Remove-icecream-dep.patch

@@ -1,26 +0,0 @@
---- a/dev-requirements.txt
-+++ b/dev-requirements.txt
-@@ -17,7 +17,5 @@ coverage>=6.2,<7
- alabaster==0.7.13
- releases>=2.1
- watchdog<2
--# Debuggery
--icecream>=2.1
- # Self (sans GSS which is a pain to bother with most of the time)
- -e ".[invoke]"
---- a/tests/conftest.py
-+++ b/tests/conftest.py
-@@ -22,13 +22,6 @@ from ._loop import LoopSocket
- from ._stub_sftp import StubServer, StubSFTPServer
- from ._util import _support
- 
--from icecream import ic, install as install_ic
--
--
--# Better print() for debugging - use ic()!
--install_ic()
--ic.configureOutput(includeContext=True)
--
- 
- # Perform logging by default; pytest will capture and thus hide it normally,
- # presenting it on error/failure. (But also allow turning it off when doing

add-insecure-algorithm-log.patch

@@ -1,133 +0,0 @@
-From 6c4f54130d892f5034ac40d139ff27b8bb4d1927 Mon Sep 17 00:00:00 2001
-From: zhangpan <zhangpan103@h-partners.com>
-Date: Fri, 12 Apr 2024 12:47:45 +0800
-Subject: [PATCH] Add Insecure Algorithm Logs
-
----
- paramiko/auth_handler.py |  5 ++++
- paramiko/transport.py    | 65 ++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 70 insertions(+)
-
-diff --git a/paramiko/auth_handler.py b/paramiko/auth_handler.py
-index db89670..0454358 100644
---- a/paramiko/auth_handler.py
-+++ b/paramiko/auth_handler.py
-@@ -384,6 +384,11 @@ class AuthHandler(object):
-                 m.add_boolean(True)
-                 key_type, bits = self._get_key_type_and_bits(self.private_key)
-                 algorithm = self._finalize_pubkey_algorithm(key_type)
-+                if not list (
-+                        filter(
-+                            algorithm.__contains__,
-+                            self.transport._whitelist_pubkeys)):
-+                    self._log(WARNING, "Insecure PubKey algorithm may be used: {}".format(algorithm))
-                 m.add_string(algorithm)
-                 m.add_string(bits)
-                 blob = self._get_session_blob(
-diff --git a/paramiko/transport.py b/paramiko/transport.py
-index 5265e09..e8ff0e0 100644
---- a/paramiko/transport.py
-+++ b/paramiko/transport.py
-@@ -213,6 +213,43 @@ class Transport(threading.Thread, ClosingContextManager):
-     )
-     _preferred_compression = ("none",)
- 
-+    _whitelist_ciphers = (
-+        "aes128-ctr",
-+        "aes192-ctr",
-+        "aes256-ctr",
-+        "chacha20-poly1305@openssh.com",
-+        "aes128-gcm@openssh.com",
-+        "aes256-gcm@openssh.com",
-+    )
-+
-+    _whitelist_macs = (
-+        "hmac-sha2-512",
-+        "hmac-sha2-512-etm@openssh.com",
-+        "hmac-sha2-256",
-+        "hmac-sha2-256-etm@openssh.com",
-+    )
-+
-+    _whitelist_keys = (
-+        "ssh-ed25519",
-+        "ecdsa-sha2-nistp256",
-+        "ssh-ed25519-cert-v01@openssh.com",
-+        "rsa-sha2-256",
-+        "rsa-sha2-512",
-+    )
-+
-+    _whitelist_pubkeys = (
-+        "ssh-ed25519",
-+        "ssh-ed25519-cert-v01@openssh.com",
-+        "rsa-sha2-256",
-+        "rsa-sha2-512",
-+    )
-+
-+    _whitelist_kex = (
-+        "curve25519-sha256",
-+        "curve25519-sha256@libssh.org",
-+        "diffie-hellman-group-exchange-sha256",
-+    )
-+
-     _cipher_info = {
-         "aes128-ctr": {
-             "class": algorithms.AES,
-@@ -2507,6 +2544,13 @@ class Transport(threading.Thread, ClosingContextManager):
-                 "Incompatible ssh peer (no acceptable kex algorithm)"
-             )  # noqa
-         self.kex_engine = self._kex_info[agreed_kex[0]](self)
-+
-+        if not list (
-+                filter(
-+                    agreed_kex[0].__contains__,
-+                    self._whitelist_kex)):
-+            self._log(WARNING, "Insecure Kex algorithm may be used: {}".format(agreed_kex[0]))
-+
-         self._log(DEBUG, "Kex: {}".format(agreed_kex[0]))
- 
-         if self.server_mode:
-@@ -2534,6 +2578,13 @@ class Transport(threading.Thread, ClosingContextManager):
-             raise IncompatiblePeer(
-                 "Incompatible ssh peer (can't match requested host key type)"
-             )  # noqa
-+
-+        if not list (
-+                filter(
-+                    self.host_key_type.__contains__,
-+                    self._whitelist_keys)):
-+            self._log(WARNING, "Insecure HostKey algorithm may be used: {}".format(self.host_key_type))
-+
-         self._log_agreement("HostKey", agreed_keys[0], agreed_keys[0])
- 
-         if self.server_mode:
-@@ -2568,6 +2619,13 @@ class Transport(threading.Thread, ClosingContextManager):
-             )  # noqa
-         self.local_cipher = agreed_local_ciphers[0]
-         self.remote_cipher = agreed_remote_ciphers[0]
-+
-+        if not list (
-+                filter(
-+                    self.local_cipher.__contains__,
-+                    self._whitelist_ciphers)):
-+            self._log(WARNING, "Insecure Cipher algorithm may be used: {}".format(self.local_cipher))
-+
-         self._log_agreement(
-             "Cipher", local=self.local_cipher, remote=self.remote_cipher
-         )
-@@ -2592,6 +2650,13 @@ class Transport(threading.Thread, ClosingContextManager):
-             )
-         self.local_mac = agreed_local_macs[0]
-         self.remote_mac = agreed_remote_macs[0]
-+
-+        if not list (
-+                filter(
-+                    self.local_mac.__contains__,
-+                    self._whitelist_macs)):
-+            self._log(WARNING, "Insecure Mac algorithm may be used: {}".format(self.local_mac))
-+
-         self._log_agreement(
-             "MAC", local=self.local_mac, remote=self.remote_mac
-         )
--- 
-2.33.0
-

