Unfortunately, distributing crypto software is still a hideous international mess (just because the *US* is less silly these days...).
Things have been liberalizing rapidly. I'm not sure how true that is anymore, though I don't have direct experience (aside from offering some crypto software on a website; people download it from all over the place, but maybe they're scofflaws, who knows).
I know US export is no problem. According to [1], most countries have no laws restricting imports, with the notable exception of ex-USSR countries and China, which require licenses. I've heard anecdotally the Russian requirements are mostly ignored [2]. I don't know about China.
More anecdotal evidence: The windows python installer includes strong crypto (SSL). Has that caused problems?
Agreed. Python already includes crypto and US export is nothing more than a harmless "let US Dept of Whateveritscalledtoday know that X has crypto in it." the bsddb module includes encrypted database support in it (unless the windows packager has been building the non crypto version of the library distributed by sleepycat; i haven't checked). The point about SSL being included is interesting. The OpenSSL library provides implementations of all of the important hash algorithms (and uses them in order to implement ssl!). Its hashing code is much better optimized on various architectures than the python module ever will be. I just filed feature request 983069 to keep this on the radar.
There's protocols that can use SHA-256, like SSH, S/MIME, or PGP, but these all require other crypto primitives, so your point stands. And I agree: crypto primitives should probably be considered as a lump. If ciphers are absolutely not going to get in, putting in other crypto stuff is not that helpful..
To waffle on my earlier question of "what uses sha256 w/o also needing crypto?"... One reason I can see for adding sha-256 and sha-512 (and 224/384 wrappers) to standard python is that they will potentially be used in future distributed data storage and p2p protocols for large data set integrity checking. -g