start updating NEWS for 254

NEWS

@@ -24,6 +24,168 @@ CHANGES WITH 254 in spe:
           permit more impactful operations such as system suspend to local
           users.
 
+       * The sd-journal API learnt a new call sd_journal_get_seqnum() for
+         retrieving the current log record's sequence number and sequence
+         number ID, which allows applications to order records the same way as
+         journal does internally already. The sequence number is now alos
+         exported in the JSON and "export" output of the journal.
+
+       * The default keymap to apply may now be chosen at build-time via the
+         new default-keymap meson option.
+
+       * "Startup" memory settings are now supported. Previously IO and CPU
+         settings were already supported via StartupCPUWeight= and similar,
+         this adds the same logic for the various per-unit memory settings
+         StartupMemoryMax= and related.
+
+       * The service manager gained support for enqueuing POSIX signals to
+         services that carry an additional integer value, exposing the
+         sigqueue() systemd call. This is exposed via new D-Bus calls
+         QueueSignalUnit() (and related), as well as in systemctl via the new
+         --kill-value= parameter.
+
+       * systemd-notify gained a new --exec switch, which makes it execute the
+         specified command line after sending the requested messages. This is
+         useful for sending out READY=1 first, and then continuing invocation
+         without changing process ID, so that the tool can be nicely used
+         within an ExecStart= line of a unit file that uses Type=ready.
+
+       * systemd-repart's drop-in files gained a new ExcludeFiles= option which
+         may be used to exclude certain files from the effect of CopyFiles=,
+         which allows populating newly created partitions automatically.
+
+       * bootctl gained a new switch --print-root-device (or short: -R) that
+         prints the main block device the root file system is backed by. It's
+         useful for invocations such as "cfdisk $(bootctl -R)" to quickly have
+         a look at the partition table of the running OS.
+
+       * systemctl gained a new "list-paths" verb, which shows all currently
+         active .path units, similar to how "systemctl list-timers" shows
+         active timers, and "systemctl list-sockets" shows active sockets.
+
+       * The sd-event API gained new calls sd_event_add_memory_pressure(),
+         sd_event_source_set_memory_pressure_type(),
+         sd_event_source_set_memory_pressure_period() for creating and
+         configuring an event source that is called whenever the OS signals
+         memory pressure. Another call sd_event_trim_memory() is provided that
+         compacts the process' memory use by releasing allocated but unused
+         malloc() memory back to the kernel. This should improve system
+         behaviour under memory pressure, as on Linux traditionally provided no
+         mechanism to return process memory back to the kernel if the kernel
+         was under pressure to acquire some. This makes use of the kernel's PSI
+         interface. Most long-running services that systemd contains have been
+         hooked up with this, and in particular systems with little memory
+         should benefit from this.
+
+       * Service units learnt the new MemoryPressureWatch=,
+         MemoryPressureThresholdSec= for configuring the PSI memory pressure
+         logic individually. If these options are used the
+         $MEMORY_PRESSURE_WATCH and $MEMORY_PRESSURE_WRITE environment
+         variables will be set for the invoked services processes to inform
+         them about the requested memory pressure behaviour. (This is used by
+         the aforementioned sd-events API additions, if set.)
+
+       * systemd-analyze gained a new "malloc" verb that shows the output
+         generated by glibc's malloc_info() on services that support it. Right
+         now, only the service manager has been updated accordingly.
+
+       * systemd-stub will now look for the SMBIOS Type 1 field
+         "io.systemd.stub.kernel-cmdline-extra" and append its value to the
+         kernel command line it invokes. This is useful for VMMs such as qemu
+         to pass additional kernel command lines into the system even when
+         booting via full UEFI.
+
+       * The sd-login API gained a new call sd_session_get_username() for
+         returning the user name who owns a specific login session. It also
+         gained a new call sd_session_get_start_time() for retrieving the time
+         the login session started. A new call sd_uid_get_login_time() returns
+         the time the specified user the time since when they most recently
+         were logged in continously with at least one session.
