I've a bit of fun debugging an authentication issue in an application that recently upgraded to Zope 3.4 (using the 3.4.0 KGS). The issue was that groups defined in ZCML (such as zope.Everybody) did not get applied to principals (if "applied" is the right word here). Debugging this led me to this quiet little marvel of code in zope.securitypolicy.zopepolicy: try: group = getPrincipal(group_id) except PrincipalLookupError: # It's bad if we have an undefined principal, # but we don't want to fail here. But we won't # honor any grants for the group. We'll just skip it. continue and from there to zope.app.authentication.authentication def getPrincipal(self, id): if not id.startswith(self.prefix): next = queryNextUtility(self, IAuthentication) if next is None: raise PrincipalLookupError(id) return next.getPrincipal(id) where queryNextUtility unexpectedly returned None instead of chaining to the global IAuthentication utility, which would know about groups such as 'zope.Everybody'. Comparing the database I have here (which has been in production for years) with a freshly-created new database I noticed a difference in LocalSiteManager's attributes: old db had __bases__ == (), new db had __bases__ = (<BaseGlobalComponents>, ). An hour of cursing and fighting buildout.cfg later, I had a branch of zope.app.component where I could run the test suite. I could reproduce the issue in the unit tests and released a fix as zope.app.component 3.4.2. This is a pretty serious issue, so I'd appreciate some review from people who know about local component registries. The fix is here: http://svn.zope.org/zope.app.component/?rev=101931&view=rev I'm also wondering whether we ought to release an updated versions.cfg (as Zope KGS 3.4.1 perhaps), since the BBB issue is insidious and difficult to notice. Marius Gedminas -- http://pov.lt/ -- Zope 3 consulting and development