Log message:
*: convert to versioned_dependencies for py-cryptography

Log message:
*: bump PKGREVISION for egg.mk users

They now have a tool dependency on py-setuptools instead of a DEPENDS

Log message:
py-paramiko: updated to 2.8.1

2.8.1 2021-11-28
[Bug]: (also 908) Update PKey and subclasses to compare (__eq__) via direct \ 
field/attribute comparison instead of hashing (while retaining the existing \ 
behavior of __hash__ via a slight refactor). Big thanks to Josh Snyder and Jun \ 
Omae for the reports, and to Josh Snyder for reproduction details & patch.

Warning
This fixes a security flaw! If you are running Paramiko on 32-bit systems with \ 
low entropy (such as any 32-bit Python 2, or a 32-bit Python 3 which is running \ 
with PYTHONHASHSEED=0) it is possible for an attacker to craft a new keypair \ 
from an exfiltrated public key, which Paramiko would consider equal to the \ 
original key.

This could enable attacks such as, but not limited to, the following:

Paramiko server processes would incorrectly authenticate the attacker (using \ 
their generated private key) as if they were the victim. We see this as the most \ 
plausible attack using this flaw.
Paramiko client processes would incorrectly validate a connected server (when \ 
host key verification is enabled) while subjected to a man-in-the-middle attack. \ 
This impacts more users than the server-side version, but also carries higher \ 
requirements for the attacker, namely successful DNS poisoning or other MITM \ 
techniques.
[Bug] 1257: (also 1266) Update RSA and ECDSA key decoding subroutines to \ 
correctly catch exception types thrown by modern versions of Cryptography \ 
(specifically TypeError and its internal UnsupportedAlgorithm). These exception \ 
classes will now become SSHException instances instead of bubbling up. Thanks to \ 
Ignat Semenov for the report and @tylergarcianet for an early patch.
[Bug] 1024: Deleting items from HostKeys would incorrectly raise KeyError even \ 
for valid keys, due to a logic bug. This has been fixed. Report & patch \ 
credit: Jia Zhang.
[Bug] 985: (via 992) Fix listdir failure when server uses a locale. Now on \ 
Python 2.7 SFTPAttributes will decode abbreviated month names correctly rather \ 
than raise UnicodeDecodeError`. Patch courtesy of Martin Packman.

Log message:
security: Replace RMD160 checksums with BLAKE2s checksums

All checksums have been double-checked against existing RMD160 and
SHA512 hashes

Unfetchable distfiles (fetched conditionally?):
./security/cyrus-sasl/distinfo \ 
cyrus-sasl-dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d.patch.v2

Log message:
py-paramiko: updated to 2.8.0

2.8.0 2021-10-09
[Feature] Add a prefetch keyword argument to SFTPClient.get/SFTPClient.getfo so \ 
users who need to skip SFTP prefetching are able to conditionally turn it off. \ 
Thanks to Github user @h3ll0r for the PR.
[Bug] Newer server-side key exchange algorithms not intended to use SHA1 \ 
(diffie-hellman-group14-sha256, diffie-hellman-group16-sha512) were incorrectly \ 
using SHA1 after all, due to a bug causing them to ignore the hash_algo class \ 
attribute. This has been corrected. Big thanks to @miverson for the report and \ 
to Benno Rice for the patch.
[Support] Remove leading whitespace from OpenSSH RSA test suite static key \ 
fixture, to conform better to spec. Credit: Alex Gaynor.
[Support] Add missing test suite fixtures directory to MANIFEST.in, reinstating \ 
the ability to run Paramiko’s tests from an sdist tarball. Thanks to Sandro \ 
Tosi for reporting the issue and to Blazej Michalik for the PR.
[Support]: Update our CI to catch issues with sdist generation, installation and \ 
testing.
[Support]: Administrivia overhaul, including but not limited to:
Migrate CI to CircleCI
Primary dev branch is now main (renamed)
Many README edits for clarity, modernization etc; including a bunch more (and \ 
consistent) status badges & unification with main project site index
PyPI page much more fleshed out (long_description is now filled in with the \ 
README; sidebar links expanded; etc)
flake8, pytest configs split out of setup.cfg into their own files
Invoke/invocations (used by maintainers/contributors) upgraded to modern versions

