summaryrefslogtreecommitdiffstats
path: root/TODO
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 15:35:18 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 15:35:18 +0000
commitb750101eb236130cf056c675997decbac904cc49 (patch)
treea5df1a06754bdd014cb975c051c83b01c9a97532 /TODO
parentInitial commit. (diff)
downloadsystemd-b750101eb236130cf056c675997decbac904cc49.tar.xz
systemd-b750101eb236130cf056c675997decbac904cc49.zip
Adding upstream version 252.22.upstream/252.22upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'TODO')
-rw-r--r--TODO2316
1 files changed, 2316 insertions, 0 deletions
diff --git a/TODO b/TODO
new file mode 100644
index 0000000..93963c2
--- /dev/null
+++ b/TODO
@@ -0,0 +1,2316 @@
+Bugfixes:
+
+* Many manager configuration settings that are only applicable to user
+ manager or system manager can be always set. It would be better to reject
+ them when parsing config.
+
+* Jun 01 09:43:02 krowka systemd[1]: Unit user@1000.service has alias user@.service.
+ Jun 01 09:43:02 krowka systemd[1]: Unit user@6.service has alias user@.service.
+ Jun 01 09:43:02 krowka systemd[1]: Unit user-runtime-dir@6.service has alias user-runtime-dir@.service.
+
+External:
+
+* Fedora: add an rpmlint check that verifies that all unit files in the RPM are listed in %systemd_post macros.
+
+* dbus:
+ - natively watch for dbus-*.service symlinks (PENDING)
+ - teach dbus to activate all services it finds in /etc/systemd/services/org-*.service
+
+* kernel: add device_type = "fb", "fbcon" to class "graphics"
+
+* /usr/bin/service should actually show the new command line
+
+* fedora: suggest auto-restart on failure, but not on success and not on coredump. also, ask people to think about changing the start limit logic. Also point people to RestartPreventExitStatus=, SuccessExitStatus=
+
+* neither pkexec nor sudo initialize environ[] from the PAM environment?
+
+* fedora: update policy to declare access mode and ownership of unit files to root:root 0644, and add an rpmlint check for it
+
+* register catalog database signature as file magic
+
+* zsh shell completion:
+ - <command> <verb> -<TAB> should complete options, but currently does not
+ - systemctl add-wants,add-requires
+ - systemctl reboot --boot-loader-entry=
+
+* systemctl status should know about 'systemd-analyze calendar ... --iterations='
+* If timer has just OnInactiveSec=..., it should fire after a specified time
+ after being started.
+
+* write blog stories about:
+ - hwdb: what belongs into it, lsusb
+ - enabling dbus services
+ - how to make changes to sysctl and sysfs attributes
+ - remote access
+ - how to pass throw-away units to systemd, or dynamically change properties of existing units
+ - testing with Harald's awesome test kit
+ - auto-restart
+ - how to develop against journal browsing APIs
+ - the journal HTTP iface
+ - non-cgroup resource management
+ - dynamic resource management with cgroups
+ - refreshed, longer missions statement
+ - calendar time events
+ - init=/bin/sh vs. "emergency" mode, vs. "rescue" mode, vs. "multi-user" mode, vs. "graphical" mode, and the debug shell
+ - how to create your own target
+ - instantiated apache, dovecot and so on
+ - hooking a script into various stages of shutdown/rearly booot
+
+Regularly:
+
+* look for close() vs. close_nointr() vs. close_nointr_nofail()
+
+* check for strerror(r) instead of strerror(-r)
+
+* pahole
+
+* set_put(), hashmap_put() return values check. i.e. == 0 does not free()!
+
+* use secure_getenv() instead of getenv() where appropriate
+
+* link up selected blog stories from man pages and unit files Documentation= fields
+
+Janitorial Clean-ups:
+
+* Rearrange tests so that the various test-xyz.c match a specific src/basic/xyz.c again
+
+* rework mount.c and swap.c to follow proper state enumeration/deserialization
+ semantics, like we do for device.c now
+
+* get rid of prefix_roota() and similar, only use chase_symlinks() and related
+ calls instead.
+
+* get rid of basename() and replace by path_extract_filename()
+
+Deprecations and removals:
+
+* Remove any support for booting without /usr pre-mounted in the initrd entirely.
+ Update INITRD_INTERFACE.md accordingly.
+
+* 2019-10 – Remove POINTINGSTICK_CONST_ACCEL references from the hwdb, see #9573
+
+* remove cgrouspv1 support EOY 2023. As per
+ https://lists.freedesktop.org/archives/systemd-devel/2022-July/048120.html
+ and then rework cgroupsv2 support around fds, i.e. keep one fd per active
+ unit around, and always operate on that, instead of cgroup fs paths.
+
+* drop support for kernels that lack ambient capabilities support (i.e. make
+ 4.3 new baseline). Then drop support for "!!" modifier for ExecStart= which
+ is only supported for such old kernels.
+
+* drop support for getrandom()-less kernels. (GRND_INSECURE means once kernel
+ 5.6 becomes our baseline). See
+ https://github.com/systemd/systemd/pull/24101#issuecomment-1193966468 for
+ details. Maybe before that: at taint-flags/warn about kernels that lack
+ getrandom()/environments where it is blocked.
+
+* drop support for LOOP_CONFIGURE-less loopback block devices, once kernel
+ baseline is 5.8.
+
+* drop fd_is_mount_point() fallback mess once we can rely on
+ STATX_ATTR_MOUNT_ROOT to exist i.e. kernel baseline 5.8
+
+* rework our PID tracking in services and so on, to be strictly based on pidfd,
+ once kernel baseline is 5.13.
+
+* ~2023: remove support for TPM_PCR_INDEX_KERNEL_PARAMETERS_COMPAT
+
+* H2 2023: remove support for unmerged-usr
+
+Features:
+
+* sd-stub: add ".bootcfg" section for kernel bootconfig data (as per
+
+* tpm2: add (optional) support for generating a local signing key from PCR 15
+ state. use private key part to sign PCR 7+14 policies. stash signatures for
+ expected PCR7+14 policies in EFI var. use public key part in disk encryption.
+ generate new sigs whenever db/dbx/mok/mokx gets updated. that way we can
+ securely bind against SecureBoot/shim state, without having to renroll
+ everything on each update (but we still have to generate one sig on each
+ update, but that should be robust/idempotent). needs rollback protection, as
+ usual.
+
+* Lennart: big blog story about DDIs
+
+* Lennart: big blog story about building initrds
+
+* Lennart: big blog story about "why systemd-boot"
+
+* bpf: see if we can use BPF to solve the syslog message cgroup source problem:
+ one idea would be to patch source sockaddr of all AF_UNIX/SOCK_DGRAM to
+ implicitly contain the source cgroup id. Another idea would be to patch
+ sendto()/connect()/sendmsg() sockaddr on-the-fly to use a different target
+ sockaddr.
+
+* bpf: see if we can address opportunistic inode sharing of immutable fs images
+ with BPF. i.e. if bpf gives us power to hook into openat() and return a
+ different inode than is requested for which we however it has same contents
+ then we can use that to implement opportunistic inode sharing among DDIs:
+ make all DDIs ship xattr on all reg files with a SHA256 hash. Then, also
+ dictate that DDIs should come with a top-level subdir where all reg files are
+ linked into by their SHA256 sum. Then, whenever an inode is opened with the
+ xattr set, check bpf table to find dirs with hashes for other prior DDIs and
+ try to use inode from there.
+
+* dissect too: add --with switch that will invoke a command with the image
+ mounted, and as current working directory. Terminate once done.
+
+* extend the verity signature partition to permit multiple signatures for the
+ same root hash, so that people can sign a single image with multiple keys.
+
+* consider adding a new partition type, just for /opt/ for usage in system
+ extensions
+
+* gpt-auto-discovery: also use the pkcs7 signature stuff, and pass signature to
+ kernel. So far we only did this for the various --image= switches, but not
+ for the root fs or /usr/.
