I have feedback from a customer running the current release candidate of
roundup. The password reset routine doesn't work (how it doesn't work
see below). I've been able to reproduce this with the current
release-candidate "classic" tracker template as follows:

- press the "Lost your login?" Link and fill in the username for which
  you want to reset the password, it will mail (or write to the debug
  file) a password-reset link
- Open this reset link in a new window in the browser, it will display a
  message with green background "Password reset and email sent to ..."
- check email or email-file again, this now contains a mail with a new
  password for the given user

Neither the new nor the old password work now for logging into the tracker.

Update: Looks like the password is still the old password for the
test-user. So the new password that is announced via email never makes
it to the database.

I'm running an almost unmodified classic template but with some of the
class-permissions (issue, user, ...) removed from the anonymous user.
I'm using an ancient config.ini that was just updated with the recent
settings but everything was left at the defaults.

Fixed in commit ed6153d3ee6a
The problem was that the password change wasn't committed to the
database. After refactoring and using a separate database connection for
one-time-key (otk) handling and the main database we need to commit to
them separately. There was only a commit for the otk-key but not for the
password change.