---
- branch: MAIN
  date: Tue Jul 18 15:54:43 UTC 2023
  files:
  - new: '1.49'
    old: '1.48'
    path: pkgsrc/security/py-paramiko/Makefile
    pathrev: pkgsrc/security/py-paramiko/Makefile@1.49
    type: modified
  - new: '1.19'
    old: '1.18'
    path: pkgsrc/security/py-paramiko/PLIST
    pathrev: pkgsrc/security/py-paramiko/PLIST@1.19
    type: modified
  - new: '1.32'
    old: '1.31'
    path: pkgsrc/security/py-paramiko/distinfo
    pathrev: pkgsrc/security/py-paramiko/distinfo@1.32
    type: modified
  id: 20230718T155443Z.a68823db7ff728177107d6b004dfe75f64417bd5
  log: "py-paramiko: updated to 3.2.0\n\n3.2.0 2023-05-25\n[Feature]: PKey grew a
    new .fingerprint property which emits a fingerprint string matching the SHA256+Base64
    values printed by various OpenSSH tooling (eg ssh-add -l, ssh -v). This is intended
    to help troubleshoot Paramiko-vs-OpenSSH behavior and will eventually replace
    the venerable get_fingerprint method.\n\n[Feature]: PKey grew a new .algorithm_name
    property which displays the key algorithm; this is typically derived from the
    value of get_name. For example, ED25519 keys have a get_name of ssh-ed25519 (the
    SSH protocol key type field value), and now have a algorithm_name of ED25519.\n\n[Feature]:
    PKey now offers convenience 窶å¾\x87eta-constructors窶�, static methods that
    simplify the process of instantiating the correct subclass for a given key input.\n\nFor
    example, PKey.from_path can load a file path without knowing a priori what type
    of key it is (thanks to some handy methods within our cryptography dependency).
    Going forwards, we expect this to be the primary method of loading keys by user
    code that runs on 窶å¾\x82uman time窶� (i.e. where some minor efficiencies
    are worth the convenience).\n\nIn addition, PKey.from_type_string now exists,
    and is being used in some internals to load ssh-agent keys.\n\nAs part of these
    changes, PKey and friends grew an identifiers classmethod; this is inspired by
    the supported_key_format_identifiers classmethod (which now refers to the new
    method.) This also includes adding a .name attribute to most key classes (which
    will eventually replace .get_name().\n\n[Feature]: Enhanced AgentKey with new
    attributes, such as:\n\nAdded a comment attribute (and constructor argument);
    Agent.get_keys() now uses this kwarg to store any comment field sent over by the
    agent. The original version of the agent feature inexplicably did not store the
    comment anywhere.\nAgent-derived keys now attempt to instantiate a copy of the
    appropriate key class for access to other algorithm-specific members (eg key size).
    This is available as the .inner_key attribute.\nNote\nThis functionality is now
    in use in Fabric窶å\x86± new --list-agent-keys feature, as well as in Paramiko窶å\x86±
    debug logging.\n[Feature] Users of SSHClient can now configure the authentication
    logic Paramiko uses when connecting to servers; this functionality is intended
    for advanced users and higher-level libraries such as Fabric. See auth_strategy
    for details.\n\nFabric窶å\x86± co-temporal release includes a proof-of-concept
    use of this feature, implementing an auth flow much closer to that of the OpenSSH
    client (versus Paramiko窶å\x86± legacy behavior). It is strongly recommended
    that if this interests you, investigate replacing any direct use of SSHClient
    with Fabric窶å\x86± Connection.\n\nWarning\nThis feature is EXPERIMENTAL; please
    see its docs for details.\n[Feature]: Implement _fields() on AgentKey so that
    it may be compared (via ==) with other PKey instances.\n\n[Bug]: AgentKey had
    a dangling Python 3 incompatible __str__ method returning bytes. This method has
    been removed, allowing the superclass窶� (PKey) method to run instead.\n\n[Bug]
    Since its inception, Paramiko has (for reasons lost to time) implemented authentication
    as a side effect of handling affirmative replies to MSG_SERVICE_REQUEST protocol
    messages. What this means is Paramiko makes one such request before every MSG_USERAUTH_REQUEST,
    i.e. every auth attempt.\n\nOpenSSH doesn窶å\x86² care if clients send multiple
    service requests, but other server implementations are often stricter in what
    they accept after an initial service request (due to the RFCs not being clear).
    This can result in odd behavior when a user doesn窶å\x86² authenticate successfully
    on the very first try (for example, when the right key for a target host is the
    third in one窶å\x86± ssh-agent).\n\nThis version of Paramiko now contains an
    opt-in Transport subclass, ServiceRequestingTransport, which more-correctly implements
    service request handling in the Transport, and uses an auth-handler subclass internally
    which has been similarly adapted. Users wanting to try this new experimental code
    path may hand this class to SSHClient.connect as its transport_factory kwarg.\n\nWarning\nThis
    feature is EXPERIMENTAL and its code may be subject to change.\n\nIn addition:\nminor
    backwards incompatible changes exist in the new code paths, most notably the removal
    of the (inconsistently applied and rarely used) event arguments to the auth_xxx
    methods.\nGSSAPI support has only been partially implemented, and is untested.\nNote\nSome
    minor backwards-compatible changes were made to the existing Transport and AuthHandler
    classes to facilitate the new code. For example, Transport._handler_table and
    AuthHandler._client_handler_table are now properties instead of raw attributes.\n[Bug]
    The server-sig-algs and RSA-SHA2 features added around Paramiko 2.9 or so, had
    the annoying side effect of not working with servers that don窶å\x86² support
    either of those feature sets, requiring use of disabled_algorithms to forcibly
    disable the SHA2 algorithms on Paramiko窶å\x86± end.\n\nThe experimental ServiceRequestingTransport
    (noted in its own entry in this changelog) includes a fix for this issue, specifically
    by falling back to the same algorithm as the in-use pubkey if it窶å\x86± in the
    algorithm list (leaving the 窶彷irst algorithm in said list窶� as an absolute
    final fallback).\n\n[Bug]: Fixed a very sneaky bug found at the apparently rarely-traveled
    intersection of RSA-SHA2 keys, certificates, SSH agents, and stricter-than-OpenSSH
    server targets. This manifested as yet another 窶忤ell, if we turn off SHA2
    at one end or another, everything works again窶� problem, for example with
    version 12 of the Teleport server endpoint.\n\nThis has been fixed; Paramiko tweaked
    multiple aspects of how it requests agent signatures, and the agent appears to
    do the right thing now.\n"
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/security/py-paramiko'
  unixtime: '1689695683'
  user: adam