+
+* extend systemd-measure with an --append= mode when signing expected PCR
+ measurements. In this mode the tool should read an existing signature JSON
+ object (which primarily contains an array with the actual signature data),
+ and then append the new signature to it instead of writing out an entirely
+ JSON object. Usecase: it might make sense to to sign a UKI's expected PCRs
+ with different keys for different boot phases. i.e. use keypair X for signing
+ the expected PCR in the initrd boot phase and keypair Y for signing the
+ expected PCR in the main boot phase. Via the --append logic we could merge
+ these signatures into one object, and then include the result in the UKI.
+ Then, if you bind a LUKS volume to public key X it really only can be
+ unlocked during early boot, and you bind a LUKS volume to public key Y it
+ really only can be unlocked during later boot, and so on.
+
+* dissection policy should enforce that unlocking can only take place by
+ certain means, i.e. only via pw, only via tpm2, or only via fido, or a
+ combination thereof.
+
+* make the systemd-repart "seed" value provisionable via credentials, so that
+ confidential computing environments can set it and deterministically
+ enforce the uuids for partitions created, so that they can calculate PCR 15
+ ahead of time.
+
+* systemd-repart: also derive the volume key from the seed value, for the
+ aforementioned purpose.
+
+* in the initrd: derive the default machine ID to pass to the host PID 1 via
+ $machine_id from the same seed credential.
+
+* Add systemd-sysupdate-initrd.service or so that runs systemd-sysupdate in the
+ initrd to bootstrap the initrd to populate the initial partitions. Some things
+ to figure out:
+ - Should it run on firstboot or on every boot?
+ - If run on every boot, should it use the sysupdate config from the host on
+ subsequent boots?
+
+* hook up journald with TPMs? measure new journal records to the TPM in regular
+ intervals, validate the journal against current TPM state with that. (taking
+ inspiration from IMA log)
+
+* provide an API to apps to encrypt/decrypt credentials. usecase: allow
+ bluez bluetooth daemon to pass pairings to initrd that way, without shelling
+ out to our tools.
+
+* revisit default PCR bindings in cryptenroll and systemd-creds. Currently they
+ use PCR 7 which should contain secureboot state db/dbx. Which sounded like a
+ safe bet, given that it should change only on policy changes, and not
+ software updates. But that's wrong. Recent fwupd (rightfully) contains code
+ for updating the dbx denylist. This means even without any active policy
+ change PCR 7 might change. Hence, better idea might be in systemd-creds to
+ default to PCR 15 at least if sd-stub is used (i.e. bind to system identity),
+ and in cryptsetup simply the empty list? Also, PCR 14 almost certainly should
+ be included as much as PCR 7 (as it contains shim's policy, which is
+ certainly as relevant as PCR 7 on many systems)
+
+* move discoverable partition spec and boot loader spec over to uapi group
+
+* maybe measure UUIDs of important mounted file systems (after mount, via the
+ new ioctls to query them) into PCR 15? Add "x-systemd.measure-pcr=" or so for
+ this that pulls in a per mount service?
+
+* measure /etc/machine-id during early boot into PCR 15?
+
+* To mimic the new tpm2-measure-pcr= crypttab option add the same to veritytab
+ (measuring the root hash) and integritytab (measuring the HMAC key if one is
+ used)
+
+* We should start measuring all services, containers, and system extensions we
+ activate. probably into PCR 13. i.e. add --tpm2-measure-pcr= or so to
+ systemd-nspawn, and MeasurePCR= to unit files. Should contain a measurement
+ of the activated configuration and the image that is being activated (in case
+ verity is used, hash of the root hash).
+
+* whenever we measure something into a TPM PCR from userspace, write a record in
+ TCG's "Canonical Event Log" format to some file, so that we can reason about
+ how PCR values we manage came to
+ be. https://trustedcomputinggroup.org/resource/canonical-event-log-format/
+
+* bootspec: permit graceful "update" from type #2 to type #1. If both a type #1
+ and a type #2 entry exist under otherwise the exact same name, then use the
+ type #1 entry, and ignore the type #2 entry. This way, people can "upgrade"
+ from the UKI with all parameters baked in to a Type #1 .conf file with manual
+ parametrization, if needed. This matches our usual rule that admin config
+ should win over vendor defaults.
+
+* sd-stub: optionally allow users to configure manual kernel command line even
+ in SecureBoot by authenticating it via shim's APIs, integrating with MOK and
+ similar: instead of authenticating just PE code shim should be capable of
+ authenticating any kind of data for us, including files containing kernel
+ command lines.
+
+* write a "search path" spec, that documents the prefixes to search in
+ (i.e. the usual /etc/, /run/, /usr/lib/ dance, potentially /usr/etc/), how to
+ sort found entries, how masking works and overriding.
+
+* automatic boot assessment: add one more default success check that just waits
+ for a bit after boot, and blesses the boot if the system stayed up that long.
+
+* implement concept of "versioned" resources inside a dir, and write a spec for
+ it. Make all tools in systemd, in particular
+ RootImage=/RootDirectory=/--image=/--directory= implement this. Idea:
+ directories ending in ".v/" indicate a directory with versioned resources in
+ them. Versioned resources inside a .v dir are always named in the pattern
+ <prefix>_<version>[+<tries-left>[-<tries-done>]].<suffix>
+
+* add support for using this .v/ logic on the root fs itself: in the initrd,
+ after mounting the rootfs, look for root-<arch>.v/ in the root fs, and then
+ apply the logic, moving the switch root logic there.
+
+* systemd-repart: add support for generating ISO9660 images
+
+* systemd-repart: in addition to the existing "factory reset" mode (which
+ simply empties existing partitions marked for that). add a mode where
+ partitions marked for it are entirely removed. Usecase: remove secondary OS
+ copy, and redundant partitions entirely, and recreate them anew.
+
+* systemd-boot: maybe add support for collapsing menu entries of the same OS
+ into one item that can be opened (like in a "tree view" UI element) or
+ collapsed. If only a single OS is installed, disable this mode, but if
+ multiple OSes are installed might make sense to default to it, so that user
+ is not immediately bombarded with a multitude of Linux kernel versions but
+ only one for each OS.
+
+* systemd-repart: if the GPT *disk* UUID (i.e. the one global for the entire
+ disk) is set to all FFFFF then use this as trigger for factory reset, in
+ addition to the existing mechanisms via EFI variables and kernel command
+ line. Benefit: works also on non-EFI systems, and can be requested on one
+ boot, for the next.
+
+* figure out a sane way when building UKIs how to extract SBAT data from inner
+ kernel, extend it with component info, and add to outer kernel.
+
+* systemd-sysupdate: make transport pluggable, so people can plug casync or
+ similar behind it, instead of http.
+
+* systemd-tmpfiles: add concept for conditionalizing lines on factory reset
+ boot, or on first boot.
+
+* in UKIs: add way to define allowlist of additional words that can be added to
+ the kernel cmdline even in SecureBoot mode
+
+* we probably needs .pcrpkeyrd or so as additional PE section in UKIs,
+ which contains a separate public key for PCR values that only apply in the
+ initrd, i.e. in the boot phase "enter-initrd". Then, consumers in userspace
+ can easily bind resources to just the initrd. Similar, maybe one more for
+ "enter-initrd:leave-initrd" for resources that shall be accessible only
+ before unprivileged user code is allowed. (we only need this for .pcrpkey,
+ not for .pcrsig, since the latter is a list of signatures anyway). With that,
+ when you enroll a LUKS volume or similar, pick either the .pcrkey (for
+ coverage through all phases of the boot, but excluding shutdown), the
+ .pcrpkeyrd (for coverage in the initrd only) and .pcrpkeybt (for coverage
+ until users are allowed to log in).
