use cryptography's sign/verify methods instead of signer/verifier #979
cryptography is planning to deprecate signer/verifier. They will be on an extended deprecation cycle, but it'd be nice to switch paramiko away sooner rather than later.
Note that this will require the minimum version be bumped to 1.5.
I'm always on the fence and very inconsistent about my feelings re: manipulating dependencies in minor versions. Most of the time the intent is to go "if someone was happy with version X of a dep, we shouldn't break that".
Adding new dependencies arguably doesn't break that promise (we're not forcing someone who is, say, somehow limited to that version X of the existing dep, to figure out how to upgrade) but of course, one can easily argue that it does (as there's no guarantee this mythical user's environment has ready access to whatever the new deps are).
Lately I suspect that dragging my feet on this sort of thing is just too conservative and I should err on the side of positive change; then at least wait for somebody to raise a major stink before I reconsider; and chances are good nobody will, because, c'mon now.