pip install fabric[paramiko-2]
Perhaps consider an intermediary state, where for one or two releases, the fabric setup.py allows both paramiko>=2 and paramiko<2, and people will get cryptography by default, but can force the old PyCrypto version if they need it. Once that's burned in a little, you can move setup.py to require paramiko>=2.
Not sure I'd ever make Fabric 1.x require paramiko>=2, planning to save that for Fabric 2.x. Depends on Fabric 2.x uptake once it's out I guess.
You're right that going back to unpinned "I don't care, paramiko 1 or 2 is ok" is still solvable by letting folks manually downgrade their Paramiko. the pinning was mostly an attempt to head off a flood of "onoz u broke my build" reports. We've gotten some, but not a ton, whether that was due to my pin or not is anybody's guess tho.
@bitprophet FWIW, I have some dataz! Over the past 2 weeks (so this includes a few days before paramiko 2.0 was actually released), here are the most downloaded Paramiko versions from PyPI:
To me this very large number of 2.0 installs indicates that it's probably safe, and so removing the <2 bound is unnecessary, for most people it'll work just fine (or be easily remediated), and for those who can't simply doing a pip install paramiko<2 before pip install fabric will fix it.
pip install paramiko<2
pip install fabric
Would it be possible at least to use an environment marker to tell fabric to use paramiko>2 for PyPy at least, where the current status quo is that fabric won't install anyhow?
@alex belatedly, did you mean "removing the <2 bound is safe"? (instead of "unnecessary") :D
@Julian I assume you mean another few lines of "alter install_requires based on current interpreter"? Not opposed to that offhand. (Though IIRC such hacks stop working with wheels so we're starting to shy away from them...?)
Uhhh, yes, I meant it's safe.
@bitprophet for wheels you do the same thing, just in extras_require with an environment marker.
Basically you rub @dstufft's belly and a genie pops out.
(More serious example: https://github.com/Julian/jsonschema/blob/master/setup.py#L25 but you replace python_version with python_interpreter to dispatch on that instead).
I'll try to put that in a PR so you can see how it looks, unless you're about to make this happen either way?
Oh neat, I only vaguely remember learning about that stuff a while back. Clearly then forgot. I'm definitely down with doing that if it'll help some folks & not harm the majority. A PR would be appreciated.
Re: outer issue, I think at this point I'm down with bumping the pin to <3 in Fabric 1.12+ (alongside the other Crypto purges mentioned earlier, though they'd have to become conditionals unless I wanted to do paramiko>=2,<3, which I am less in favor of. Will see how ugly things get when I poke this and try making sure the same Fabric branch passes tests in two separate venvs, one w/ Crypto and Paramiko 1, the other with no Crypto and Paramiko 2)
Small addition to this discussion:
We use Macports to install the Fabric port which depends on the Paramiko port on our macOS workstations.
But recently Macports decided to upgrade Paramiko from version 1.16.0 to 2.0.1 and when we now run Fabric, it no longer works:
➜ fab deploy
Traceback (most recent call last):
File "/opt/local/bin/fab", line 5, in <module>
from pkg_resources import load_entry_point
File "/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2927, in <module>
File "/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2913, in _call_aside
File "/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2940, in _initialize_master_working_set
working_set = WorkingSet._build_master()
File "/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pkg_resources/__init__.py", line 637, in _build_master
File "/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pkg_resources/__init__.py", line 650, in _build_from_requirements
dists = ws.resolve(reqs, Environment())
File "/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pkg_resources/__init__.py", line 829, in resolve
raise DistributionNotFound(req, requirers)
pkg_resources.DistributionNotFound: The 'paramiko<2.0,>=1.10' distribution was not found and is required by Fabric
I got around it by downgrading Paramiko to version 1.16.0 using Macports, which was a bit complicated to do manually, but eventually got it working again.
I think this is a mistake from Macports, they should have waited to upgrade Paramiko in their tree until Fabric was compatible.
But anyway, it would be great if a new version of Fabric can be released with support for Paramiko > 2.0 so we can get everything to work again using Macports with the latest versions of all the ports.
Grump, that's annoying - thanks for the news, @hostep. (Not trying to be snarky, but - also surprised MacPorts is still in use, everybody I know switched to Homebrew years ago. Good reminder that "top of mind" != "the only game in town" I guess :))
I popped out a tiny 1.12 on a whim last night (another good reminder to self: stop using literal version numbers when discussing roadmap - just say "an upcoming feature release" or etc) and didn't make this change, but still want to do it soon, so probably the next minor release instead.
FWIW, we (FreeBSD) experienced the same issue and had to create a paramiko1 port and package for py-fabric to depend on. See Also:
TLDR: <= and == dependencies are super painful/annoying and create more problems than they purport to solve.
There is much less pain for downstream users and packagers/porters when upstreams just proactively test against the latest versions of their dependencies (in development, in advance of releases is the best time to do this) and don't prescribe or constraint dependency versioning unless there are versions which explicitly break compatibility.
Even in that case the limitation is only temporary, and only if a release is made while its broken, and only while the dependencies author(s) is/are notified and until fixes are made.
The bonus of this method is it teaches upstreams (and upstreams of upstreams) that the decisions they make actually affect their users in practice (not just in theory), and with this knowledge, hopefully minimises the likelihood of it happening again in future.
To add a bit more info regarding the Macports issue, it seems to be fixed because they added a patch while installing which changes the requirement for Paramiko from <2.0 to <3.0
We now run Fabric v1.12.0 & Paramiko v2.0.2 on our macOS workstations and have no problems with this.
@hostep Thank you for highlighting that
@hostep Indeed there are times where I've overridden *_requires specs (from <=/== to >= or '') in FreeBSD ports, if the test suite has passed with a later version of the dependency. This however relies on the awesome of the tests so can be risky, and though we're a downstream of Fabric, we don't like to break our user (downstream) environments either :)
Early prep for Paramiko 2.0's existence
More numbers updates...last 6 month overview:
and last 2 weeks:
Paramiko 2.0.x now easily half of all downloads. And I'm wondering how much of the other 50% are due to this ticket not being merged :) will find out soon!
Think I'll execute on this and pop it out as Fab 1.13.0.
Revisited what @Julian and I discussed way back but that extras_require magic seems only necessary if I wanted to limit the change to PyPy; at this point I'm just doing the "allow Paramiko <3" bit wholesale...
Paramiko 2.0 should be fine by now yey
Paramiko 3.0 is the one that will actually change behavior/api
Gah, of course I forgot the sibling ticket, #1462! 1.13.1 on the way...EDIT: and, merged/released.