Should we remove security patches after a plone upgrade?

Tags:

plone

If a Plone version is upgraded, should security patches be removed?

Hypothetical example:

  • Plone X.4.4 is running with Security Patch-XYZ from May 4th 2015
  • Plone is upgraded to X.4.5 which is released after Security Patch-XYZ

I assume the security patches are included in the next release. Should they be removed from our build?

Thanks.

hietpasd asked Dec 10 '22 16:12


2 Answers

In general, yes. There is one exception to date: the 20151006 hotfix, which is only partially included in Plone 4.3.9. See the hotfix notes for details. The background is that this hotfix applies some very aggressive automated CSRF defenses that are not appropriate for all situations.

When in doubt, check the hotfix page or the full hotfix list.

SteveM answered Apr 02 '23 04:04


In addition to Steve's answer: it is advised to remove the hotfixes from your buildout when the patches are included in core Plone, but if you forget this, no breakage is expected. In most cases the worst that will happen is that you get a warning in the logs that a hotfix could not be cleanly applied.

maurits answered Apr 02 '23 04:04
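As an added example (not part of the question or either answer), the following Python script lists the Plone hotfix eggs still named in a buildout alongside the pinned Plone version, so that after an upgrade you can compare each hotfix against the hotfix page and decide which ones to drop from the build. The `buildout.cfg` content is constructed for the example; the `Products.PloneHotfixYYYYMMDD` egg name follows the naming the Plone hotfix packages use, and the parser is a deliberately minimal one (sections, `key = value`, indented continuation lines, `+=`), not zc.buildout itself.

```python
import re

# Constructed sample buildout.cfg for the example (not taken from the thread).
SAMPLE_BUILDOUT = """\
[buildout]
extends = versions.cfg
parts = instance

[instance]
recipe = plone.recipe.zope2instance
eggs =
    Plone
    Products.PloneHotfix20151006
    my.policy

[versions]
Plone = 4.3.9
Products.PloneHotfix20151006 = 1.1
"""

# Plone hotfix packages are named after the date they were released.
HOTFIX_RE = re.compile(r"^Products\.PloneHotfix(\d{8})$")


def parse_buildout(text):
    """Minimal parser for buildout's ini-like syntax.

    Handles [section] headers, 'key = value', 'key += value' (append) and
    indented continuation lines. It does not expand ${section:key}
    references, 'extends', or '-=' removal; that is enough to locate egg
    lists and version pins in a single file.
    """
    sections = {}
    section = None
    key = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith(("#", ";")):
            continue
        if raw.startswith("[") and raw.rstrip().endswith("]"):
            section = raw.strip()[1:-1]
            sections.setdefault(section, {})
            key = None
            continue
        if section is None:
            continue
        if raw[0].isspace() and key is not None:
            # Continuation line belongs to the previous key.
            sections[section][key] += "\n" + raw.strip()
            continue
        k, _, v = raw.partition("=")
        k = k.strip()
        op = ""
        if k.endswith(("+", "-")):
            op, k = k[-1], k[:-1].strip()
        key = k
        if op == "+":
            sections[section][key] = sections[section].get(key, "") + "\n" + v.strip()
        else:
            sections[section][key] = v.strip()
    return sections


def plone_version(text):
    """Return the pinned Plone version from [versions], or None if unpinned."""
    return parse_buildout(text).get("versions", {}).get("Plone")


def find_hotfix_eggs(text):
    """Return (section, egg, release_date, pinned_version) for every Plone
    hotfix egg listed in any section's 'eggs' option."""
    cfg = parse_buildout(text)
    versions = cfg.get("versions", {})
    found = []
    for name, opts in cfg.items():
        for egg in opts.get("eggs", "").split():
            m = HOTFIX_RE.match(egg)
            if m:
                found.append((name, egg, m.group(1), versions.get(egg)))
    return found


if __name__ == "__main__":
    print("Pinned Plone version:", plone_version(SAMPLE_BUILDOUT))
    for section, egg, date, pin in find_hotfix_eggs(SAMPLE_BUILDOUT):
        print(f"[{section}] {egg} (hotfix of {date}, pinned {pin}) "
              "- check the hotfix page for whether this release includes it")
```

Run it against your real `buildout.cfg` (and any file it `extends`) by reading the file into `find_hotfix_eggs`; each line it prints is a hotfix to look up on the hotfix list before removing it from `eggs` and `[versions]`.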