+
+* Once the root fs LUKS volume key is measured into PCR 15, default to binding
+ credentials to PCR 15 in "systemd-creds"
+
+* add support for asymmetric LUKS2 TPM based encryption. i.e. allow preparing
+ an encrypted image on some host given a public key belonging to a specific
+ other host, so that only hosts possessing the private key in the TPM2 chip
+ can decrypt the volume key and activate the volume. Usecase: systemd-syscfg
+ for a central orchestrator to generate syscfg images securely that can only
+ be activated on one specific host (which can be used for installing a bunch
+ of creds in /etc/credstore/ for example). Extending on this: allow binding
+ LUKS2 TPM based encryption also to the TPM2 internal clock. Net result:
+ prepare a syscfg image that can only be activated on a specific host that
+ runs a specific software in a specific time window. syscfg would be
+ automatically invalidated outside of it.
+
+* maybe add a "systemd-report" tool, that generates a TPM2-backed "report" of
+ current system state, i.e. a combination of PCR information, local system
+ time and TPM clock, running services, recent high-priority log
+ messages/coredumps, system load/PSI, signed by the local TPM chip, to form an
+ enhanced remote attestation quote. Usecase: a simple orchestrator could use
+ this: have the report tool upload these reports every 3min somewhere. Then
+ have the orchestrator collect these reports centrally over a 3min time
+ window, and use them to determine what which node should now start/stop what,
+ and generate a small syscfg for each node, that uses Uphold= to pin services
+ on each node. The syscfg would be encrypted using the asymmetric encryption
+ proposed above, so that it can only be activated on the specific host, if the
+ software is in a good state, and within a specific time frame. Then run a
+ loop on each node that sends report to orchestrator and then sysupdate to
+ update syscfg. Orchestrator would be stateless, i.e. operate on desired
+ config and collected reports in the last 3min time window only, and thus can
+ be trivially scaled up since all instances of the orchestrator should come to
+ the same conclusions given the same inputs of reports/desired workload info.
+ Could also be used to deliver Wireguard secrets and thus to clients, thus
+ permitting zero-trust networking: secrets are rolled over via syscfg updates,
+ and via the time window TPM logic invalidated if node doesn't keep itself
+ updated, or becomes corrupted in some way.
+
+* Always measure the LUKS rootfs volume key into PCR 15, and derive the machine
+ ID from it securely. This would then allow us to bind secrets a specific
+ system securely.
+
+* nspawn: maybe allow TPM passthrough, backed by swtpm, and measure --image=
+ hash into its PCR 11, so that nspawn instances can be TPM enabled, and
+ partake in measurements/remote attestation and such. swtpm would run outside
+ of control of container, and ideally would itself bind its encryption keys to
+ host TPM.
+
+* tree-wide: convert as much as possible over to use sd_event_set_signal_exit(), instead
+ of manually hooking into SIGINT/SIGTERM
+
+* tree-wide: convert as much as possible over to SD_EVENT_SIGNAL_PROCMASK
+ instead of manual blocking.
+
+* sd-boot: for each installed OS, grey out older entries (i.e. all but the
+ newest), to indicate they are obsolete
+
+* automatically propagate LUKS password credential into cryptsetup from host
+ (i.e. SMBIOS type #11, …), so that one can unlock LUKS via VM hypervisor
+ supplied password.
+
+* add ability to path_is_valid() to classify paths that refer to a dir from
+ those which may refer to anything, and use that in various places to filter
+ early. i.e. stuff ending in "/", "/." and "/.." definitely refers to a
+ directory, and paths ending that way can be refused early in many contexts.
+
+* systemd-measure: allow operating with PEM certificates in addition to PEM
+ public keys when signing PCR values. SecureBoot and our Verity signatures
+ operate with certificates already, hence I guess we should also just deal for
+ convencience with certificates for the PCR stuff too.
+
+* systemd-measure: add --pcrpkey-auto as an alternative to --pcrpkey=, where it
+ would just use the same public key specified with --public-key= (or the one
+ automatically derived from --private-key=).
+
+* tmpfiles: add new line type for setting btrfs subvolume attributes (i.e. rw/ro)
+
+* tmpfiles: add new line type for setting fcaps
+
+* push people to use ".sysext.raw" as suffix for sysext DDIs (DDI =
+ discoverable disk images, i.e. the new name for gpt disk images following the
+ discoverable disk spec). [Also: just ".sysext/" for directory-based sysext]
+
+* Add "purpose" flag to partition flags in discoverable partition spec that
+ indicate if partition is intended for sysext, for portable service, for
+ booting and so on. Then, when dissecting DDI allow specifying a purpose to
+ use as additional search condition. Usecase: images that combined a sysext
+ partition with a portable service partition in one.
+
+* On boot, auto-generate an asymmetric key pair from the TPM,
+ and use it for validating DDIs and credentials. Maybe upload it to the kernel
+ keyring, so that the kernel does this validation for us for verity and kernel
+ modules
+
+* for systemd-syscfg: add a tool that can generate suitable DDIs with verity +
+ sig using squashfs-tools-ng's library. Maybe just systemd-repart called under
+ a new name with a built-in config?
+
+* gpt-auto: generate mount units that reference partitions via
+ /dev/disk/by-diskseq/… so that they can't be swapped out behind our back.
+
+* lock down acceptable encrypted credentials at boot, via simple allowlist,
+ maybe on kernel command line:
+ systemd.import_encrypted_creds=foobar.waldo,tmpfiles.extra to protect locked
+ down kernels from credentials generated on the host with a weak kernel
+
+* Add support for extra verity configuration options to systemd-repart (FEC,
+ hash type, etc)
+
+* chase_symlinks(): take inspiraton from path_extract_filename() and return
+ O_DIRECTORY if input path contains trailing slash.
+
+* chase_symlinks(): refuse resolution if trailing slash is specified on input,
+ but final node is not a directory
+
+* chase_symlinks(): add new flag that simply refuses all symlink use in a path,
+ then use that for accessing XBOOTLDR/ESP
+
+* document in boot loader spec that symlinks in XBOOTLDR/ESP are not OK even if
+ non-VFAT fs is used.
+
+* measure credentials picked up from SMBIOS to some suitable PCR
+
+* measure GPT and LUKS headers somewhere when we use them (i.e. in
+ systemd-gpt-auto-generator/systemd-repart and in systemd-cryptsetup?)
+
+* pick up creds from EFI vars
+
+* sd-stub/sd-boot: write RNG seed to LINUX_EFI_RANDOM_SEED_TABLE_GUID config
+ table as well. (and possibly drop our efi var). Current kernels will pick up
+ the seed from there already, if EFI_RNG_PROTOCOL is not implemented by
+ firmware.
+
+* sd-boot: include domain specific hash string in hash function for random seed
+ plus sizes of everything. also include DMI/SMBIOS blob
+
+* sd-stub: invoke random seed logic the same way as in sd-boot, except if
+ random seed EFI variable is already set. That way, the variable set will be
+ set in all cases: if you just use sd-stub, or just sd-boot, or both.
+
+* sd-boot: we probably should include all BootXY EFI variable defined boot
+ entries in our menu, and then suppress ourselves. Benefit: instant
+ compatibility with all other OSes which register things there, in particular
+ on other disks. Always boot into them via NextBoot EFI variable, to not
+ affect PCR values.
+
+* systemd-measure tool:
+ - pre-calculate PCR 12 (command line) + PCR 13 (sysext) the same way we can precalculate PCR 11
+
+* in sd-boot: load EFI drivers from a new PE section. That way, one can have a
+ "supercharged" sd-boot binary, that could carry ext4 drivers built-in.
+
+* sd-bus: document that sd_bus_process() only returns messages that non of the
+ filters/handlers installed on the connection took possession of.
+
+* sd-device: add an API for acquiring list of child devices, given a device
+ objects (i.e. all child dirents that dirs or symlinks to dirs)
+
+* sd-device: maybe pin the sysfs dir with an fd, during the entire runtime of
+ an sd_device, then always work based on that.
