This is a feature and bugfix release.

• Implemented full locking on per-user transfer 'database' to address potential races if user saves multiple times in short time
• Implemented auto_add_user_permit to limit which users may sign up through autocreate without operator interaction.
• Finished CA server integration for user authentication with certificates from a stand-alone CA certificate service
• Fix a regression in configuration init which disabled auth.log handling (only reached git, not releases)
• Fix a regression in edituser with the unique id symlinks not being properly removed for re-linking the X509 ID
• Fix to actually use auto_add_oidc_user configuration for OpenID Connect sign up attempts
• Fix a GDP encoding issue with exotic characters
• Fix a minor issue to support recent openssl output format in ftps/webdavs certificate fingerprint extraction
• Secure-by-default updates to reduce the set of enabled services unless explicitly requested
• Renamed mig.shared.html module to mig.shared.htmlgen to prevent clashes with built-in on python-3.2+
• Initial experimental quota integration when using a recent Lustre based storage underneath
• Added compat module to assist in remaining migration to python3
• Adjusted config generator for improved flexibility regarding options and user account running it.
• Improved portability of timezone detection in config generator
• Updated and polished FAQ entries
• Improved unit test coverage

Note: the Stable-YYYYMMDD release series specifically refers to the master branch, which is strictly in lock-step with the old SourceForge repo and being phased out. The matching Main-YYYYMMDD and Next-YYYYMMDD releases refer to the corresponding edge and experimental branches used in production - despite the somewhat misleading branch names. Thus, we recommend using Main for python2 and Next for python3 deployments.