(cherry picked from commit da67e0d6)

Signed-off-by: Christian Heimes <christian@python.org>

[2.7] bpo-31471: Fix assertion failure in subprocess.Popen() on Windows, in case env has a bad keys() method. (GH-3580) (#3595)

This no-op change makes 2.7 more consistent with 3.x to ease comparison and backports.

(cherry picked from commit 1de4705d)

fork_wait.py tests now joins threads, to not leak running threads in
the background.

(cherry picked from commit c99d41f9)

(cherry picked from commit 71fe8c00)

[2.7] bpo-31411: Prevent raising a SystemError in case warnings.onceregistry is not a dictionary. (GH-3485). (#3493)

(cherry picked from commit 252033d5)

(cherry picked from commit 2e6bb448)

ttk.OptionMenu radiobuttons weren't unique 
between instances of OptionMenu.
(cherry picked from commit a568e527)

Patch by Paul.j3.  Includes an unrelated but useful addition to the
optparse porting section.
(cherry picked from commit 0c7983e4)

* bpo-29136: Add TLS 1.3 support

TLS 1.3 introduces a new, distinct set of cipher suites. The TLS 1.3
cipher suites don't overlap with cipher suites from TLS 1.2 and earlier.
Since Python sets its own set of permitted ciphers, TLS 1.3 handshake
will fail as soon as OpenSSL 1.1.1 is released. Let's enable the common
AES-GCM and ChaCha20 suites.

Additionally the flag OP_NO_TLSv1_3 is added. It defaults to 0 (no op) with
OpenSSL prior to 1.1.1. This allows applications to opt-out from TLS 1.3
now.

Signed-off-by: Christian Heimes <christian@python.org>.
(cherry picked from commit cb5b68ab)

Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 17c9ac92)

Also provide a solution if the user wants to keep multiple blank lines.
(cherry picked from commit 397c467c)

See also 1f29cefc.  The configure.ac change was omitted from the earlier change...

Signed-off-by: Christian Heimes <christian@python.org>.
(cherry picked from commit d3b9f97e)

Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit ad0ffa03)

(cherry picked from commit 8204b903)

This also eliminats a dead link to Weave in the process..
(cherry picked from commit 78ffd6cf)

Fix copying of partial characters for UTF-8 input (libexpat bug 115):
https://github.com/libexpat/libexpat/issues/115

(cherry picked from commit 759e30ec)

The standard header stdbool.h is not available
with old Visual Studio compilers

Cherry-picked from libexpat b4b89c2ab0cc5325a41360c25ef9d2ccbe617e5c.

expat: Add artificial scopes in xmltok.c utf8_toUtf8() to fix c89 compilation.

Cherry-picked from libexpat commit e0b290eb3d8f4c4b45137a7d7f4f8db812145bd2

(cherry picked from commit f801322e)

* bpo-31339: Rewrite time.asctime() and time.ctime()

Backport and adapt the _asctime() function from the master branch to
not depend on the implementation of asctime() and ctime() from the
external C library. This change fixes a bug when Python is run using
the musl C library.

* bound checks for time.asctime()

* bound checks for time.strftime()

Really this time!

* bpo-27448: Work around a gc.disable race condition in subprocess.

This works around a gc.isenabled/gc.disable race condition in the 2.7
subprocess module by using a lock for the critical section.  It'll
prevent multiple simultaneous subprocess launches from winding up with
gc remaining disabled but it can't fix the ultimate problem: gc enable
and disable is a global setting and a hack.

Users are *strongly encouraged* to use subprocess32 from PyPI instead
of the 2.7 standard library subprocess module.  Mixing threads with
subprocess is a recipie for disaster otherwise even with "fixes" to
ameliorate common issues like this.

* Add a blurb!

(cherry picked from commit 8adc73c2)

(cherry picked from commit e503ca52)

The ssl and hashlib modules now call OPENSSL_add_all_algorithms_noconf() on
OpenSSL < 1.1.0. The function detects CPU features and enables optimizations
on some CPU architectures such as POWER8. Patch is based on research from
Gustavo Serra Scalet.
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit c941e623)

Include sys/sysmacros.h for major(), minor(), and makedev(). GNU C libray
plans to remove the functions from sys/types.h.

Signed-off-by: Christian Heimes <christian@python.org>.
(cherry picked from commit 75b96186)

* Change NPN detection:

Version breakdown, support disabled (pre-patch/post-patch):
- pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
- 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will not be defined ->
False/False
- 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will be defined -> True/False

Version breakdown support enabled (pre-patch/post-patch):
- pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
- 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True
- 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True

* Refine NPN guard:

- If NPN is disabled, but ALPN is available we need our callback
- Make clinic's ssl behave the same way

This created a working ssl module for me, with NPN disabled and ALPN
enabled for OpenSSL 1.1.0f.

Concerns to address:
The initial commit for NPN support into OpenSSL [1], had the
OPENSSL_NPN_* variables defined inside the OPENSSL_NO_NEXTPROTONEG
guard. The question is if that ever made it into a release.
This would need an ugly hack, something like:

	GH-if defined(OPENSSL_NO_NEXTPROTONEG) && \
		!defined(OPENSSL_NPN_NEGOTIATED)
	GH-	define OPENSSL_NPN_UNSUPPORTED 0
	GH-	define OPENSSL_NPN_NEGOTIATED 1
	GH-	define OPENSSL_NPN_NO_OVERLAP 2
	GH-endif

[1] https://github.com/openssl/openssl/commit/68b33cc5c7.
(cherry picked from commit b2d096bd)

The Windows build now depends on Python 3.6 to fetch externals, but it
will be downloaded via NuGet (which is downloaded via PowerShell) if it
is not available via `py -3.6`.  This means the only thing that must be
installed on a modern Windows box to do a full build of CPython with all
extensions is Visual Studio.

Cherry-picked from 51599e2b, parts of 40a23e88, parts of 68d663cf, d5cd21d7, and possibly others that I've missed.

Also:

* Rename db -> bsddb for disambiguity

* Update sqlite3 to 3.14.2.0 since it's the version we use on 3.x, and it's simpler to just use it than to also upload the old version to cpython-source-deps

* Add PCbuild/*.ilk to .gitignore

* bpo-25674: remove sha256.tbs-internet.com ssl test (#3297)
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 002d6403)

* [2.7] bpo-25674: remove sha256.tbs-internet.com ssl test (GH-3297)

Signed-off-by: Christian Heimes <christian@python.org>.
(cherry picked from commit 002d6403)

(cherry picked from commit a6296d34)