#517814 by jmstacey, justinrandell, pwolanin, drewish, Jody Lynn, aaron, dopry, and c960657: Converted File API to stream wrappers, for enhanced private/public file handling, and the ability to reference other storage mechanisms such as s3:// and flicker://.

- Patch #394594 by Berdir: additional conversion to the new database abstraction layer plus clean-up.

- Patch #394594 by ksenzee: converted most of the user module code to the new database abstraction layer.

#330983 by recidive and boombatower: Rename users/users_roles tables to user/user_role for consistency.

#8 by sun and most of #drupal: Users can now cancel their accounts. Fixing the 8th issue, almost 8 years later, on January 8th, after working 8 days full-time on it. GREAT WORK :D

#11077 by mfb, KarenS, macgirvin, and jjkd: Can you say Daylight Savings Time? I bet you didn't think Drupal ever would! :)

- Patch #73874 by pwolanin: normalize the permissions table and wrote simpletests for the (new) permission handling.  At last.

- Patch #245115 by kkaefer, John Morahan, JohnAlbin et al: after a long discussion we've decided to make the concatenation operator consistent with the other operators.

  The access rules capability of user module has been stripped down to a
  simple method for blocking IP addresses. E-mail and username restrictions
  are now available in a contributed module. IP address range blocking is
  no longer supported and should be done at the server level.

  This patch is partly motiviated by the fact that at the usability testing,
  it frequently came up that users went to "access rules" when trying to
  configure their site settings.

  This is a big and important patch for Drupal's security.  We are switching
  to much stronger password hashes that are also compatible with the Portable
  PHP password hashing framework.

  The new password hashes defeat a number of attacks, including:

  - The ability to try candidate passwords against multiple hashes at once.
  - The ability to use pre-hashed lists of candidate passwords.
  - The ability to determine whether two users have the same (or different)
    password without actually having to guess one of the passwords.

  Also implemented a pluggable password hashing API (similar to how an alternate
  cache mechanism can be used) to allow developers to readily substitute an
  alternative hashing and authentication scheme.

  Thanks all!

#164532 follow up by pwolanin, David Strauss, catch and myself, testing also by hswong3i: some indexes added before Drupal 6 RC1 were too unique, and our code did not back them, so we should not add those indexes

- Patch #164532 by catch, pwolanin, David Strauss, et al.: improve table indicies for common queries.