[pull] main from python:main

Doc/Makefile

@@ -170,6 +170,7 @@ venv:
 		echo "venv already exists."; \
 		echo "To recreate it, remove it first with \`make clean-venv'."; \
 	else \
+		set -e; \
 		echo "Creating venv in $(VENVDIR)"; \
 		if $(UV) --version >/dev/null 2>&1; then \
 			$(UV) venv --python=$(PYTHON) $(VENVDIR); \

Doc/library/gc.rst

@@ -60,7 +60,7 @@ The :mod:`gc` module provides the following functions:
    The effect of calling ``gc.collect()`` while the interpreter is already
    performing a collection is undefined.
 
-   .. versionchanged:: 3.13
+   .. versionchanged:: 3.14
       ``generation=1`` performs an increment of collection.
 
 
@@ -83,13 +83,13 @@ The :mod:`gc` module provides the following functions:
    returned. If *generation* is not ``None``, return only the objects as follows:
 
    * 0: All objects in the young generation
-   * 1: No objects, as there is no generation 1 (as of Python 3.13)
+   * 1: No objects, as there is no generation 1 (as of Python 3.14)
    * 2: All objects in the old generation
 
    .. versionchanged:: 3.8
       New *generation* parameter.
 
-   .. versionchanged:: 3.13
+   .. versionchanged:: 3.14
       Generation 1 is removed
 
    .. audit-event:: gc.get_objects generation gc.get_objects
@@ -142,7 +142,7 @@ The :mod:`gc` module provides the following functions:
 
    See `Garbage collector design <https://devguide.python.org/garbage_collector>`_ for more information.
 
-   .. versionchanged:: 3.13
+   .. versionchanged:: 3.14
       *threshold2* is ignored
 
 

Doc/library/http.client.rst

@@ -34,7 +34,7 @@ The module provides the following classes:
 
 
 .. class:: HTTPConnection(host, port=None[, timeout], source_address=None, \
-                          blocksize=8192)
+                          blocksize=8192, max_response_headers=None)
 
    An :class:`HTTPConnection` instance represents one transaction with an HTTP
    server.  It should be instantiated by passing it a host and optional port
@@ -46,7 +46,9 @@ The module provides the following classes:
    The optional *source_address* parameter may be a tuple of a (host, port)
    to use as the source address the HTTP connection is made from.
    The optional *blocksize* parameter sets the buffer size in bytes for
-   sending a file-like message body.
+   sending a file-like message body. The optional *max_response_headers*
+   parameter sets the maximum number of allowed response headers to help
+   prevent denial-of-service attacks, otherwise the default value (100) is used.
 
    For example, the following calls all create instances that connect to the server
    at the same host and port::
@@ -66,10 +68,13 @@ The module provides the following classes:
    .. versionchanged:: 3.7
       *blocksize* parameter was added.
 
+   .. versionchanged:: next
+      *max_response_headers* parameter was added.
+
 
 .. class:: HTTPSConnection(host, port=None, *[, timeout], \
                            source_address=None, context=None, \
-                           blocksize=8192)
+                           blocksize=8192, max_response_headers=None)
 
    A subclass of :class:`HTTPConnection` that uses SSL for communication with
    secure servers.  Default port is ``443``.  If *context* is specified, it
@@ -109,6 +114,9 @@ The module provides the following classes:
       The deprecated *key_file*, *cert_file* and *check_hostname* parameters
       have been removed.
 
+   .. versionchanged:: next
+      *max_response_headers* parameter was added.
+
 
 .. class:: HTTPResponse(sock, debuglevel=0, method=None, url=None)
 
@@ -416,6 +424,14 @@ HTTPConnection Objects
    .. versionadded:: 3.7
 
 
+.. attribute:: HTTPConnection.max_response_headers
+
+   The maximum number of allowed response headers to help prevent denial-of-service
+   attacks. By default, the maximum number of allowed headers is set to 100.
+
+   .. versionadded:: next
+
+
 As an alternative to using the :meth:`~HTTPConnection.request` method described above, you can
 also send your request step by step, by using the four functions below.
 

