both runtime and persistent enablement/masking, i.e. it will remove
any relevant symlinks both in /run and /etc.
+ * Note that all long-running system services shipped with elogind will
+ now default to a system call whitelist (rather than a blacklist, as
+ before). In particular, elogind-udevd will now enforce one too. For
+ most cases this should be safe, however downstream distributions
+ which disabled sandboxing of elogind-udevd (specifically the
+ MountFlags= setting), might want to disable this security feature
+ too, as the default whitelisting will prohibit all mount, swap,
+ reboot and clock changing operations from udev rules.
+
* sd-boot acquired new loader configuration settings to optionally turn
off Windows and MacOS boot partition discovery as well as
reboot-into-firmware menu items. It is also able to pick a better
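Review bot: The added entry, at "might want to disable this security feature too", never names the setting that carries the system call whitelist, although it does name MountFlags= for the sandboxing it is compared to. Please name the directive so downstream packagers know what to change. Consider recommending that they extend the whitelist for the specific mount, swap, reboot or clock operations their udev rules need, rather than turning the filter off entirely. Please also confirm that "elogind-udevd" and "all long-running system services shipped with elogind" describe components this tree actually ships. If the names come from a mechanical rename of upstream text, the entry should say which services are affected here.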
configuration settings to change the resolution explicitly.
* The elogind-resolve tool has been renamed to resolvectl (it also
- * elogind-resolved now supports DNS-over-TLS ("PrivateDNS"). It's still
- turned off by default, use PrivateDNS=opportunistic to turn it on in
+ * elogind-resolved now supports DNS-over-TLS. It's still
+ turned off by default, use DNSOverTLS=opportunistic to turn it on in
resolved.conf. We intend to make this the default as soon as couple
of additional techniques for optimizing the initial latency caused by
establishing a TLS/TCP connection are implemented.
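Review bot: The switch from PrivateDNS=opportunistic to DNSOverTLS=opportunistic in the resolved.conf entry leaves no mention of the old key, so a reader who already has PrivateDNS= in resolved.conf cannot tell whether that line is still honoured. Since the entry says the feature is "still turned off by default", an unrecognised key would leave lookups unencrypted. Please add a sentence stating whether the old name remains accepted. The entry could also say what "opportunistic" means with respect to falling back to unencrypted DNS, because that determines how much protection the recommended setting gives.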
* Units gained a new load state "bad-setting", which is used when a
unit file was loaded, but contained fatal errors which prevent it
- from being started (for example, an ExecStart= path which references
- a non-existent executable).
+ from being started (for example, a service unit has been defined
+ lacking both ExecStart= and ExecStop= lines).
* coredumpctl's "gdb" verb has been renamed to "debug", in order to
support alternative debuggers, for example lldb. The old name
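Review bot: Replacing the "bad-setting" example (an ExecStart= path which references a non-existent executable) with "lacking both ExecStart= and ExecStop= lines" implies that the non-existent executable case no longer produces this load state, but the entry does not say what happens to such a unit instead. If the behaviour changed, please state the new outcome for that case in the entry. If only the example changed, a short note in the commit message explaining why would prevent readers from inferring a behaviour change from the NEWS diff.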