Topic: Not sure if it counts as a bug but...
I was looking through the source and noticed an oversight in pun_hash().
The choice of which hashing algorithm to use isn't fixed; it's done every time the function is called. What if someone starts off only with md5() support, has a load of users register, and then upgrades their PHP?
Presumably then all the stored passwords will remain md5'd, but the login attempt will be checking for, say, sha1, and the users won't be able to log in without all requesting new passwords?
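
One way to avoid the mismatch described in the post above, shown as an added example that is not part of the original post and is not PunBB's code: pick the algorithm from the stored digest's format rather than from what the running PHP supports, then re-hash on a successful login. The function names and the sample password are hypothetical.

```php
<?php
// Added example. stored_hash_algo() and verify_and_upgrade() are
// hypothetical names, not functions from the forum software.

// Identify the algorithm from the stored digest itself (hex length),
// not from whatever the current PHP build happens to support.
function stored_hash_algo(string $stored): ?string
{
    if (preg_match('/^[0-9a-f]{32}$/i', $stored)) {
        return 'md5';
    }
    if (preg_match('/^[0-9a-f]{40}$/i', $stored)) {
        return 'sha1';
    }
    return null; // unknown format: refuse rather than guess
}

// Returns [bool $ok, ?string $upgraded]. $upgraded is non-null when the
// login succeeded against an older algorithm and the caller should
// write the new digest back to the user's row.
function verify_and_upgrade(string $password, string $stored, string $preferred = 'sha1'): array
{
    $algo = stored_hash_algo($stored);
    if ($algo === null || !in_array($algo, hash_algos(), true)) {
        return [false, null];
    }
    // Constant-time comparison of the recomputed digest.
    if (!hash_equals(strtolower($stored), hash($algo, $password))) {
        return [false, null];
    }
    $upgraded = ($algo !== $preferred) ? hash($preferred, $password) : null;
    return [true, $upgraded];
}

// Constructed sample: an account registered while only md5 was available.
$stored = md5('correct horse');

[$ok, $new] = verify_and_upgrade('correct horse', $stored);
var_dump($ok, stored_hash_algo($new));

// A wrong password fails and triggers no upgrade.
[$ok2, $new2] = verify_and_upgrade('wrong guess', $stored);
var_dump($ok2, $new2);
```

The same shape works with any `$preferred` target, because the stored value always says which algorithm produced it.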