Doc/library/tarfile.rst

@@ -1353,6 +1353,9 @@ Command-line options
 Examples
 --------
 
+Reading examples
+~~~~~~~~~~~~~~~~~~~
+
 How to extract an entire tar archive to the current working directory::
 
    import tarfile
@@ -1375,6 +1378,23 @@ a generator function instead of a list::
    tar.extractall(members=py_files(tar))
    tar.close()
 
+How to read a gzip compressed tar archive and display some member information::
+
+   import tarfile
+   tar = tarfile.open("sample.tar.gz", "r:gz")
+   for tarinfo in tar:
+       print(tarinfo.name, "is", tarinfo.size, "bytes in size and is ", end="")
+       if tarinfo.isreg():
+           print("a regular file.")
+       elif tarinfo.isdir():
+           print("a directory.")
+       else:
+           print("something else.")
+   tar.close()
+
+Writing examples
+~~~~~~~~~~~~~~~~
+
 How to create an uncompressed tar archive from a list of filenames::
 
    import tarfile
@@ -1390,19 +1410,15 @@ The same example using the :keyword:`with` statement::
         for name in ["foo", "bar", "quux"]:
             tar.add(name)
 
-How to read a gzip compressed tar archive and display some member information::
+How to create and write an archive to stdout using
+:data:`sys.stdout.buffer <sys.stdout>` in the *fileobj* parameter
+in :meth:`TarFile.add`::
 
-   import tarfile
-   tar = tarfile.open("sample.tar.gz", "r:gz")
-   for tarinfo in tar:
-       print(tarinfo.name, "is", tarinfo.size, "bytes in size and is ", end="")
-       if tarinfo.isreg():
-           print("a regular file.")
-       elif tarinfo.isdir():
-           print("a directory.")
-       else:
-           print("something else.")
-   tar.close()
+    import sys
+    import tarfile
+    with tarfile.open("sample.tar.gz", "w|gz", fileobj=sys.stdout.buffer) as tar:
+        for name in ["foo", "bar", "quux"]:
+            tar.add(name)
 
 How to create an archive and reset the user information using the *filter*
 parameter in :meth:`TarFile.add`::

Doc/whatsnew/3.14.rst

@@ -1058,6 +1058,30 @@ free-threaded build and false for the GIL-enabled build.
 
 (Contributed by Neil Schemenauer and Kumar Aditya in :gh:`130010`.)
 
+.. _whatsnew314-incremental-gc:
+
+Incremental garbage collection
+------------------------------
+
+The cycle garbage collector is now incremental.
+This means that maximum pause times are reduced
+by an order of magnitude or more for larger heaps.
+
+There are now only two generations: young and old.
+When :func:`gc.collect` is not called directly, the
+GC is invoked a little less frequently. When invoked, it
+collects the young generation and an increment of the
+old generation, instead of collecting one or more generations.
+
+The behavior of :func:`!gc.collect` changes slightly:
+
+* ``gc.collect(1)``: Performs an increment of garbage collection,
+  rather than collecting generation 1.
+* Other calls to :func:`!gc.collect` are unchanged.
+
+(Contributed by Mark Shannon in :gh:`108362`.)
+
+
 Other language changes
 ======================
 
@@ -1486,6 +1510,36 @@ functools
   (Contributed by Sayandip Dutta in :gh:`125916`.)
 
