X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=NEWS;h=78c44db4a6810c86c7c69c0a39a75fbcb0e00825;hb=05dc2132e047380eecc50ff3f1ed742722cc6a1e;hp=568a31a87d7d07c72f4829d1bdee83ea81698e67;hpb=2eb466fc106b992f1cc9d9d24173cebba4eaf74b;p=thirdparty%2Fsystemd.git diff --git a/NEWS b/NEWS index 568a31a87d7..78c44db4a68 100644 --- a/NEWS +++ b/NEWS 
@@ -1,6 +1,35 @@ systemd System and Service Manager -CHANGES WITH 242 in spe: +CHANGES WITH 243 in spe: + + * The "kernel.pid_max" sysctl is now bumped to 4194304 by default, + i.e. the full 22bit range the kernel allows, up from the old 16bit + range. This should improve security and robustness a bit, as PID + collisions are made less likely (though certainly still + possible). There are rumours this might create compatibility + problems, though at this moment no practical ones are known to + us. Downstream distributions are hence advised to undo this change in + their builds if they are concerned about maximum compatibility, but + for everybody else we recommend leaving the value bumped. Besides + improving security and robustness this should also simplify things as + the maximum number of allowed concurrent tasks was previously bounded + by both "kernel.pid_max" and "kernel.threads-max" and now only a + single knob is left ("kernel.threads-max"). There have been concerns + that usability is affected by this change because larger PID numbers + are harder to type, but we believe the change from 5 digit PIDs to 7 + digit PIDs is not too hampering for usability. + + * MemoryLow and MemoryMin gained hierarchy-aware counterparts, + DefaultMemoryLow and DefaultMemoryMin, which can be used to + hierarchically set default memory protection values for a particular + subtree of the unit hierarchy. + + * Memory protection directives can now take a value of zero, allowing + explicit opting out of a default value propagated by an ancestor. + + … + +CHANGES WITH 242: * In .link files, MACAddressPolicy=persistent (the default) is changed to cover more devices. For devices like bridges, tun, tap, bond, and 
@@ -69,12 +98,18 @@ CHANGES WITH 242 in spe: * Two new conditions for units have been added: ConditionMemory= may be used to conditionalize a unit based on installed system RAM. ConditionCPUs= may be used to conditionalize a unit based on - install CPU cores. + installed CPU cores. * The @default system call filter group understood by SystemCallFilter= has been updated to include the new rseq() system call introduced in kernel 4.15. + * A new time-set.target has been added that indicates that the system + time has been set from a local source (possibly imprecise). The + existing time-sync.target is stronger and indicates that the time has + been synchronized with a precise external source. Services where + approximate time is sufficient should use the new target. + * "systemctl start" (and related commands) learnt a new --show-transaction option. If specified brief information about all jobs queued because of the requested operation is shown. @@ -110,8 +145,8 @@ CHANGES WITH 242 in spe: * The new TripleSampling= option in .network files may be used to configure CAN triple sampling. - * A new .netdev setting PrivateKeyFile= may be used to point to private - key for a WireGuard interface. + * A new .netdev settings PrivateKeyFile= and PresharedKeyFile= may be + used to point to private or preshared key for a WireGuard interface. * /etc/crypttab now supports the same-cpu-crypt and submit-from-crypt-cpus options to tweak encryption work scheduling 
@@ -215,8 +250,9 @@ CHANGES WITH 242 in spe: a different layout of the bootloader partitions (for example grub2). * During package installation (with `ninja install`), we would create - symlinks for systemd-networkd.service, systemd-networkd.socket, - systemd-resolved.service, remote-cryptsetup.target, remote-fs.target, + symlinks for getty@tty1.service, systemd-networkd.service, + systemd-networkd.socket, systemd-resolved.service, + remote-cryptsetup.target, remote-fs.target, systemd-networkd-wait-online.service, and systemd-timesyncd.service in /etc, as if `systemctl enable` was called for those units, to make the system usable immediately after installation. Now this is not 
@@ -243,17 +279,19 @@ CHANGES WITH 242 in spe: Davide Cavalca, David Michael, David Rheinsberg, emersion, Evgeny Vereshchagin, Filipe Brandenburger, Franck Bui, Frantisek Sumsal, Giacinto Cifelli, Hans de Goede, Hugo Kindel, Ignat Korchagin, Insun - Pyo, Jan Engelhardt, Jonathan Lebon, Jonathon Kowalski, Jörg Sommer, - Jörg Thalheim, Kai-Heng Feng, Lennart Poettering, Lubomir Rintel, - Martin Pitt, Matthias Klumpp, Michael Biebl, Michael Niewöhner, Michael - Olbrich, Michal Sekletar, Mike Lothian, Piotr Drąg, Riccardo Schirone, + Pyo, Jan Engelhardt, Jonas Dorel, Jonathan Lebon, Jonathon Kowalski, + Jörg Sommer, Jörg Thalheim, Jussi Pakkanen, Kai-Heng Feng, Lennart + Poettering, Lubomir Rintel, Luís Ferreira, Martin Pitt, Matthias + Klumpp, Michael Biebl, Michael Niewöhner, Michael Olbrich, Michal + Sekletar, Mike Lothian, Paul Menzel, Piotr Drąg, Riccardo Schirone, Robin Elvedi, Roman Kulikov, Ronald Tschalär, Ross Burton, Ryan - Gonzalez, Stephane Chazelas, StKob, Susant Sahani, Sylvain Plantefève, - Szabolcs Fruhwald, Taro Yamada, Theo Ouzhinski, Thomas Haller, Tobias - Jungel, Tom Yan, Tony Asleson, Topi Miettinen, unixsysadmin, Van Laser, - Vesa Jääskeläinen, Yu, Li-Yu, Yu Watanabe, Zbigniew Jędrzejewski-Szmek + Gonzalez, Sebastian Krzyszkowiak, Stephane Chazelas, StKob, Susant + Sahani, Sylvain Plantefève, Szabolcs Fruhwald, Taro Yamada, Theo + Ouzhinski, Thomas Haller, Tobias Jungel, Tom Yan, Tony Asleson, Topi + Miettinen, unixsysadmin, Van Laser, Vesa Jääskeläinen, Yu, Li-Yu, + Yu Watanabe, Zbigniew Jędrzejewski-Szmek - — Somewhere, 2019-0X-YZ + — Warsaw, 2019-04-11 CHANGES WITH 241: 
@@ -723,7 +761,7 @@ CHANGES WITH 240: * Journal messages that are generated whenever a unit enters the failed state are now tagged with a unique MESSAGE_ID. Similarly, messages generated whenever a service process exits are now made recognizable, - too. A taged message is also emitted whenever a unit enters the + too. A tagged message is also emitted whenever a unit enters the "dead" state on success. * systemd-run gained a new switch --working-directory= for configuring @@ -965,7 +1003,7 @@ CHANGES WITH 239: not created by systemd-sysusers anymore. NOTE: This has a chance of breaking nss-ldap and similar NSS modules - that embedd a network facing module into any process using getpwuid() + that embed a network facing module into any process using getpwuid() or related call: the dynamic allocation of the user ID for systemd-resolved.service means the service manager has to check NSS if the user name is already taken when forking off the service. Since @@ -1234,7 +1272,7 @@ CHANGES WITH 239: PrivateDevices=, ProtectSystem=, …) are used. This option is hence primarily useful for services that do not use any of the other file system namespacing options. One such service is systemd-udevd.service - wher this is now used by default. + where this is now used by default. * ConditionSecurity= gained a new value "uefi-secureboot" that is true when the system is booted in UEFI "secure mode". @@ -2217,7 +2255,7 @@ CHANGES WITH 234: /etc/machine-id. If the machine ID could not be determined, $KERNEL_INSTALL_MACHINE_ID will be empty. Plugins should not put anything in the entry directory (passed as the second argument) if - $KERNEL_INSTALL_MACHINE_ID is empty. For backwards compatiblity, a + $KERNEL_INSTALL_MACHINE_ID is empty. For backwards compatibility, a temporary directory is passed as the entry directory and removed after all the plugins exit. 
@@ -5945,7 +5983,7 @@ CHANGES WITH 214: * We temporarily dropped the "-l" switch for fsck invocations, since they collide with the flock() logic above. util-linux upstream has been changed already to avoid this conflict, - and we will readd "-l" as soon as util-linux with this + and we will re-add "-l" as soon as util-linux with this change has been released. * The dependency on libattr has been removed. Since a long @@ -6231,7 +6269,7 @@ CHANGES WITH 213: where the local administrator's configuration in /etc always overrides any other settings. - Contributions fron: Ali H. Caliskan, Alison Chaiken, Bas van + Contributions from: Ali H. Caliskan, Alison Chaiken, Bas van den Berg, Brandon Philips, Cristian Rodríguez, Daniel Buch, Dan Kilman, Dave Reisner, David Härdeman, David Herrmann, David Strauss, Dimitris Spingos, Djalal Harouni, Eelco
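Review bot: in the first hunk, the kernel.pid_max entry says 4194304 is "the full 22bit range the kernel allows", but that is true only on 64-bit kernels; 32-bit kernels cap pid_max at 32768 and reject larger values, so the entry should say what the shipped sysctl fragment does there (write fails and is ignored, or logged?). Two smaller points in the same paragraph: it advises downstreams to "undo this change in their builds" without naming the sysctl.d fragment that carries the setting, and "There are rumours this might create compatibility problems" is too vague for release notes; either name the known class of problem (e.g. software that assumes PIDs fit in 5 digits) or drop the sentence.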
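Review bot: the time-set.target entry in the second hunk tells service authors to pick between time-set.target and time-sync.target but does not say how the two are ordered relative to each other; please state whether time-sync.target is ordered after time-set.target, since that determines whether a unit with After=time-sync.target can drop an explicit After=time-set.target.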
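Review bot: grammar in the WireGuard hunk: "A new .netdev settings PrivateKeyFile= and PresharedKeyFile= may be used to point to private or preshared key" should read "New .netdev settings PrivateKeyFile= and PresharedKeyFile= may be used to point to the private or preshared key". Because the whole point of these settings is to keep secrets out of the world-readable .netdev file, the entry should also state the required ownership and mode of the key files (which user needs read access, and that they must not be readable by others), and that PresharedKeyFile= is a per-peer setting while PrivateKeyFile= is per-interface.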