backport-Skip-tests-requiring-invoke.patch

@@ -0,0 +1,37 @@
+From 2dc654a20c4f1908d587060809a9d67b31352497 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20G=C3=B3rny?= <mgorny@gentoo.org>
+Date: Thu, 16 Apr 2020 09:46:39 +0200
+Subject: [PATCH] Skip tests requiring invoke if it's not installed
+ 
+Since invoke is an optional dependency and only one group of tests
+require it, skip them gracefully rather than failing if it's not
+present.
+---
+ tests/test_config.py | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+ 
+diff --git a/tests/test_config.py b/tests/test_config.py
+index 5e9aa0592..2095061f2 100644
+--- a/tests/test_config.py
++++ b/tests/test_config.py
+@@ -6,7 +6,11 @@
+ 
+ from paramiko.py3compat import string_types
+ 
+-from invoke import Result
++try:
++    from invoke import Result
++except ImportError:
++    Result = None
++
+ from mock import patch
+ from pytest import raises, mark, fixture
+ 
+@@ -705,6 +709,7 @@ def inner(command, *args, **kwargs):
+     return inner
+ 
+ 
++@mark.skipif(Result is None, reason="requires invoke package")
+ class TestMatchExec(object):
+     @patch("paramiko.config.invoke", new=None)
+     @patch("paramiko.config.invoke_import_error", new=ImportError("meh"))

paramiko-2.7.2-drop-pytest-relaxed.patch

@@ -0,0 +1,62 @@
+From 953d9a1f1055de97e35c7060fcebc7283eff9e29 Mon Sep 17 00:00:00 2001
+From: zhaorenhai <zhaorenhai@hotmail.com>
+Date: Fri, 29 Jan 2021 06:48:10 +0000
+Subject: [PATCH] drop pytest-relaxed
+
+---
+ tests/test_client.py | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/tests/test_client.py b/tests/test_client.py
+index 60ad310c..2d665cdd 100644
+--- a/tests/test_client.py
++++ b/tests/test_client.py
+@@ -33,7 +33,7 @@ import warnings
+ import weakref
+ from tempfile import mkstemp
+ 
+-from pytest_relaxed import raises
++from pytest import raises
+ from mock import patch, Mock
+ 
+ import paramiko
+@@ -684,10 +684,10 @@ class PasswordPassphraseTests(ClientTest):
+ 
+     # TODO: more granular exception pending #387; should be signaling "no auth
+     # methods available" because no key and no password
+-    @raises(SSHException)
+     def test_passphrase_kwarg_not_used_for_password_auth(self):
+-        # Using the "right" password in the "wrong" field shouldn't work.
+-        self._test_connection(passphrase="pygmalion")
++        with raises(SSHException):
++            # Using the "right" password in the "wrong" field shouldn't work.
++            self._test_connection(passphrase='pygmalion')
+ 
+     def test_passphrase_kwarg_used_for_key_passphrase(self):
+         # Straightforward again, with new passphrase kwarg.
+@@ -705,14 +705,14 @@ class PasswordPassphraseTests(ClientTest):
+             password="television",
+         )
+ 
+-    @raises(AuthenticationException)  # TODO: more granular
+     def test_password_kwarg_not_used_for_passphrase_when_passphrase_kwarg_given(  # noqa
+         self
+     ):
+-        # Sanity: if we're given both fields, the password field is NOT used as
+-        # a passphrase.
+-        self._test_connection(
+-            key_filename=_support("test_rsa_password.key"),
+-            password="television",
+-            passphrase="wat? lol no",
+-        )
++        with raises(AuthenticationException): # TODO: more granular
++            # Sanity: if we're given both fields, the password field is NOT used as
++            # a passphrase.
++            self._test_connection(
++                key_filename=_support('test_rsa_password.key'),
++                password='television',
++                passphrase='wat? lol no',
++            )
+-- 
+2.27.0
+