+
+       * JSON user records gained a new set of fields capabilityAmbientSet and
+         capabilityBoundingSet which contain a list of POSIX capabilities to
+         set for the logged in users in the ambient and bounding sets,
+         respectively. homectl gained the ability to configure these two sets
+         for users via --capability-bounding-set=/--capability-ambient-set=.
+
+       * pam_systemd learnt two new module options
+         default-capability-bounding-set= + default-capability-ambient-set= to
+         configure the default bounding sets for users as they are logging in,
+         if the JSON user record doesn't specify this explicitly (see
+         above). The built-in default for the ambient set now contains the
+         CAP_WAKE_ALARM, thus allowing regular users who may log in locally to
+         resume from a system suspend via a timer. (see above)
+
+       * Most of systemd's long-running services now have a generic handler of
+         the SIGRTMIN+18 signal handler which executes various operations
+         depending ont the sigqueue() parameter sent along. For example, values
+         0x100…0x107 allow changing the maximum log level of such
+         services. 0x200…0x203 allow changing the log target of such
+         services. 0x300 make the services trim their memory similar to the
+         automatic PSI triggered action, see above. 0x301 make the services
+         output their malloc_info() data to the logs.
+
+       * systemd-dissect will now show the intended CPU architecture of an
+         inspected DDI.
+
+       * networkd's GENEVE support as gained a new .network optoin
+         InheritInnerProtocol=.
+
+       * systemd-dissect will now install itself as mount helper for the "ddi"
+         pseudo-file type. This means you may now mount DDIs directly via
+         /bin/mount or /etc/fstab, making full use of embedded Verity
+         information and all other DDI features. Example: mount -t ddi
+         myimage.raw /some/where
+
+       * The KERNEL_INSTALL_LAYOUT= setting for kernel-install gained a new
+         value "auto". If used a kernel will be automatically analyzed, and if
+         it qualifies as UKI it will be installed as if the setting was to set
+         to "uki", otherwise via "bls".
+
+       * udevadm gained the new "verify" verb for validating udev rules files
+         offline.
+
+       * udev will now create symlinks to loopback block devices in the
+         /dev/loop/by-ref/ directory that are based on the .lo_file_name string
+         field selected during allocation. The systemd-dissect tool and the
+         util-linux losetup command now supports a complementing new switch
+         --loop-ref= for selecting the string. This means a loopback block
+         device may now be allocated under a caller chosen reference and can
+         subsequently be referenced by that without having to look up the block
+         device name the caller ended up with first.
+
+       * udev also creates symlinks to loopback block devices in the
+         /dev/loop/by-ref/ directory based on the .st_dev/st_ino fields of the
+         inode attached to the loopback block device. This means that attaching
+         a file to a loopback device will implicitly make a handle available to
+         find it via that file's inode information.
+
+       * The systemd-dissect tool gained the new switches --attach/--detach for
+         attaching a DDI to a loopback block device without mounting it. It
+         will automatically derive the right sector size from the image and set
+         up Verity and similar, but not mount the file systems in it.
+
+       * When systemd-gpt-auto-generator or the DDI mounting logic mount an ESP
+         or XBOOTLDR partition the MS_NOSYMFOLLOW mount option is now
+         implied. Given that these file systems are typically untrusted
+         territory this should make mounting them automatically have less of a
+         security impact.
+
+       * If MemoryDenyWriteExecute= is enabled for a service and the kernel
+         supports the new PR_SET_MDWE prctl() call it is used in preference
+         over seccomp() based system call filtering to achieve the same.
+
+       * systemctl gained a new --when= switch which is honoured by the various
+         forms of shutdown (i.e. reboot, kexec, poweroff, halt) and allows
+         scheduling these operations by time, similar in fashion to how this
+         has been supported by SysV shutdown.
+
+       * machinectl gained new "edit" and "cat" verbs for editing .nspawn
+         files, inspired by systemctl's verbs of the same which edit unit
+         files.
+
+       Caught up to cafd2c0be404cb8879f91d15e05cc8b695b32629
+
 CHANGES WITH 253:
 
         Announcements of Future Feature Removals and Incompatible Changes: