New “time since last post” high score! At this rate I’ll end up blogging once a decade 😰 Some quick updates today, including a moderately sized Paramiko announcement.
Paramiko 5, now with fewer features!
Getting this out of the way early: Paramiko 5.0 is out now! - but most of the updates are actually removals instead of additions. Specifically, removing a lot of old, insecure algorithms and related functionality, and areas of the codebase that were significant support burdens with low upsides.
No more SHA1 anywhere; no more use of MD5 anywhere; no more GSSAPI (until somebody contributes a SHA256-compatible rework, anyways); no more demos/; and more besides.
Naturally, there are still some non-removal improvements, including but not limited to: ability to select OpenSSH vs PEM format when writing out new private key files; the newish PKey.from_type_string() meta-constructor now forwards the password kwarg for encrypted private keys; inconsistencies in other key constructors’ kwargs were fixed; an Ed25519Key introspection bug was fixed; etc!
OK, but why?!
I’m burying the lede a bit - we got audited! 🎉 No, not the tax kind, the security kind. The fine folks at OSTIF brought me (and to a degree, my compatriots over at Cryptography.io) and security firm Quarkslab together to have the codebase (and CI, and tooling, and everything else) audited for security issues.
Their findings included some long-standing issues (we’ve always been quite slow at dropping old algorithms…), as well as quite a few unknown problems. In addition to reporting the findings, they recommended fixes and helped workshop my commits as I went.
We remediated all the high priority findings and many of the lower priority ones, resulting in Paramiko 5.0! Working with both groups was a pleasure and I’m super grateful for their input and expertise (and their patience).
You can find OSTIF’s blog post here: https://ostif.org/paramiko-audit-complete/ and Quarkslab’s here: https://blog.quarkslab.com/paramiko-security-audit.html
And I’ll repeat our own changelog link, for good measure: https://www.paramiko.org/changelog.html#5.0.0 - as always, I tried to include rationales for removals, and clearly marked backwards incompatibilities. Those of you who weren’t relying on these outdated algorithms will likely notice very few required changes on your end.
You said “updates”, plural - what else?
Nothing quite as exciting, just some life updates:
Title change
I’m now a full-time devops engineer again, and without switching companies! I missed hacking on systems/tooling related things all day instead of only once in a while. (I didn’t miss the increased level of interrupts, but, that comes with the territory - and I now have two other dedicated teammates to share the load.)
We’re still hiring non-devops product engineers (as well as looking for a good devops manager/leader): https://www.reach.security/careers - tell ’em I sent you. (Make sure to include my last name, so you don’t confuse our recruiter, whose name is also Jeff!)
PyCon US 2026
I will be attending PyCon US 2026 in Long Beach, CA from May 13-19. Drop me a line if you want to say hi! This will be my first time visiting SoCal (unless you count driving the long way around during my move to the Bay Area in 2011…) so it’ll be interesting.
It’s also my first time flying since the COVID pandemic started 😬 hoping the currently low transmission levels and my trusty N95s keep me safe! Also very excited that SoCal being SoCal means lots of outdoor dining opportunities…
Why do I always feel compelled to stick an outro on these things?
Great question! Please tell me if you figure it out. As always, thanks for reading! Exclamation point!