+
+* add small wrapper around qemu that implements sd_notify/AF_VSOCK + machined and
+ maybe some other stuff and boots it
+
+* maybe add new flags to gpt partition tables for rootfs and usrfs indicating
+ purpose, i.e. whether something is supposed to be bootable in a VM, on
+ baremetal, on an nspawn-style container, if it is a portable service image,
+ or a sysext for initrd, for host os, or for portable container. Then hook
+ portabled/… up to udev to watch block devices coming up with the flags set, and
+ use it.
+
+* sd-boot should look for information what to boot in SMBIOS, too, so that VM
+ managers can tell sd-boot what to boot into and suchlike
+
+* PID 1 should look for an SMBIOS variable that encodes an AF_VSOCK address it
+ should send sd_notify() ready notifications to. That way a VMM can boot up a
+ system, and generically know when it finished booting.
+
+* add "systemd-sysext identify" verb, that you can point on any file in /usr/
+ and that determines from which overlayfs layer it originates, which image, and with
+ what it was signed.
+
+* journald: generate recognizable log events whenever we shutdown journald
+ cleanly, and when we migrate run → var. This way tools can verify that a
+ previous boot terminated cleanly, because either of these two messages must
+ be safely written to disk, then.
+
+* systemd-creds: extend encryption logic to support asymmetric
+ encryption/authentication. Idea: add new verb "systemd-creds public-key"
+ which generates a priv/pub key pair on the TPM2 and stores the priv key
+ locally in /var. It then outputs a certificate for the pub part to stdout.
+ This can then be copied/taken elsewhere, and can be used for encrypting creds
+ that only the host on its specific hw can decrypt. Then, support a drop-in
+ dir with certificates that can be used to authenticate credentials. Flow of
+ operations is then this: build image with owner certificate, then after
+ boot up issue "systemd-creds public-key" to acquire pubkey of the machine.
+ Then, when passing data to the machine, sign with privkey belonging to one of
+ the dropped in certs and encrypted with machine pubkey, and pass to machine.
+ Machine is then able to authenticate you, and confidentiality is guaranteed.
+
+* building on top of the above, the pub/priv key pair generated on the TPM2
+ should probably also one you can use to get a remote attestation quote.
+
+* bootctl: add "gc" verb that loads all type #1 .conf files, and then removes
+ all files from the set of files from the ESP/XBOOTLDR matching the entry
+ token that are not referenced by any. Then, change kernel-install to use only
+ this to remove auxiliary files, and never remove them explicitly. Benefit:
+ resources such as initrds/kernels/dtb can be shared between entries.
+
+* Process credentials in:
+ • networkd/udevd: add a way to define additional .link, .network, .netdev files
+ via the credentials logic.
+ • fstab-generator: allow defining additional fstab-like mounts via
+ credentials (similar: crypttab-generator, verity-generator,
+ integrity-generator)
+ • getty-generator: allow defining additional getty instances via a credential
+ • run-generator: allow defining additional commands to run via a credential
+ • resolved: allow defining additional /etc/hosts entries via a credential (it
+ might make sense to then synthesize a new combined /etc/hosts file in /run
+ and bind mount it on /etc/hosts for other clients that want to read it.
+ Similar, allow picking up DNS server IP addresses from credential.
+ • repart: allow defining additional partitions via credential
+ • timesyncd: pick NTP server info from credential
+ • portabled: read a credential "portable.extra" or so, that takes a list of
+ file system paths to enable on start.
+ • make systemd-fstab-generator look for a system credential encoding root= or
+ usr=
+ • systemd-homed: when initializing, look for a credential
+ systemd.homed.register or so with JSON user records to automatically
+ register if not registered yet. Usecase: deploy a system, and add an
+ account one can directly log into.
+ • initialize machine ID from systemd credential picked up from the ESP via
+ sd-stub, so that machine ID is stable even on systems where unified kernels
+ are used, and hence kernel cmdline cannot be modified locally
+ • in gpt-auto-generator: check partition uuids against such uuids supplied via
+ sd-stub credentials. That way, we can support parallel OS installations with
+ pre-built kernels.
+
+* define a JSON format for units, separating out unit definitions from unit
+ runtime state. Then, expose it:
+
+ 1. Add Describe() method to Unit D-Bus object that returns a JSON object
+ about the unit.
+ 2. Expose this natively via Varlink, in similar style
+ 3. Use it when invoking binaries (i.e. make PID 1 fork off systemd-executor
+ binary which reads the JSON definition and runs it), to address the cow
+ trap issue and the fact that NSS is actually forbidden in
+ forked-but-not-exec'ed children
+ 4. Add varlink API to run transient units based on provided JSON definitions
+
+* show SUPPORT_END= data in "hostnamectl" output (and thus also expose a prop
+ for this on dbus)
+
+* Add SUPPORT_END_URL= field to os-release with more *actionable* information
+ what to do if support ended
+
+* pam_systemd: on interactive logins, maybe show SUPPORT_END information at
+ login time, à la motd
+
+* sd-boot: instead of unconditionally deriving the ESP to search boot loader
+ spec entries in from the paths of sd-boot binary, let's optionally allow it
+ to be configured on sd-boot cmdline + efi var. Usecase: embed sd-boot in the
+ UEFI firmware (for example, ovmf supports that via qemu cmdline option), and
+ use it to load stuff from the ESP.
+
+* mount /var/ from initrd, so that we can apply sysext and stuff before the
+ initrd transition. Specifically:
+ 1. There should be a var= kernel cmdline option, matching root= and usr=
+ 2. systemd-gpt-auto-generator should auto-mount /var if it finds it on disk
+ 3. mount.x-initrd mount option in fstab should be implied for /var
+
+* implement varlink introspection
+
+* we should probably drop all use of prefix_roota() and friends, and use
+ chase_symlinks() instead
+
+* make persistent restarts easier by adding a new setting OpenPersistentFile=
+ or so, which allows opening one or more files that is "persistent" across
+ service restarts, hot reboot, cold reboots (depending on configuration): the
+ files are created empty on first invocation, and on subsequent invocations
+ the files are reboot. The files would be backed by tmpfs, pmem or /var
+ depending on desired level of persistency.
+
+* sd-event: add ability to "chain" event sources. Specifically, add a call
+ sd_event_source_chain(x, y), which will automatically enable event source y
+ in oneshit mode once x is triggered. Use case: in src/core/mount.c implement
+ the /proc/self/mountinfo rescan on SIGCHLD with this: whenever a SIGCHLD is
+ seen, trigger the rescan defer event source automatically, and allow it to be
+ dispatched *before* the SIGCHLD is handled (based on priorities). Benefit:
+ dispatch order is strictly controlled by priorities again. (next step: chain
+ event sources to the ratelimit being over)
+
+* if we fork of a service with StandardOutput=journal, and it forks off a
+ subprocess that quickly dies, we might not be able to identify the cgroup it
+ comes from, but we can still derive that from the stdin socket its output
+ came from. We apparently don't do that right now.
+
+* add ability to set hostname with suffix derived from machine id at boot
+
+* add PR_SET_DUMPABLE service setting
+
+* homed/userdb: maybe define a "companion" dir for home directories where apps
+ can safely put privileged stuff in. Would not be writable by the user, but
+ still conceptually belong to the user. Would be included in user's quota if
+ possible, even if files are not owned by UID of user. Usecase: container
+ images that owned by arbitrary UIDs, and are owned/managed by the users, but
+ are not directly belonging to the user's UID. Goal: we shouldn't place more
+ privileged dirs inside of unprivileged dirs, and thus containers really
+ should not be placed inside of traditional UNIX home dirs (which are owned by
+ users themselves) but somewhere else, that is separate, but still close
+ by. Inform user code about path to this companion dir via env var, so that
+ container managers find it. the ~/.identity file is also a candidate for a
+ file to move there, since it is managed by privileged code (i.e. homed) and
+ not unprivileged code.
+
+* given that /etc/ssh/ssh_config.d/ is a thing now, ship a drop-in for that
+ that hooks up userbdctl ssh-key stuff.
