Update to 2.9.0
    
    - New upstream release 2.9.0
      - Add support for SHA-2 variants of RSA key verification algorithms (as
        described in RFC 8332) as well as limited SSH extension negotiation (RFC
        8308) (GH#1326, GH#1643, GH#1644, GH#1925)
        How SSH servers/clients decide when and how to use this functionality can be
        complicated; Paramiko's support is as follows:
        - Client verification of server host key during key exchange will now prefer
          rsa-sha2-512, rsa-sha2-256, and legacy ssh-rsa algorithms, in that order,
          instead of just ssh-rsa
        - Note that the preference order of other algorithm families such as
          ed25519 and ecdsa has not changed; for example, those two groups are still
          preferred over RSA
        - Server mode will now offer all 3 RSA algorithms for host key verification
          during key exchange, similar to client mode, if it has been configured
          with an RSA host key
        - Client mode key exchange now sends the ext-info-c flag signaling support
          for MSG_EXT_INFO, and support for parsing the latter (specifically, its
          server-sig-algs flag) has been added
        - Client mode, when performing public key authentication with an RSA key or
          cert, will act as follows:
          - In all cases, the list of algorithms to consider is based on the new
            preferred_pubkeys list and disabled_algorithms; this list, like with
            host keys, prefers SHA2-512, SHA2-256 and SHA1, in that order
          - When the server does not send server-sig-algs, Paramiko will attempt
            the first algorithm in the above list; clients connecting to legacy
            servers should thus use disabled_algorithms to turn off SHA2
          - When the server does send server-sig-algs, the first algorithm
            supported by both ends is used, or if there is none, it falls back to
            the previous behavior
        - SSH agent support grew the ability to specify algorithm flags when
          requesting private key signatures; this is now used to forward SHA2
          algorithms when appropriate
        - Server mode is now capable of pubkey auth involving SHA-2 signatures from
          clients, provided one's server implementation actually provides for doing
          so; this includes basic support for sending MSG_EXT_INFO (containing
          server-sig-algs only) to clients advertising ext-info-c in their key
          exchange list
        In order to implement the above, the following API additions were made:
        - 'PKey.sign_ssh_data <paramiko.pkey.PKey>': Grew an extra, optional
          'algorithm' keyword argument (defaulting to 'None' for most subclasses,
          and to "ssh-rsa" for '~paramiko.rsakey.RSAKey')
        - A new '~paramiko.ssh_exception.SSHException' subclass was added,
          '~paramiko.ssh_exception.IncompatiblePeer', and is raised in all spots
          where key exchange aborts due to algorithmic incompatibility; like all
          other exceptions in that module, it inherits from 'SSHException', and as
          nothing else was changed about the raising (i.e. the attributes and
          message text are the same) this change is backwards compatible
        - '~paramiko.transport.Transport' grew a '_preferred_pubkeys' attribute and
          matching 'preferred_pubkeys' property to match the other, kex-focused,
          such members; this allows client pubkey authentication to honor the
          'disabled_algorithms' feature