefoundation/Zope/pull/1142>_.
  @maurits (#3848)

Documentation:

• Remove regular expression from sphinx-copybutton configuration, now that linenos are excluded by default. @stevepiercy (#1725)

All signs are green for a Plone 6.0.8 final now. If someone can do a last check, that would be good. I will release the final later today.

Plone 6.0.8 final has been released:
https://dist.plone.org/release/6.0.8/.
Official announcements to follow later.