+
+* maybe add support for binding and connecting AF_UNIX sockets in the file
+ system outside of the 108ch limit. When connecting, open O_PATH fd to socket
+ inode first, then connect to /proc/self/fd/XYZ. When binding, create symlink
+ to target dir in /tmp, and bind through it.
+
+* add a proper concept of a "developer" mode, i.e. where cryptographic
+ protections of the root OS are weakened after interactive confirmation, to
+ allow hackers to allow their own stuff. idea: allow entering developer mode
+ only via explicit choice in boot menu: i.e. add explicit boot menu item for
+ it. when developer mode is entered generate a key pair in the TPM2, and add
+ the public part of it automatically to keychain of valid code signature keys
+ on subsequent boots. Then provide a tool to sign code with the key in the
+ TPM2. Ensure that boot menu item is only way to enter developer mode, by
+ binding it to locality/PCRs so that that keys cannot be generated otherwise.
+
+* services: add support for cryptographically unlocking per-service directories
+ via TPM2. Specifically, for StateDirectory= (and related dirs) use fscrypt to
+ set up the directory so that it can only be accessed if host and app are in
+ order.
+
+* TPM2: extend unlock policy to protect against version downgrades in signed
+ policies: policy probably must take some nvram based generation counter into
+ account that can only monotonically increase and can be used to invalidate
+ old PCR signatures. Otherwise people could downgrade to old signed PCR sets
+ whenever they want.
+
+* update HACKING.md to suggest developing systemd with the ideas from:
+ https://0pointer.net/blog/testing-my-system-code-in-usr-without-modifying-usr.html
+ https://0pointer.net/blog/running-an-container-off-the-host-usr.html
+
+* add a clear concept how the initrd can make up credentials on their own to
+ pass to the system when transitioning into the host OS. usecase: things like
+ cloud-init/ignitation and similar can parameterize the host with data they
+ acquire.
+
+* sd-event: compat wd reuse in inotify code: keep a set of removed watch
+ descriptors, and clear this set piecemeal when we see the IN_IGNORED event
+ for it, or when read() returns EAGAIN or on IN_Q_OVERFLOW. Then, whenever we
+ see an inotify wd event check against this set, and if it is contained ignore
+ the event. (to be fully correct this would have to count the occurrences, in
+ case the same wd is reused multiple times before we start processing
+ IN_IGNORED again)
+
+* systemd-fstab-generator: support addition mount specifications via kernel
+ cmdline. Usecase: invoke a VM, and mount a host homedir into it via
+ virtio-fs.
+
+* for vendor-built signed initrds:
+ - make sysext run in the initrd
+ - sysext should pick up sysext images from /.extra/ in the initrd, and insist
+ on verification if in secureboot mode
+ - kernel-install should be able to install pre-built unified kernel images in
+ type #2 drop-in dir in the ESP.
+ - kernel-install should be able install encrypted creds automatically for
+ machine id, root pw, rootfs uuid, resume partition uuid, and place next to
+ EFI kernel, for sd-stub to pick them up. These creds should be locked to
+ the TPM, and bind to the right PCR the kernel is measured to.
+ - kernel-install should be able to pick up initrd sysexts automatically and
+ place them next to EFI kernel, for sd-stub to pick them up.
+ - systemd-fstab-generator should look for rootfs device to mount in creds
+ - pid 1 should look for machine ID in creds
+ - systemd-resume-generator should look for resume partition uuid in creds
+ - sd-stub: automatically pick up microcode from ESP (/loader/microcode/*)
+ and synthesize initrd from it, and measure it. Signing is not necessary, as
+ microcode does that on its own. Pass as first initrd to kernel.
+
+* Add a new service type very similar to Type=notify, that goes one step
+ further and extends the protocol to cover reloads. Specifically, SIGHUP will
+ become the official way to reload, and daemon has to respond with sd_notify()
+ to report when it starts reloading, and when it is complete reloading. Care
+ must be taken to remove races from this model. I.e. PID 1 needs to take
+ CLOCK_MONOTONIC, then send SIGHUP, then wait for at least one RELOADING=1
+ message that comes with a newer timestamp, then wait for a READY=1 message.
+ while we are at it, also maybe extend the logic to require handling of some
+ specific SIGRT signal for setting debug log level, that carries the level via
+ the sigqueue() data parameter. With that we extended with minimal logic the
+ service runtime logic quite substantially.
+
+* firstboot: maybe just default to C.UTF-8 locale if nothing is set, so that we
+ don't query this unnecessarily in entirely uninitialized
+ containers. (i.e. containers with empty /etc).
+
+* beef up sd_notify() to support AV_VSOCK in $NOTIFY_SOCKET, so that VM
+ managers can get ready notifications from VMs, just like container managers
+ from their payload. Also pick up address from qemu/fw_cfg if set there.
+ (which has benefits, given SecureBoot and kernel cmdline are not necessarily
+ friends.)
+
+* mirroring this: maybe support binding to AV_VSOCK in Type=notify services,
+ then passing $NOTIFY_SOCKET and $NOTIFY_GUESTCID with PID1's cid (typically
+ fixed to "2", i.e. the official host cid) and the expected guest cid, for the
+ two sides of the channel. The latter env var could then be used in an
+ appropriate qemu cmdline. That way qemu payloads could talk sd_notify()
+ directly to host service manager.
+
+* maybe write a tool that binds an AF_VFSOCK socket, then invokes qemu,
+ extending the command line to enable vsock on the VM, and using fw_cfg to
+ configure socket address.
+
+* sd-boot: rework random seed handling following recent kernel changes: always
+ pass seed to kernel, but credit only if secure boot is used
+
+* sd-boot: also include the hyperv "vm generation id" in the random seed hash,
+ to cover nicely for machine clones. It's found in the ACPI tables, which
+ should be easily accessible from UEFI.
+
+* sd-boot: add menu item for shutdown? or hotkey?
+
+* sd-device has an API to create an sd_device object from a device id, but has
+ no api to query the device id
+
+* sd-device should return the devnum type (i.e. 'b' or 'c') via some API for an
+ sd_device object, so that data passed into sd_device_new_from_devnum() can
+ also be queried.
+
+* sd-event: optionally, if per-event source rate limit is hit, downgrade
+ priority, but leave enabled, and once ratelimit window is over, upgrade
+ priority again. That way we can combat event source starvation without
+ stopping processing events from one source entirely.
+
+* sd-event: similar to existing inotify support add fanotify support (given
+ that apparently new features in this area are only going to be added to the
+ latter).
+
+* sd-event: add 1st class event source for clock changes
+
+* sd-event: add 1st class event source for timezone changes
+
+* support uefi/http boots with sd-boot: instead of looking for dropin files in
+ /loader/entries/ dir, look for a file /loader/entries/SHA256SUMS and use that
+ as directory manifest. The file would be a standard directory listing as
+ generated by GNU sha256sums.
+
+* sd-boot: maybe add support for embedding the various auxiliary resources we
+ look for right in the sd-boot binary. i.e. take inspiration from sd-stub
+ logic: allow combining sd-boot via objcopy with kernels to enumerate, .conf
+ files, drivers, keys to enroll and so on. Then, add whatever we find that way
+ to the menu. Usecase: allow building a single PE image you can boot into via
+ UEFI HTTP boot.
+
+* maybe add a new UEFI stub binary "sd-http". It works similar to sd-stub, but
+ all it does is download a file from a http server, and execute it, after
+ optionally checking its hash sum. idea would be: combine this "sd-http" stub
+ binary with some minimal info about an URL + hash sum, plus .osrel data, and
+ drop it into the unified kernel dir in the ESP. And bam you have something
+ that is tiny, feels a lot like a unified kernel, but all it does is chainload
+ the real kernel. benefit: downloading these stubs would be tiny and quick,
+ hence cheap for enumeration.
