For some time now, plans to switch Paramiko’s crypto backend from PyCrypto to PyCA’s Cryptography have been in motion. (Sometimes, slow-motion. Sorry.) These efforts are drawing to a close, and because they represent a nontrivial change in install dependencies – even though there aren’t any public API changes – we’re going to call the result Paramiko 2.0.

Why the switch?

There are a few great reasons for this move:

  • For starters, everything listed by Alex Gaynor in the description of #394. Cleaner, better performance, no requirement for C toolchain on some platforms, PyPy, etc. These alone are reason enough.
  • In addition, maintenance slowdown at PyCrypto is starting to introduce active, exploitable security issues and the situation doesn’t appear slated to improve.

No public API changes, really?

Yes, but. Chances are good we’ll put out a 3.x line in the near future with those in tow. Even in this case, most users aren’t likely to experience breakage – only those relying on fixed corner-case behaviors or rarely-used API calls.

General upgrade notes

Cryptography is available in static binary wheels if you’re on Windows or Mac and have pip 8+. Otherwise, you just need to add OpenSSL and libffi development headers to your existing C build toolchain and Python development headers.

Details can be found in Cryptography’s install docs, and the Paramiko install docs will reflect this too once 2.0 is released.

Fabric users

We released 1.10.3 and 1.11.x in the last few months, both of which changed Fabric to depend on paramiko<2, to avoid nasty surprises on fresh installs or upgrades. Please upgrade to these if possible!

For those who want to get on Paramiko 2.0 with Fabric 1.x, we may revert that version restriction in Fabric 1.12 or 1.13, or otherwise investigate parameterized installation methods. (Unfortunately, setuptools’ extras functionality doesn’t appear to enable this sort of thing, so pip install fabric[newer-paramiko] seems out of the question.)

Fabric 2.x will almost definitely require Paramiko 2.x (or 3.x) and up. Stay tuned.