Roundup Tracker - Issues

Message4279

Author schlatterbeck
Recipients ber, elic, joseph_myers, richard, schlatterbeck
Date 2011-04-14.12:44:54
Message-id <1302785094.94.0.117978561449.issue2550688@psf.upfronthosting.co.za>
In-reply-to
OK the first patch is in.
Small change to file479 pbkdf2.patch: We still accept plaintext
passwords (in known_schemes) when parsing an encrypted password (e.g. from
the database). This way existing databases with plaintext passwords
continue to work (I don't know of any, this would need patching on the
user's side) and all regression tests pass.

Does anybody think this is a security issue (I don't, you'll have to be
quite creative to use plaintext storage)?

Concerning the second patch:
- This breaks some of the regression tests, notably import/export
  (only for mysql and memorydb, and not always; it seems to be an issue
  with sorting, and since the sort order changes it doesn't happen
  every time), needs further work to make sure we don't try to convert
  the string in the journal to a Password instance.
- It has a small bug for anydbm, we want the obscured value in the
  journal, not in the user instance (!), patch attached.
- After applying the anydbm fix, the regression test for Import/Export
  also fails for memorydb (but interestingly *not* for anydbm).

I'll further look into this when time permits, just documenting
everything here in case someone else wants to contribute.
History
Date                 User           Action  Args
2011-04-14 12:44:54  schlatterbeck  set     messageid: <1302785094.94.0.117978561449.issue2550688@psf.upfronthosting.co.za>
2011-04-14 12:44:54  schlatterbeck  set     recipients: + schlatterbeck, richard, ber, joseph_myers, elic
2011-04-14 12:44:54  schlatterbeck  link    issue2550688 messages
2011-04-14 12:44:54  schlatterbeck  create
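
An added sketch (not Roundup's code and not part of the patches discussed in this message) of the behaviour the message describes: a parser whose known schemes still include plaintext so that old rows keep working, plus an audit that lists rows not yet stored as PBKDF2. The `{SCHEME}payload` layout, the `SHA` legacy scheme, the round count and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Assumed storage layout for this sketch: "{SCHEME}payload".
KNOWN_SCHEMES = ("PBKDF2", "SHA", "plaintext")  # plaintext kept for old rows
PREFERRED = "PBKDF2"
ROUNDS = 10000  # constructed value


def parse_stored(stored):
    """Split '{SCHEME}payload'; reject schemes outside KNOWN_SCHEMES."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("no scheme prefix")
    scheme, payload = stored[1:].split("}", 1)
    if scheme not in KNOWN_SCHEMES:
        raise ValueError("unknown scheme: %r" % scheme)
    return scheme, payload


def encode(password, scheme=PREFERRED, salt=None):
    """Produce a stored value for the given scheme."""
    if scheme == "PBKDF2":
        salt = salt or os.urandom(16).hex()
        dk = hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), ROUNDS)
        return "{PBKDF2}%d$%s$%s" % (ROUNDS, salt, dk.hex())
    if scheme == "SHA":
        return "{SHA}" + hashlib.sha1(password.encode()).hexdigest()
    return "{plaintext}" + password


def verify(stored, candidate):
    """Return (ok, needs_upgrade) for a login attempt."""
    scheme, payload = parse_stored(stored)
    if scheme == "PBKDF2":
        rounds, salt, digest = payload.split("$")
        dk = hashlib.pbkdf2_hmac("sha1", candidate.encode(), salt.encode(), int(rounds))
        ok = hmac.compare_digest(dk.hex(), digest)
    elif scheme == "SHA":
        ok = hmac.compare_digest(hashlib.sha1(candidate.encode()).hexdigest(), payload)
    else:  # plaintext: compare as bytes, still in constant time
        ok = hmac.compare_digest(candidate.encode(), payload.encode())
    return ok, ok and scheme != PREFERRED


def audit(rows):
    """Map user -> scheme for every stored value not using PREFERRED."""
    return {user: parse_stored(stored)[0] for user, stored in rows.items()
            if parse_stored(stored)[0] != PREFERRED}
```

Running `audit` over an export of the user table shows whether any plaintext rows actually exist before deciding to drop the scheme from the accepted list.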