Log message:
security: Remove SHA1 hashes for distfiles

Log message:
py-paramiko: updated to 2.7.2

2.7.2:
[Bug] Fix incorrectly swapped order of p and q numbers when loading \ 
OpenSSH-format RSA private keys. At minimum this should address a slowdown when \ 
using such keys, and it also means Paramiko works with Cryptography 3.1 and \ 
above (which complains strenuously when this problem appears). Thanks to Alex \ 
Gaynor for the patch.
[Bug]: Fix incorrect string formatting causing unhelpful error message \ 
annotation when using Kerberos/GSSAPI. (Thanks, newer version of flake8!)
[Support] Remove leading whitespace from OpenSSH RSA test suite static key \ 
fixture, to conform better to spec. Credit: Alex Gaynor.
[Support] Add missing test suite fixtures directory to MANIFEST.in, reinstating \ 
the ability to run Paramiko’s tests from an sdist tarball. Thanks to Sandro \ 
Tosi for reporting the issue and to Blazej Michalik for the PR.
[Support]: Update our CI to catch issues with sdist generation, installation and \ 
testing.

Log message:
pytest from versioned depends

Log message:
all: migrate homepages from http to https

pkglint -r --network --only "migrate"

As a side-effect of migrating the homepages, pkglint also fixed a few
indentations in unrelated lines. These and the new homepages have been
checked manually.

Log message:
py-paramiko: updated to 2.7.1

2.7.1:
[Bug] Fix a bug in support for ECDSA keys under the newly supported OpenSSH key \ 
format. Thanks to Pierce Lopez for the patch.
[Bug] The new-style private key format (added in 2.7) suffered from an unpadding \ 
bug which had been fixed earlier for Ed25519 (as that key type has always used \ 
the newer format). That fix has been refactored and applied to the base key \ 
class, courtesy of Pierce Lopez.

2.7.0:
[Feature]: Add new convenience classmethod constructors to SSHConfig: from_text, \ 
from_file, and from_path. No more annoying two-step process!
[Feature] Implement most ‘canonical hostname’ ssh_config functionality \ 
(CanonicalizeHostname, CanonicalDomains, CanonicalizeFallbackLocal, and \ 
CanonicalizeMaxDots; CanonicalizePermittedCNAMEs has not yet been implemented). \ 
All were previously silently ignored. Reported by Michael Leinartas.
[Feature] Implement support for the Match keyword in ssh_config files. \ 
Previously, this keyword was simply ignored & keywords inside such blocks \ 
were treated as if they were part of the previous block. Thanks to Michael \ 
Leinartas for the initial patchset.

Note
This feature adds a new optional install dependency, Invoke, for managing Match \ 
exec subprocesses.

[Feature]: A couple of outright SSHConfig parse errors were previously \ 
represented as vanilla Exception instances; as part of recent feature work a \ 
more specific exception class, ConfigParseError, has been created. It is now \ 
also used in those older spots, which is naturally backwards compatible.
[Feature] Implement support for OpenSSH 6.5-style private key files (typically \ 
denoted as having BEGIN OPENSSH PRIVATE KEY headers instead of PEM format’s \ 
BEGIN RSA PRIVATE KEY or similar). If you were getting any sort of weird auth \ 
error from “modern” keys generated on newer operating system releases (such \ 
as macOS Mojave), this is the first update to try.

Major thanks to everyone who contributed or tested versions of the patch, \ 
including but not limited to: Kevin Abel, Michiel Tiller, Pierce Lopez, and \ 
Jared Hobbs.

[Bug]: Perform deduplication of IdentityFile contents during ssh_config parsing; \ 
previously, if your config would result in the same value being encountered more \ 
than once, IdentityFile would contain that many copies of the same string.
[Bug]: Paramiko’s use of subprocess for ProxyCommand support is conditionally \ 
imported to prevent issues on limited interpreter platforms like Google Compute \ 
Engine. However, any resulting ImportError was lost instead of preserved for \ 
raising (in the rare cases where a user tried leveraging ProxyCommand in such an \ 
environment). This has been fixed.
[Bug]: ssh_config token expansion used a different method of determining the \ 
local username ($USER env var), compared to what the (much older) client \ 
connection code does (getpass.getuser, which includes $USER but may check other \ 
variables first, and is generally much more comprehensive). Both modules now use \ 
getpass.getuser.
[Support]: Explicitly document which ssh_config features we currently support. \ 
Previously users just had to guess, which is simply no good.
[Support]: Additional installation extras_require “flavors” (ed25519, \ 
invoke, and all) have been added to our packaging metadata; see the install docs \ 
for details.