After posting the recent patch for reminding users of their passwords, I've been looking over the code a bit more.
Generally I'm quite impressed by it, but I can't help thinking that the account creation for the site is wrong somehow.
- Email addresses are never validated.
- Plaintext passwords are stored in the database.
These aren't huge concerns, but it's still troubling to see a prominent site using non-validated logins.
In other news I've submitted an "intent to package" bug against Debian to package the code behind this site, and add it to Debian.
Basic packages are available now, but they require testing and hammering before I upload.