- Patch #245115 by kkaefer, John Morahan, JohnAlbin et al: after a long discussion we've decided to make the concatenation operator consistent with the other operators.

- Patch #216072 by recidive, David Rothstein, ptalindstrom et al: switched from numeric block IDs to string IDs.

  The short explanation is that Drupal uses a lot of numeric deltas in the block system; blocks are identified by the 'module' and the 'delta'. In early Drupal, delta was numeric, but somewhere along the line it was changed to be possibly a string. In modern Drupal, block overrides are easily done via block-MODULE-DELTA.tpl.php.  The primary motivation to switch to string IDs everywhere is to make these deltas friendlier to themers:

    block-user-0.tpl.php --> block-user-navigation.tpl.php
    block-user-1.tpl.php --> block-user-login.tpl.php

  You get the picture.

- Patch #189568 by dvessel: don't include a CSS file in the aggregated CSS output when that file is overwritten by a theme-specific CSS file.

- Patch #195072 by webchick and coltrane: make _comment_load() a public API function by renaming it to comment_load().

- Patch #244597 by drumm: remove login form text as this can now be accomplished using hook form_alter.

  The access rules capability of user module has been stripped down to a
  simple method for blocking IP addresses. E-mail and username restrictions
  are now available in a contributed module. IP address range blocking is
  no longer supported and should be done at the server level.

  This patch is partly motiviated by the fact that at the usability testing,
  it frequently came up that users went to "access rules" when trying to
  configure their site settings.

- Patch #240387 by matt2000 et al: move 'content types' to 'site building' per the UMN usability study results.

- Patch #234785 by Rowanw, yoroy, flobruit, et al: usability: improve visibility of the 'more help' link by adding an icon.

- Patch #218403 by Gabor, catch, Arancaytar, keith, doug, et al: duplicate entry errors in search idexer due to collation issues.

- Patch #241629 by solotandem: the cron.php query left an extra row in the watchdog table due to a off-by-one error.

- Patch #241021 by keith.smith: we forgot to remove a reference to the 'story' node type.  It was renamed to 'article'.

- Patch #238528 by misamuelson, approved by Stefan: disabled menu items should not be opaque for usability.

- Oops, I forgot to add this file to CVS when I committed the secure password hashing patch last night.  Mea culpa.

  This is a big and important patch for Drupal's security.  We are switching
  to much stronger password hashes that are also compatible with the Portable
  PHP password hashing framework.

  The new password hashes defeat a number of attacks, including:

  - The ability to try candidate passwords against multiple hashes at once.
  - The ability to use pre-hashed lists of candidate passwords.
  - The ability to determine whether two users have the same (or different)
    password without actually having to guess one of the passwords.

  Also implemented a pluggable password hashing API (similar to how an alternate
  cache mechanism can be used) to allow developers to readily substitute an
  alternative hashing and authentication scheme.

  Thanks all!

- Patch #239958 by Steve Dondley: make the explicit cache clearing functionality reload the theme's .info file.  (We're back from a vacation in the French Alpes, BTW!  Time to catch up with patches.)

- Patch #235821 by kbahey and pwolanin: include upgrade path for cron changes, improved security of key.

- Patch #232037 by pwolanin and flobruit: block_list() renders all blocks even on 404.  Refactored the code a bit so ithere is a split between loading and rendering of blocks.  By doing so, we are no longer forced to render _all_ blocks if we know they won't be shown.  There is more room for improvement here, I believe, but this is an incremental improvement.

- Patch #234403 by alienbrain: drupal_mail_send() should use CRLFs instead of LFs in e-mail headers.