 
+gc
+--
+
+The cyclic garbage collector is now incremental,
+which changes the meaning of the results of
+:meth:`~gc.get_threshold` and :meth:`~gc.set_threshold`
+as well as :meth:`~gc.get_count` and :meth:`~gc.get_stats`.
+
+* For backwards compatibility, :meth:`~gc.get_threshold` continues to return
+  a three-item tuple.
+  The first value is the threshold for young collections, as before;
+  the second value determines the rate at which the old collection is scanned
+  (the default is 10, and higher values mean that the old collection
+  is scanned more slowly).
+  The third value is meaningless and is always zero.
+
+* :meth:`~gc.set_threshold` ignores any items after the second.
+
+* :meth:`~gc.get_count` and :meth:`~gc.get_stats` continue to return
+  the same format of results.
+  The only difference is that instead of the results referring to
+  the young, aging and old generations,
+  the results refer to the young generation
+  and the aging and collecting spaces of the old generation.
+
+In summary, code that attempted to manipulate the behavior of the cycle GC
+may not work exactly as intended, but it is very unlikely to be harmful.
+All other code will work just fine.
+
+
 getopt
 ------
 
@@ -2233,6 +2287,7 @@ asyncio
   (Contributed by Yury Selivanov, Pablo Galindo Salgado, and Łukasz Langa
   in :gh:`91048`.)
 
+
 base64
 ------
 
@@ -2241,6 +2296,15 @@ base64
   (Contributed by Bénédikt Tran, Chris Markiewicz, and Adam Turner in :gh:`118761`.)
 
 
+gc
+--
+
+* The new :ref:`incremental garbage collector <whatsnew314-incremental-gc>`
+  means that maximum pause times are reduced
+  by an order of magnitude or more for larger heaps.
+  (Contributed by Mark Shannon in :gh:`108362`.)
+
+
 io
 ---
 * :mod:`io` which provides the built-in :func:`open` makes less system calls
@@ -2707,6 +2771,13 @@ Changes in the Python API
   Wrap it in :func:`staticmethod` if you want to preserve the old behavior.
   (Contributed by Serhiy Storchaka and Dominykas Grigonis in :gh:`121027`.)
 
+* The :ref:`garbage collector is now incremental <whatsnew314-incremental-gc>`,
+  which means that the behavior of :func:`gc.collect` changes slightly:
+
+  * ``gc.collect(1)``: Performs an increment of garbage collection,
+    rather than collecting generation 1.
+  * Other calls to :func:`!gc.collect` are unchanged.
+
 * The :func:`locale.nl_langinfo` function now sets temporarily the ``LC_CTYPE``
   locale in some cases.
   This temporary change affects other threads.

Doc/whatsnew/3.15.rst

@@ -230,6 +230,16 @@ difflib
   (Contributed by Jiahao Li in :gh:`134580`.)
 
 
+http.client
+-----------
+
+* A new *max_response_headers* keyword-only parameter has been added to
+  :class:`~http.client.HTTPConnection` and :class:`~http.client.HTTPSConnection`
+  constructors. This parameter overrides the default maximum number of allowed
+  response headers.
+  (Contributed by Alexander Enrique Urieles Nieto in :gh:`131724`.)
+
+
 math
 ----
 

Lib/hashlib.py

@@ -136,12 +136,22 @@ def __get_openssl_constructor(name):
         # Prefer our builtin blake2 implementation.
         return __get_builtin_constructor(name)
     try:
-        # MD5, SHA1, and SHA2 are in all supported OpenSSL versions
-        # SHA3/shake are available in OpenSSL 1.1.1+
+        # Fetch the OpenSSL hash function if it exists,
+        # independently of the context security policy.
         f = getattr(_hashlib, 'openssl_' + name)
-        # Allow the C module to raise ValueError.  The function will be
-        # defined but the hash not actually available.  Don't fall back to
-        # builtin if the current security policy blocks a digest, bpo#40695.
+        # Check if the context security policy blocks the digest or not
+        # by allowing the C module to raise a ValueError. The function
+        # will be defined but the hash will not be available at runtime.
+        #
+        # We use "usedforsecurity=False" to prevent falling back to the
+        # built-in function in case the security policy does not allow it.
+        #
+        # Note that this only affects the explicit named constructors,
+        # and not the algorithms exposed through hashlib.new() which
+        # can still be resolved to a built-in function even if the
+        # current security policy does not allow it.
+        #
+        # See https://github.com/python/cpython/issues/84872.
         f(usedforsecurity=False)
         # Use the C function directly (very fast)
         return f