signer and verifier have been deprecated

Bug #1750633 reported by Brianna Poulos
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
Cursive | Fix Released | Undecided | Tobias Urdin |
paramiko (Ubuntu) | Invalid | Undecided | Unassigned |

Bug Description

The cryptography library has deprecated the use of signer and verifier as of version 2.0 (see https://cryptography.io/en/latest/changelog/#v2-0 for changelog).

The cursive library uses signer and verifier, and should be updated to use sign and verify instead.

The following is the deprecation warning:

/opt/stack/cursive/cursive/signature_utils.py:139: DeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
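
The migration the report asks for, as an added example that is not part of the original report and is not cursive's or paramiko's code: the removed `verifier()` context accepted chunked `update()` calls, which the one-shot `verify()` does not, so the hypothetical `StreamingVerifier` wrapper keeps a running hash and hands the digest to `verify()` via `utils.Prehashed`. It assumes a recent `cryptography` release where the backend argument is optional; the key, the PSS padding choice and the payload are constructed for the demo.

```python
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa, utils


class StreamingVerifier:
    """Hypothetical wrapper: the removed verifier()'s update()/verify() shape,
    implemented with a running hash plus the one-shot verify()."""

    def __init__(self, public_key, signature, pad, algorithm):
        self._key, self._signature = public_key, signature
        self._pad, self._algorithm = pad, algorithm
        self._digest = hashes.Hash(algorithm)

    def update(self, chunk):
        self._digest.update(chunk)

    def verify(self):
        # Prehashed tells verify() the data argument is already a digest.
        # Raises InvalidSignature on mismatch, like the old context did.
        self._key.verify(self._signature, self._digest.finalize(),
                         self._pad, utils.Prehashed(self._algorithm))


def is_valid(public_key, signature, chunks, pad, algorithm):
    verifier = StreamingVerifier(public_key, signature, pad, algorithm)
    for chunk in chunks:
        verifier.update(chunk)
    try:
        verifier.verify()
    except InvalidSignature:
        return False
    return True


def demo():
    # Constructed sample data: a throwaway key and a payload read in chunks.
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    algorithm = hashes.SHA256()
    pad = padding.PSS(mgf=padding.MGF1(algorithm),
                      salt_length=padding.PSS.MAX_LENGTH)
    chunks = [b"image-part-1", b"image-part-2", b"image-part-3"]
    # One-shot sign() over the whole payload replaces signer().
    signature = key.sign(b"".join(chunks), pad, algorithm)
    public_key = key.public_key()
    tampered = chunks[:2] + [b"image-part-X"]
    return (is_valid(public_key, signature, chunks, pad, algorithm),
            is_valid(public_key, signature, tampered, pad, algorithm))
```

The signature produced over the whole payload verifies against the chunk-by-chunk digest, so callers that stream large files do not need to buffer them to move off the deprecated API.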

Changed in cursive:
assignee: nobody → Brianna Poulos (brianna-poulos)
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in paramiko (Ubuntu):
status: New → Confirmed
Robert Mader (robert.mader-liqd) wrote :

I'd really appreciate a backport of the fix. Some other distributions shipping with paramiko 2.0 ship it already, for example Mageia (https://advisories.mageia.org/MGAA-2018-0077.html).

It affects everyone doing backups with duplicity over ssh, most notably when using cronjobs. Probably quite a big group. Unfortunately it's not enough to just set the log verbosity to error.

Robert Mader (robert.posteo) wrote :

Here's the link to the upstream fix: https://github.com/paramiko/paramiko/pull/979/commits/fdc09c9f93fd189a6398d5b350a3c91011d9b4cb

I'd like to kindly request a backport of it (actually, simply applying it).
It's fairly trivial and I just tested it on my server (18.04) without issues.

no longer affects: duplicity
Kenneth Loafman (kenneth-loafman) wrote :

This bug does not involve any paramiko entry points used by duplicity, so I removed the dependency.

If I understand this correctly, then duplicity users just need to 'pip install -U paramiko' to get this fix in the newer versions. It is not something duplicity can do.

Robert Mader (robert.mader-liqd) wrote :

Hej Kenneth, thanks for the answer. I agree that this is a sufficient workaround, but for an LTS version of Ubuntu, I think it would be worthwhile considering backporting this fix.

People will use Ubuntu 18.04 for many years to come and many will hit this issue, especially people using it on servers and doing backups with duplicity. Installing packages from pip makes updates more complicated and dangerous and is certainly not the desired state for backup solutions. Maybe the maintainer of paramiko, @jbouse, can comment on that?

Tobias Urdin (tobias-urdin) wrote :

The signer and verifier part for signature_utils was fixed in 0.2.2; the certificate_utils part will be fixed by https://review.opendev.org/c/x/cursive/+/864846

Changed in cursive:
status: New → In Progress
Changed in cursive:
assignee: Brianna Poulos (brianna-poulos) → Tobias Urdin (tobias-urdin)
Changed in paramiko (Ubuntu):
status: Confirmed → Invalid
OpenStack Infra (hudson-openstack) wrote : Fix merged to cursive (master)

Reviewed: https://review.opendev.org/c/x/cursive/+/864846
Committed: https://opendev.org/x/cursive/commit/ad4437300d06442d7b9cb83e5788a7a8ce091600
Submitter: "Zuul (22348)"
Branch: master

commit ad4437300d06442d7b9cb83e5788a7a8ce091600
Author: Tobias Urdin <email address hidden>
Date: Thu Nov 17 08:35:27 2022 +0000

    Stop using removed verifier and signer methods

    These methods are removed in [1] so we move to our
    wrappers for verifiers introduced in [2] and then
    update our testing to not use signer as well.

    [1] https://github.com/pyca/cryptography/pull/6639
    [2] https://review.opendev.org/c/x/cursive/+/547146

    Closes-Bug: #1750633
    Change-Id: I07b2d9c41c5c659692e5bfd6570b66fd646faa2b

Changed in cursive:
status: In Progress → Fix Released