+CHANGES WITH 241 in spe:
+
+ * The default locale can now be configured at compile time. Otherwise,
+ a suitable default will be selected automatically (one of C.UTF-8,
+ en_US.UTF-8, and C).
+
+ * The version string shown by systemd and other tools now includes the
+ git commit hash when built from git. An override may be specified
+ during compilation, which is intended to be used by distributions to
+ include the package release information.
+
+ * systemd-cat can now filter standard input and standard error streams
+ for different syslog priorities using the new --stderr-priority=
+ option.
+
+ * systemd-journald and systemd-journal-remote reject entries which
+ contain too many fields (CVE-2018-16865) and set limits on the
+ process' command line length (CVE-2018-16864).
+
+ * $DBUS_SESSION_BUS_ADDRESS environment variable is set by pam_systemd
+ again.
+
+ * kernel-install script now optionally takes a path to an initrd file,
+ and passes it to all plugins.
+
+ * The mincore() system call has been dropped from the @system-service
+ system call filter group, as it is pretty exotic and may potentially
+ used for side-channel attacks.
+
+ * -fPIE is dropped from compiler and linker options. Please specify
+ -Db_pie=true option to meson to build position-independent
+ executables. Note that the meson option is supported since meson-0.49.
+
+ * The fs.protected_regular and fs.protected_fifos sysctls, which were
+ added in Linux 4.19 to make some data spoofing attacks harder, are
+ now enabled by default. While this will hopefully improve the
+ security of most installations, it is technically a backwards
+ incompatible change; to disable these sysctls again, place the
+ following lines in /etc/sysctl.d/60-protected.conf or a similar file:
+
+ fs.protected_regular = 0
+ fs.protected_fifos = 0
+
+ Note that the similar hardlink and symlink protection has been
+ enabled since v199, and may be disabled likewise.
+
+CHANGES WITH 240:
+
+ * NoNewPrivileges=yes has been set for all long-running services
+ implemented by systemd. Previously, this was problematic due to
+ SELinux (as this would also prohibit the transition from PID1's label
+ to the service's label). This restriction has since been lifted, but
+ an SELinux policy update is required.
+ (See e.g. https://github.com/fedora-selinux/selinux-policy/pull/234.)
+
+ * DynamicUser=yes is dropped from systemd-networkd.service,
+ systemd-resolved.service and systemd-timesyncd.service, which was
+ enabled in v239 for systemd-networkd.service and systemd-resolved.service,
+ and since v236 for systemd-timesyncd.service. The users and groups
+ systemd-network, systemd-resolve and systemd-timesync are created
+ by systemd-sysusers again. Distributors or system administrators
+ may need to create these users and groups if they not exist (or need
+ to re-enable DynamicUser= for those units) while upgrading systemd.
+ Also, the clock file for systemd-timesyncd may need to move from
+ /var/lib/private/systemd/timesync/clock to /var/lib/systemd/timesync/clock.
+
+ * When unit files are loaded from disk, previously systemd would
+ sometimes (depending on the unit loading order) load units from the
+ target path of symlinks in .wants/ or .requires/ directories of other
+ units. This meant that unit could be loaded from different paths
+ depending on whether the unit was requested explicitly or as a
+ dependency of another unit, not honouring the priority of directories
+ in search path. It also meant that it was possible to successfully
+ load and start units which are not found in the unit search path, as
+ long as they were requested as a dependency and linked to from
+ .wants/ or .requires/. The target paths of those symlinks are not
+ used for loading units anymore and the unit file must be found in
+ the search path.