Message 162875 - Python tracker

FWIW, Petri's example also explains why leaking the expected length of the string is considered an acceptable optimisation in most reimplementations of this signature check comparison: the attacker is assumed to already know the expected length of the signature, because it's part of a documented protocol or API.

However, I think it's more reasonable for a standard library implementation to omit that optimisation by default.
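To make the trade-off in this message concrete, here is an added example (not code from the tracker thread or from CPython itself) showing two constant-time comparisons side by side: one that takes the "expected length is public" shortcut and returns immediately on a length mismatch, and one that always performs `len(expected)` byte operations regardless of what it was handed, which is the same shape as the approach CPython's `hmac.compare_digest` uses. Each function also returns the number of byte operations it performed, so the length leak is visible without timing anything. The key, message and tags are constructed sample values.

```python
import hmac


def compare_with_length_shortcut(expected: bytes, received: bytes) -> tuple[bool, int]:
    """Constant-time over the bytes, but short-circuits when the lengths differ.

    This is the 'acceptable optimisation' discussed in the message: the early
    return leaks len(expected), which is assumed to be public protocol knowledge.
    Returns (equal, byte_operations_performed).
    """
    if len(expected) != len(received):
        return False, 0
    acc = 0
    for a, b in zip(expected, received):
        acc |= a ^ b  # accumulate differences; no data-dependent early exit
    return acc == 0, len(expected)


def compare_hiding_length(expected: bytes, received: bytes) -> tuple[bool, int]:
    """Always performs len(expected) byte operations, whatever `received` is.

    On a length mismatch the loop compares `expected` against itself and the
    result is forced to 'not equal', so the work done does not depend on
    whether the attacker guessed the right length (modelled on the approach
    used by CPython's hmac.compare_digest). Returns (equal, byte_operations).
    """
    if len(expected) != len(received):
        other = expected  # keep the loop running over the same number of bytes
        result = 1        # force the outcome to False
    else:
        other = received
        result = 0
    for a, b in zip(expected, other):
        result |= a ^ b
    return result == 0, len(expected)


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Check an HMAC-SHA256 tag using the length-hiding comparison."""
    expected = hmac.new(key, message, "sha256").digest()
    return compare_hiding_length(expected, tag)[0]


if __name__ == "__main__":
    # Constructed sample values for a quick demonstration.
    key, message = b"sample-key", b"sample-message"
    good_tag = hmac.new(key, message, "sha256").digest()
    print("shortcut, wrong length:", compare_with_length_shortcut(good_tag, good_tag[:8]))
    print("hiding, wrong length:  ", compare_hiding_length(good_tag, good_tag[:8]))
    print("hiding, correct tag:   ", compare_hiding_length(good_tag, good_tag))
    print("verify_tag:", verify_tag(key, message, good_tag))
```

With the shortcut, a truncated guess costs zero byte operations while a correctly sized one costs 32, so an observer can learn the expected length from timing alone; the length-hiding variant does 32 operations in both cases. Both agree with `hmac.compare_digest` on the verdict, the difference is only in what the work done reveals.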