python-paramiko.spec

@@ -1,13 +1,15 @@
 Name:          python-paramiko
-Version:       3.4.0
+Version:       2.8.1
 Release:       2
 Summary:       Python SSH module
 License:       LGPLv2+
 URL:           https://github.com/paramiko/paramiko
 Source0:       https://github.com/paramiko/paramiko/archive/%{version}/paramiko-%{version}.tar.gz
 
-Patch0:        Remove-icecream-dep.patch
+Patch0:        paramiko-2.7.2-drop-pytest-relaxed.patch
-Patch9000:     add-insecure-algorithm-log.patch
+# Skip tests requiring invoke if it's not installed
+# Can be removed when https://github.com/paramiko/paramiko/pull/1667/ is released
+Patch6000:      backport-Skip-tests-requiring-invoke.patch
 
 BuildArch:     noarch
 
@@ -18,12 +20,11 @@ connections to remote machines.
 
 %package       -n python3-paramiko
 Summary:       Python SSH module
-BuildRequires: python3-devel python3-setuptools python3-bcrypt >= 3.2 python3-pytest
+BuildRequires: python3-devel python3-setuptools python3-bcrypt >= 3.1.3 python3-pytest
-BuildRequires: python3-cryptography >= 3.3 python3-pyasn1 >= 0.1.7 python3-pynacl >= 1.5
+BuildRequires: python3-cryptography >= 2.5 python3-pyasn1 >= 0.1.7 python3-pynacl >= 1.0.1
 BuildRequires: python3-mock >= 2.0
-BuildRequires: python3-lexicon >= 2.0.1 python3-invoke python3-pytest-relaxed
+Requires:      python3-bcrypt >= 3.1.3 python3-cryptography >= 1.5
-Requires:      python3-bcrypt >= 3.2 python3-cryptography >= 3.3
+Requires:      python3-pyasn1 >= 0.1.7 python3-pynacl >= 1.0.1
-Requires:      python3-pyasn1 >= 0.1.7 python3-pynacl >= 1.5
 %{?python_provide:%python_provide python3-paramiko}
 
 %description   -n python3-paramiko
@@ -56,6 +57,7 @@ sphinx-build -b html sites/docs/ html/
 rm -f html/.buildinfo
 
 %check
+rm -f tests/test_sftp*.py
 PYTHONPATH=%{buildroot}%{python3_sitelib} pytest-%{python3_version}
 
 %files -n python3-paramiko
@@ -64,24 +66,9 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} pytest-%{python3_version}
 %{python3_sitelib}/paramiko/
 
 %files help
-%doc html/ demos/ README.rst
+%doc html/ demos/ NEWS README.rst
 
 %changelog
-* Tue Jun 25 2024 zhangpan <zhangpan103@h-partners.com> - 3.4.0-2
-- add insecure algorithm log
-
-* Tue Jan 09 2024 yaoxin <yao_xin001@hoperun.com> - 3.4.0-1
-- Upgrade to 3.4.0 for fix CVE-2023-48795
-
-* Thu Jun 15 2023 yaoxin <yao_xin001@hoperun.com> - 3.2.0-1
-- Update to 3.2.0
-
-* Thu Jun 23 2022 houyingchao <houyingchao@h-partners.com> - 2.11.0-1
-- Upgrade to version 2.11.0
-
-* Mon Mar 28 2022 dongyuzhen <dongyuzhen@h-partners.com> - 2.8.1-3
-- fix CVE-2022-24302 and the rear patch of CVE-2022-24302
-
 * Sat Feb 26 2022 zhanzhimin <zhanzhimin@h-partners.com> - 2.8.1-2
 - drop invoke dependencies as it requires ancient pytest