+
+* sysext: measure all activated sysext into a TPM PCR
+
+* maybe add a "syscfg" concept, that is almost entirely identical to "sysext",
+ but operates on /etc/ instead of /usr/ and /opt/. Use case would be: trusted,
+ authenticated, atomic, additive configuration management primitive: drop in a
+ configuration bundle, and activate it, so that it is instantly visible,
+ comprehensively.
+
+* systemd-dissect: show available versions inside of a disk image, i.e. if
+ multiple versions are around of the same resource, show which ones. (in other
+ words: show partition labels).
+
+* systemd-nspawn: make boot assessment do something sensible in a
+ container. i.e send an sd_notify() from payload to container manager once
+ boot-up is completed successfully, and use that in nspawn for dealing with
+ boot counting, implemented in the partition table labels and directory names.
+
+* maybe add a generator that reads /proc/cmdline, looks for
+ systemd.pull-raw-portable=, systemd-pull-raw-sysext= and similar switches
+ that take an URL as parameter. It then generates service units for
+ systemd-pull calls that download these URLs if not installed yet. usecase:
+ invoke a VM or nspawn container in a way it automatically deploys/runs these
+ images as OS payloads. i.e. have a generic OS image you can point to any
+ payload you like, which is then downloaded, securely verified and run.
+
+* improve scope units to support creation by pidfd instead of by PID
+
+* deprecate cgroupsv1 further (print log message at boot)
+
+* systemd-dissect: add --cat switch for dumping files such as /etc/os-release
+
+* per-service sandboxing option: ProtectIds=. If used, will overmount
+ /etc/machine-id and /proc/sys/kernel/random/boot_id with synthetic files, to
+ make it harder for the service to identify the host. Depending on the user
+ setting it should be fully randomized at invocation time, or a hash of the
+ real thing, keyed by the unit name or so. Of course, there are other ways to
+ get these IDs (e.g. journal) or similar ids (e.g. MAC addresses, DMI ids, CPU
+ ids), so this knob would only be useful in combination with other lockdown
+ options. Particularly useful for portable services, and anything else that
+ uses RootDirectory= or RootImage=. (Might also over-mount
+ /sys/class/dmi/id/*{uuid,serial} with /dev/null).
+
+* journalctl/timesyncd: whenever timesyncd acquires a synchronization from NTP,
+ create a structured log entry that contains boot ID, monotonic clock and
+ realtime clock (I mean, this requires no special work, as these three fields
+ are implicit). Then in journalctl when attempting to display the realtime
+ timestamp of a log entry, first search for the closest later log entry
+ of this kinda that has a matching boot id, and convert the monotonic clock
+ timestamp of the entry to the realtime clock using this info. This way we can
+ retroactively correct the wallclock timestamps, in particular for systems
+ without RTC, i.e. where initially wallclock timestamps carry rubbish, until
+ an NTP sync is acquired.
+
+* kernel-install:
+ - add --all switch for rerunning kernel-install for all installed kernels
+ - maybe add env var that shortcuts kernel-install for installers that want to
+ call it at the end only
+
+* doc: prep a document explaining resolved's internal objects, i.e. Query
+ vs. Question vs. Transaction vs. Stream and so on.
+
+* doc: prep a document explaining PID 1's internal logic, i.e. transactions,
+ jobs, units
+
+* bootspec: bring UEFI and userspace enumeration of bootspec entries back into
+ sync, i.e. parse out architecture field in sd-boot (currently only done in
+ userspace)
+
+* automatically ignore threaded cgroups in cg_xyz().
+
+* add linker script that implicitly adds symbol for build ID and new coredump
+ json package metadata, and use that when logging
+
+* systemd-dissect: show GPT disk UUID in output
+
+* Enable RestrictFileSystems= for all our long-running services (similar:
+ RestrictNetworkInterfaces=)
+
+* Add systemd-analyze security checks for RestrictFileSystems= and
+ RestrictNetworkInterfaces=
+
+* cryptsetup/homed: implement TOTP authentication backed by TPM2 and its
+ internal clock.
+
+* nspawn: optionally set up nftables/iptables routes that forward UDP/TCP
+ traffic on port 53 to resolved stub 127.0.0.54
+
+* man: rework os-release(5), and clearly separate our extension-release.d/ and
+ initrd-release parts, i.e. list explicitly which fields are about what.
+
+* sysext: before applying a sysext, do a superficial validation run so that
+ things are not rearranged to wildy. I.e. protect against accidental fuckups,
+ such as masking out /usr/lib/ or so. We should probably refuse if existing
+ inodes are replaced by other types of inodes or so.
+
+* userdb: when synthesizing NSS records, pick "best" password from defined
+ passwords, not just the first. i.e. if there are multiple defined, prefer
+ unlocked over locked and prefer non-empty over empty.
+
+* maybe add a tool inspired by the GPT auto discovery spec that runs in the
+ initrd and rearranges the rootfs hierarchy via bind mounts, if
+ enabled. Specifically in some top-level dir /@auto/ it will look for
+ dirs/symlinks/subvolumes that are named after their purpose, and optionally
+ encode a version as well as assessment counters, and then mount them into the
+ file system tree to boot into, similar to how we do that for the gpt auto
+ logic. Maybe then bind mount the original root into /.superior or something
+ like that (so that update tools can look there). Further discussion in this
+ thread:
+ https://lists.freedesktop.org/archives/systemd-devel/2021-November/047059.html
+ The GPT dissection logic should automatically enable this tool whenever we
+ detect a specially marked root fs (i.e introduce a new generic root gpt type
+ for this, that is arch independent). The also implement this in the image
+ dissection logic, so that nspawn/RootImage= and so on grok it. Maybe make
+ generic enough so that it can also work for ostrees arrangements.
+
+* if a path ending in ".auto.d/" is set for RootDirectory=/RootImage= then do a
+ strverscmp() of everything inside that dir and use that. i.e. implement very
+ simple version control. Also use this in systemd-nspawn --image= and so on.
+
+* homed: while a home dir is not activated generate slightly different NSS
+ records for it, that reports the home dir as "/" and the shell as some binary
+ provided by us. Then, when an SSH login happens and SSH permits it our binary
+ is invoked. This binary can then talk to homed and activate the homedir if
+ it's not around yet, prompting the user for a password. Once that succeeded
+ we'll switch to the real user record, i.e. home dir and shell, and our tool
+ exec()s the latter. Net effect: ssh'ing into a homed account will just work:
+ we'll neatly prompt for the homedir's password if its needed. –– Building on
+ this we could take this even further: since this tool will potentially have
+ access to the client's ssh-agent (if ssh-agent forwarding is enabled) we
+ could implement SSH unlocking of a homedir with that: when enrolling a new
+ ssh pubkey in a user record we'd ask the ssh-agent to sign some random value
+ with the privkey, then use that as luks key to unlock the home dir. Will not
+ work for ECDSA keys since their signatures contain a random component, but
+ will work for RSA and Ed25519 keys.
+
+* add tiny service that decrypts encrypted user records passed via initrd
+ credential logic and drops them into /run where nss-systemd can pick them up,
+ similar to /run/host/userdb/. Usecase: drop a root user JSON record there,
+ and use it in the initrd to log in as root with locally selected password,
+ for debugging purposes. Other usecase: boot into qemu with regular user
+ mounted from host. maybe put this in systemd-user-sessions.service?
+
+* drop dependency on libcap, replace by direct syscalls based on
+ CapabilityQuintet we already have. (This likely allows us drop drop libcap
+ dep in the base OS image)
+
+* sysext: automatically activate sysext images dropped in via new sd-stub
+ sysext pickup logic. (must insist on verity + signature on those though)
+
+* add concept for "exitrd" as inverse of "initrd", that we can transition to at
+ shutdown, and has similar security semantics. This should then take the place
+ of dracut's shutdown logic. Should probably support sysexts too. Care needs
+ to be taken that the resulting logic ends up in RAM, i.e. is copied out of
+ on-disk storage.
