Merge branch 'master' into RestrictedPython-alpha

.travis.yml

@@ -3,9 +3,7 @@ language: python
 matrix:
     include:
         - python: "3.6"
-          env: TOXENV=lint-py36
-        - python: "3.5"
-          env: TOXENV=py35
+          env: TOXENV=lint
         - python: "3.6"
           env: TOXENV=py36
         - python: "3.7"
@@ -36,3 +34,4 @@ cache:
   pip: true
   directories:
     - eggs/
+

CHANGES.rst

@@ -1,30 +1,46 @@
 Change log
 ==========
 
-These are all the changes for Zope 5, starting with the alpha releases.
+These are all the changes for Zope 5, starting with the alpha releases,
+since the branch point at Zope 4.1.2.
 
 The change log for the previous version, Zope 4, is at
 https://github.com/zopefoundation/Zope/blob/4.x/CHANGES.rst
 
-5.0a2 (unreleased)
+
+5.0a3 (unreleased)
 ------------------
 
-(These are the changes since Zope 4.3 Besides the backwards incompatible
-changes all changes have been merged back to Zope 4.x.)
+- Drop support for Python 3.5 as it will run out of support soon.
+  (`#841 <https://github.com/zopefoundation/Zope/issues/841>`_)
 
-Backwards incompatible changes
-++++++++++++++++++++++++++++++
+- Decrease cookie size for copy/paste clipboard cookie
+  (`#854 <https://github.com/zopefoundation/Zope/issues/854>`_)
 
-- None, yet.
+- Fix ``default`` keyword handling in page templates
+  (`#846 <https://github.com/zopefoundation/Zope/issues/846>`_)
 
-New features
-++++++++++++
+- Fix parsing of package version and show correct major version in the ZMI
+
+- Improve solidity of the ``debugError`` method.
+  (`#829 <https://github.com/zopefoundation/Zope/issues/829>`_)
+
+- Use ``Chameleon`` (>= 3.7.2) configuration to get better
+  information for errors detected during template execution
+  (`#837 <https://github.com/zopefoundation/Zope/issues/837>`_).
 
-- Add preliminary support for Python 3.9: the latest pre-release is tested.
+
+5.0a2 (2020-04-24)
+------------------
 
 Bug fixes
 +++++++++
 
+- Pin ``AccessControl`` 4.2 for the `Manage WebDAV Locks` permission
+
+- Fix ``HEAD`` requests on registered views
+  (`#816 <https://github.com/zopefoundation/Zope/issues/816>`_)
+
 - Improve ``chameleon`` --> ``zope.tales`` context wrapper
   (support for template variable injection)
   (`#812 <https://github.com/zopefoundation/Zope/pull/812>`_).
@@ -44,7 +60,6 @@ Bug fixes
 - Fixed fallback implementation of ``manage_DAVget``
   (`#799 <https://github.com/zopefoundation/Zope/issues/799>`_)
 
-
 Other changes
 +++++++++++++
 
@@ -54,10 +69,6 @@ Other changes
 5.0a1 (2020-02-28)
 ------------------
 
-These are the changes since Zope 4.1.2 where the Zope 5 branch was created
-from. Besides the backwards incompatible changes all changes have been merged
-back to Zope 4.x.
-
 Backwards incompatible changes
 ++++++++++++++++++++++++++++++
 

appveyor.yml

@@ -6,8 +6,6 @@ environment:
     - TOXENV: py38
     - TOXENV: py37
     - TOXENV: py36
-    - TOXENV: py35
-    - TOXENV: lint-py36
 
 install:
   - pip install tox

buildout.cfg

@@ -148,7 +148,6 @@ recipe = zc.recipe.egg
 eggs =
     Zope[docs]
     Sphinx
-    tempstorage
 scripts =
     sphinx-build
 

constraints.txt

@@ -1,18 +1,18 @@
-AccessControl==4.1
+AccessControl==4.2
 Acquisition==4.6
 AuthEncoding==4.1
-BTrees==4.6.1
-Chameleon==3.7.0
+BTrees==4.7.2
+Chameleon==3.8.0
 DateTime==4.3
-DocumentTemplate==3.2.2
+DocumentTemplate==3.2.3
 ExtensionClass==4.4
 Missing==4.1
 MultiMapping==4.1
 Paste==3.4.0
 PasteDeploy==2.1.0
 Persistence==3.0
 Products.BTreeFolder2==4.2
-Products.ZCatalog==5.0.4
+Products.ZCatalog==5.1
 Record==3.5
 RestrictedPython==5.0
 SecretStorage==3.1.2
@@ -23,14 +23,14 @@ ZConfig==3.5.0
 ZEO==5.2.1
 ZODB==5.5.1
 Zope2==4.0
-cryptography==2.8
+cryptography==2.9.2
 five.localsitemanager==3.2.2
 funcsigs==1.0.2
 future==0.18.2
 ipaddress==1.0.23
 jeepney==0.4.3
 mock==4.0.2
-pbr==5.4.4
+pbr==5.4.5
 persistent==4.6.4
 pytz==2019.3
 roman==3.2
@@ -51,8 +51,8 @@ zope.browserresource==4.4
 zope.cachedescriptors==4.3.1
 zope.component==4.6.1
 zope.componentvocabulary==2.2.0
-zope.configuration==4.3.1
-zope.container==4.3.0
+zope.configuration==4.4.0
+zope.container==4.4.0
 zope.contentprovider==4.2.1
 zope.contenttype==4.5.0
 zope.datetime==4.2.0
@@ -61,32 +61,32 @@ zope.deprecation==4.4.0
 zope.dottedname==4.3
 zope.event==4.4
 zope.exceptions==4.3
-zope.filerepresentation==4.2.0
+zope.filerepresentation==5.0.0
 zope.formlib==4.7.1
 zope.globalrequest==1.5
 zope.hookable==5.0.1
 zope.i18n==4.7.0
 zope.i18nmessageid==5.0.1
-zope.interface==4.7.2
+zope.interface==5.1.0
 zope.lifecycleevent==4.3.0
 zope.location==4.2
 zope.pagetemplate==4.5.0
 zope.processlifetime==2.3.0
 zope.proxy==4.3.5
 zope.ptresource==4.2.0
-zope.publisher==5.1.1
+zope.publisher==5.2.0
 zope.ramcache==2.3
-zope.schema==4.9.3
+zope.schema==6.0.0
 zope.security==5.1.1
 zope.sendmail==5.0
 zope.sequencesort==4.1.2
-zope.site==4.2.2
+zope.site==4.3.0
 zope.size==4.3
 zope.structuredtext==4.3
 zope.tal==4.4
 zope.tales==5.0.2
 zope.testbrowser==5.5.1
 zope.testing==4.7
 zope.testrunner==5.1
-zope.traversing==4.3.1
+zope.traversing==4.4.1
 zope.viewlet==4.2.1

docs/INSTALL.rst

@@ -15,7 +15,7 @@ available:
 
 - A supported version of Python, including the development support if
   installed from system-level packages.  Supported versions include
-  **3.5** up to **3.8**.
+  **3.6** up to **3.8**.
 
 - Zope needs the Python ``zlib`` module to be importable.  If you are
   building your own Python from source, please be sure that you have the

docs/index.rst

@@ -10,6 +10,7 @@ This is the official home for all Zope documentation.
    operation
    migrations/index
    maintenance
+   roadmap
    changes
    zopebook/index
    zdgbook/index

docs/news.rst

@@ -20,7 +20,7 @@ What's new in Zope 5
 
 Dropped support for Python 2
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-Zope 5 supports Python 3 only, versions 3.5 up through 3.8. All support code
+Zope 5 supports Python 3 only, versions 3.6 up through 3.8. All support code
 and special casing for Python 2, including the use of the ``six`` package, have
 been removed.
 

docs/operation.rst

@@ -446,7 +446,7 @@ done.
 Troubleshooting
 ---------------
 
-- This version of Zope requires Python 3.5 and later.
+- This version of Zope requires Python 3.6 and later.
   It will *not* run with any version of PyPy.
 
 - To build Python extensions you need to have Python configuration

docs/roadmap.rst

@@ -0,0 +1,63 @@
+Zope development roadmap
+========================
+
+The Zope development and support roadmap. **Last updated: June 2020**
+
+
+Zope 2.13 - previous version
+----------------------------
+
+* Python support:
+
+    - 2.7
+
+* Support schedule:
+
+    - Full support: -
+    - Bug fixes: -
+    - Security fixes: until 12/31/2020 [1]_
+
+
+Zope 4 - stable version
+-----------------------
+
+* Python support:
+
+    - 2.7
+    - 3.5
+    - 3.6
+    - 3.7
+    - 3.8
+
+* Support schedule:
+
+    - Full support: until Zope 5.0 is released, planned for September 2020
+    - Bug fixes: until 12/31/2021
+    - Security fixes: until 12/31/2022 [2]_
+
+
+Zope 5 - development version
+----------------------------
+
+* Python support:
+
+    - 3.6
+    - 3.7
+    - 3.8
+    - 3.9 (may wait until Zope 5.1)
+
+* Support schedule:
+
+    - Full support: starting with the Zope 5.0 release, planned
+      for September 2020
+    - Bug fixes: TBD
+    - Security fixes: TBD
+
+
+See the `Plone release schedule <https://plone.org/download/release-schedule>`_
+for details about Plone version support. Zope will track some of their
+milestones with its own releases.
+
+
+.. [1] End of security fix support for Plone releases based on Zope 2.13
+.. [2] End of security fix support for Plone releases based on Zope 4

docs/zdgbook/Security.rst

@@ -38,8 +38,14 @@ determine whether to allow or deny access to a visitor for a
 particular object.  For example, when a user visits the root
 ``index_html`` object of your site via HTTP, the security policy is
 consulted by ``ZPublisher`` to determine whether the user has
-permission to view the ``index_html`` object itself.  For more
-information on this topic, see the chapter on :doc:`ObjectPublishing`.
+permission to view the ``index_html`` object itself.
+
+On top of that, the publisher also defines other rules to determine
+which objects can be published. The most important of these is that 
+objects which are published must have a docstring.
+
+For more information on this topic, see the chapter on 
+:doc:`ObjectPublishing`.
 
 
 How The Security Policy Relates to Restricted Code
@@ -129,6 +135,10 @@ In short, the default Zope security policy ensures the following:
   user does not possess a role that has been granted the permission
   in question, access is denied.
 
+- objects can only be published if they have a doc string. This
+  restriction exists outside the security policy itself. 
+
+
 As we delve further into Zope security within this chapter, we'll see
 exactly what it means to associate security information with an
 object.