Many thanks.  I will try porting them and see what works.

So, I can keep the SHA1 passwords already in the system, imported the MD5s and they'll work?

I have an entire database of olders from a local website that I'd like to convert for use with my PunBB installation.

The old DB pwds are all in MD5, but my install of PunBB is SHA1.

Where would I change this setting so I can reuse the old passwords and not have to require all these old users to register again?

So, pretty much, PunBB is built around a plugin framework.  No orphaned code, no functions you never use but can't disable.  If something's running, it's my fault for adding it.

My main concerns are:

1. What is the ease of dealing with spam in this system?

2. What is the history of "oh, brother" type vulnerabilites?  I mention this particularly because I'm fed up with PhpBB and will never use it again, as the BS level is intolerable.

3. Are there any really bad quirks compared to other systems that I might be missing?

As I've scanned through various FOSS options for a BB, this is one of the few that gives me some hope.  Jump in here and close the sale.