+
+* userdbd: implement an additional varlink service socket that provides the
+ host user db in restricted form, then allow this to be bind mounted into
+ sandboxed environments that want the host database in minimal form. All
+ records would be stripped of all meta info, except the basic UID/name
+ info. Then use this in portabled environments that do not use PrivateUsers=1.
+
+* logind introduce two types of sessions: "heavy" and "light". The former would
+ be our current sessions. But the latter would be a new type of session that
+ is mostly the same but does not pull in user@.service or wait for it. Then,
+ allow configuration which type of session is desired via pam_systemd
+ parameters, and then make user@.service's session one of these "light" ones.
+ People could then choose to make FTP sessions and suchlike "light" if they
+ don't want the service manager to be started for that.
+
+* /etc/veritytab: allow that the roothash column can be specified as fs path
+ including a path to an AF_UNIX path, similar to how we do things with the
+ keys of /etc/crypttab. That way people can store/provide the roothash
+ externally and provide to us on demand only.
+
+* add high-level lockdown level for GPT dissection logic: e.g. an enum that can
+ be ANY (to mount anything), TRUSTED (to require that /usr is on signed
+ verity, but rest doesn't matter), LOCKEDDOWN (to require that everything is
+ on signed verity, except for ESP), SUPERLOCKDOWN (like LOCKEDDOWN but ESP not
+ allowed). And then maybe some flavours of that that declare what is expected
+ from home/srv/var… Then, add a new cmdline flag to all tools that parse such
+ images, to configure this. Also, add a kernel cmdline option for this, to be
+ honoured by the gpt auto generator.
+
+ Alternative idea: add "systemd.gpt_auto_policy=rhvs" to allow gpt-auto to
+ only mount root dir, /home/ dir, /var/ and /srv/, but nothing else. And then
+ minor extension to this, insisting on encryption, for example
+ "systemd.gpt_auto_policy=r+v+h" to require encryption for root and var but not
+ for /home/, and similar. Similar add --image-dissect-policy= to tools that
+ take --image= that take the same short string.
+
+* nspawn: maybe optionally insert .nspawn file as GPT partition into images, so
+ that such container images are entirely stand-alone and can be updated as
+ one.
+
+* we probably should extend the root verity hash of the root fs into some PCR
+ on boot. (i.e. maybe add a veritytab option tpm2-measure=12 or so to measure
+ it into PCR 12); Similar: we probably should extend the LUKS volume key of
+ the root fs into some PCR on boot. (i.e. maybe add a crypttab option
+ tpm2-measure=15 or so to measure it into PCR 15); once both are in place
+ update gpt-auto-discovery to generate these by default for the partitions it
+ discovers. Static vendor stuff should probably end up in PCR 12 (i.e. the
+ verity hash), with local keys in PCR 15 (i.e. the encryption volume
+ key). That way, we nicely distinguish resources supplied by the OS vendor
+ (i.e. sysext, root verity) from those inherently local (i.e. encryption key),
+ which is useful if they shall be signed separately.
+
+* add a "policy" to the dissection logic. i.e. a bit mask what is OK to mount,
+ what must be read-only, what requires encryption, and what requires
+ authentication.
+
+* in uefi stub: query firmware regarding which PCR banks are being used, store
+ that in EFI var. then use this when enrolling TPM2 in cryptsetup to verify
+ that the selected PCRs actually are used by firmware.
+
+* rework recursive read-only remount to use new mount API
+
+* PAM: pick up authentication token from credentials
+
+* when mounting disk images: if IMAGE_ID/IMAGE_VERSION is set in os-release
+ data in the image, make sure the image filename actually matches this, so
+ that images cannot be misused.
+
+* New udev block device symlink names:
+ /dev/disk/by-parttypelabel/<pttype>-<ptlabel>. Use case: if pt label is used
+ as partition image version string, this is a safe way to reference a specific
+ version of a specific partition type, in particular where related partitions
+ are processed (e.g. verity + rootfs both named "LennartOS_0.7").
+
+* sysupdate:
+ - add fuzzing to the pattern parser
+ - support casync as download mechanism
+ - "systemd-sysupdate update --all" support, that iterates through all components
+ defined on the host, plus all images installed into /var/lib/machines/,
+ /var/lib/portable/ and so on.
+ - figure out what to do about system extensions (i.e. they need to imply an
+ update component, since otherwise system extenion' sysupdate.d/ files would
+ override the host's update files.)
+ - Allow invocation with a single transfer definition, i.e. with
+ --definitions= pointing to a file rather than a dir.
+ - add ability to disable implicit decompression of downloaded artifacts,
+ i.e. a Compress=no option in the transfer definitions
+
+* in sd-id128: also parse UUIDs in RFC4122 URN syntax (i.e. chop off urn:uuid: prefix)
+
+* DynamicUser= + StateDirectory= → use uid mapping mounts, too, in order to
+ make dirs appear under right UID.
+
+* systemd-sysext: optionally, run it in initrd already, before transitioning
+ into host, to open up possibility for services shipped like that.
+
+* maybe add a tool that displays most recent journal logs as QR code to scan
+ off screen and run it automatically on boot failures, emergency logs and
+ such. Use DRM APIs directly, see
+ https://github.com/dvdhrm/docs/blob/master/drm-howto/modeset.c for an example
+ for doing that.
+
+* introduce /dev/disk/root/* symlinks that allow referencing partitions on the
+ disk the rootfs is on in a reasonably secure way. (or maybe: add
+ /dev/gpt-auto-{home,srv,boot,…} similar in style to /dev/gpt-auto-root as we
+ already have it.
+
+* whenever we receive fds via SCM_RIGHTS make sure none got dropped due to the
+ reception limit the kernel silently enforces.
+
+* add an Open= setting to service unit files that can open arbitrary file
+ system paths at service startup time and pass them to the service process via
+ our usual socket activation protocol. If passed path refers to AF_UNIX
+ socket: connect() to it.
+
+* Similar, ConnectStream= which takes IP addresses and connects to them.
+
+* Similar, Load= which takes literal data in text or base64 format, and puts it
+ into a memfd, and passes that. This enables some fun stuff, such as embedding
+ bash scripts in unit files, by combining Load= with ExecStart=/bin/bash
+ /proc/self/fd/3
+
+* add a ConnectSocket= setting to service unit files, that may reference a
+ socket unit, and which will connect to the socket defined therein, and pass
+ the resulting fd to the service program via socket activation proto.
+
+* Add a concept of ListenStream=anonymous to socket units: listen on a socket
+ that is deleted in the fs. Usecase would be with ConnectSocket= above.
+
+* importd: support image signature verification with PKCS#7 + OpenBSD signify
+ logic, as alternative to crummy gpg
+
+* add "systemd-analyze debug" + AttachDebugger= in unit files: The former
+ specifies a command to execute; the latter specifies that an already running
+ "systemd-analyze debug" instance shall be contacted and execution paused
+ until it gives an OK. That way, tools like gdb or strace can be safely be
+ invoked on processes forked off PID 1.
+
+* expose MS_NOSYMFOLLOW in various places
+
+* credentials system:
+ - acquire from EFI variable?
+ - acquire via via ask-password?
+ - acquire creds via keyring?
+ - pass creds via keyring?
+ - pass creds via memfd?
+ - acquire + decrypt creds from pkcs11?
+ - make systemd-cryptsetup acquire pw via creds logic
+ - make PAMName= acquire pw via creds logic
+ - make macsec/wireguard code in networkd read key via creds logic
+ - make gatwayd/remote read key via creds logic
+ - add sd_notify() command for flushing out creds not needed anymore
+ - make user manager instances create and use a user-specific key (the one in
+ /var/lib is root-only) and add --user switch to systemd-creds to use it
+
+* add tpm.target or so which is delayed until TPM2 device showed up in case
+ firmware indicates there is one.
