+* add systemd.random_seed= on the kernel cmdline, taking some hex or base64
+ encoded data. During earliest boot, credit it to entropy. This is not useful
+ for general purpose systems, but certainly for testing environments in VMs
+ and such, as it allows us to boot up instantly with fully initialized entropy
+ pool even if RNG pass-thru is not available.
+
+* Support ProtectProc= or so, using: https://patchwork.kernel.org/cover/11310197/
+
+* if /usr/bin/swapoff fails due to OOM, log a friendly explanatory message about it
+
+* build short web pages out of each catalog entry, build them along with man
+ pages, and include hyperlinks to them in the journal output
+
+* machined: add API to acquire UID range. add API to mount/dissect loopback
+ file. Both protected by PK. Then make nspawn use these APIs to run
+ unprivileged containers. i.e. push the truly privileged bits into machined,
+ so that the client side can remain entirely unprivileged, with SUID or
+ anything like that.
+