+
+* TPM2: auto-reenroll in cryptsetup, as fallback for hosed firmware upgrades
+ and such
+
+* introduce a new group to own TPM devices
+
+* cyptsetup: add option for automatically removing empty password slot on boot
+
+* cryptsetup: optionally, when run during boot-up and password is never
+ entered, and we are on battery power (or so), power off machine again
+
+* cryptsetup: when waiting for FIDO2/PKCS#11 token, tell plymouth that, and
+ allow plymouth to abort the waiting and enter pw instead
+
+* make cryptsetup lower --iter-time
+
+* cryptsetup: allow encoding key directly in /etc/crypttab, maybe with a
+ "base64:" prefix. Useful in particular for pkcs11 mode.
+
+* cryptsetup: reimplement the mkswap/mke2fs in cryptsetup-generator to use
+ systemd-makefs.service instead.
+
+* cryptsetup:
+ - cryptsetup-generator: allow specification of passwords in crypttab itself
+ - support rd.luks.allow-discards= kernel cmdline params in cryptsetup generator
+
+* when configuring loopback netif, and it fails due to EPERM, eat up error if
+ it happens to be set up alright already.
+
+* at boot: check if battery above some threshold, if not power off again after explanation
+
+* userdb: add field for ambient caps, so that a user can have CAP_WAKE_ALARM
+ for example. And add code that resets ambient caps for all services by
+ default.
+
+* sd-bus: when connecting to some dbus server socker, set originating AF_UNIX
+ socket name in abstract namespace to include "description" string, and pick
+ it up from there in sd_bus_creds logic. i.e. we can use the socket peer
+ address as conduit for some minimal connection metainfo, and use it to
+ restore the "description" logic that kdbus used to have.
+
+* systemd-analyze netif that explains predictable interface (or networkctl)
+
+* Add service setting to run a service within the specified VRF. i.e. do the
+ equivalent of "ip vrf exec".
+
+* change SwitchRoot() implementation in PID 1 to use pivot_root(".", "."), as
+ documented in the pivot_root(2) man page, so that we can drop the /oldroot
+ temporary dir.
+
+* special case some calls of chase_symlinks() to use openat2() internally, so
+ that the kernel does what we otherwise do.
+
+* add a new flag to chase_symlinks() that stops chasing once the first missing
+ component is found and then allows the caller to create the rest.
+
+* make use of new glibc 2.32 APIs sigabbrev_np() and strerrorname_np().
+
+* if /usr/bin/swapoff fails due to OOM, log a friendly explanatory message about it
+
+* pid1: Move to tracking of main pid/control pid of units per pidfd
+
+* pid1: support new clone3() fork-into-cgroup feature
+
+* pid1: also remove PID files of a service when the service starts, not just
+ when it exits
+
+* make us use dynamically fewer deps for containers in general purpose distros:
+ o turn into dlopen() deps:
+ - p11-kit-trust (always)
+ - kmod-libs (only when called from PID 1)
+ - libblkid (only in RootImage= handling in PID 1, but not elsewhere)
+ - libpam (only when called from PID 1)
+ - bzip2, xz, lz4 (always — gzip and zstd should probably stay static deps the way they are,
+ since they are so basic and our defaults)
+ o move into separate libsystemd-shared-iptables.so .so
+ - iptables-libs (only used by nspawn + networkd)
+
+* seccomp: maybe use seccomp_merge() to merge our filters per-arch if we can.
+ Apparently kernel performance is much better with fewer larger seccomp
+ filters than with more smaller seccomp filters.
+
+* systemd-path: add ESP and XBOOTLDR path. Add "private" runtime/state/cache dir enum,
+ mapping to $RUNTIME_DIRECTORY, $STATE_DIRECTORY and such
+
+* All tools that support --root= should also learn --image= so that they can
+ operate on disk images directly. Specifically: systemctl, coredumpctl.
+ (Already done: bootctl, systemd-nspawn, systemd-firstboot,
+ systemd-repart, systemd-tmpfiles, systemd-sysusers, journalctl)
+
+* seccomp: by default mask x32 ABI system wide on x86-64. it's on its way out
+
+* seccomp: don't install filters for ABIs that are masked anyway for the
+ specific service
+
+* busctl: maybe expose a verb "ping" for pinging a dbus service to see if it
+ exists and responds.
+
+* Maybe add a separate GPT partition type to the discoverable partition spec
+ for "hibernate" partitions, that are exactly like swap partitions but only
+ activated right before hibernation and thus never used for regular swapping.
+
+* socket units: allow creating a udev monitor socket with ListenDevices= or so,
+ with matches, then activate app through that passing socket over
+
+* unify on openssl:
+ - kill gnutls support in resolved
+ - figure out what to do about libmicrohttpd, which has a hard dependency on
+ gnutls
+ - port fsprg over to a dlopen lib, then switch it to openssl
+
+* add growvol and makevol options for /etc/crypttab, similar to
+ x-systemd.growfs and x-systemd-makefs.
+
+* userdb: allow username prefix searches in varlink API, allow realname and
+ realname substr searches in varlink API
+
+* userdb: allow uid/gid range checks
+
+* userdb: allow existence checks
+
+* pid1: activation by journal search expression
+
+* when switching root from initrd to host, set the machine_id env var so that
+ if the host has no machine ID set yet we continue to use the random one the
+ initrd had set.
+
+* sd-event: add native support for P_ALL waitid() watching, then move PID 1 to
+ it for reaping assigned but unknown children. This needs to some special care
+ to operate somewhat sensibly in light of priorities: P_ALL will return
+ arbitrary processes, regardless of the priority we want to watch them with,
+ hence on each event loop iteration check all processes which we shall watch
+ with higher prio explicitly, and then watch the entire rest with P_ALL.
+
+* tweak sd-event's child watching: keep a prioq of children to watch and use
+ waitid() only on the children with the highest priority until one is waitable
+ and ignore all lower-prio ones from that point on
+
+* maybe introduce xattrs that can be set on the root dir of the root fs
+ partition that declare the volatility mode to use the image in. Previously I
+ thought marking this via GPT partition flags but that's not ideal since
+ that's outside of the LUKS encryption/verity verification, and we probably
+ shouldn't operate in a volatile mode unless we got told so from a trusted
+ source.
+
+* coredump: maybe when coredumping read a new xattr from /proc/$PID/exe that
+ may be used to mark a whole binary as non-coredumpable. Would fix:
+ https://bugs.freedesktop.org/show_bug.cgi?id=69447
+
+* teach parse_timestamp() timezones like the calendar spec already knows it
+
+* beef up hibernation to optionally do swapon/swapoff immediately before/after
+ the hibernation
+
+* beef up s2h to implement a battery watch loop: instead of entering
+ hibernation unconditionally after coming back from resume make a decision
+ based on the battery load level: if battery level is above a specific
+ threshold, go to suspend again, only hibernate if below it. This means we'd
+ stick to suspend usually, but fall back to hibernation only when battery runs
+ empty (well, subject to our sampling interval). Related to this, check if we
+ can make ACPI _BTP (i.e. /sys/class/power_supply/*/alarm) work for us too,
+ i.e. see if it can wake up machines from suspend, so that we could resume
+ automatically when the system is low on power and move automatically to
+ hibernation mode. (see
+ https://uefi.org/sites/default/files/resources/ACPI%206_2_A_Sept29.pdf
+ section 10.2.2.8 and
+ https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/modern-standby-wake-sources
+ at the end).
+
+* We should probably replace /etc/rc.d/README with a symlink to doc
+ content. After all it is constant vendor data.
+
+* maybe add kernel cmdline params: to force random seed crediting
+
+* introduce a new per-process uuid, similar to the boot id, the machine id, the
+ invocation id, that is derived from process creds, specifically a hashed
+ combination of AT_RANDOM + getpid() + the starttime from
+ /proc/self/status. Then add these ids implicitly when logging. Deriving this
+ uuid from these three things has the benefit that it can be derived easily
+ from /proc/$PID/ in a stable, and unique way that changes on both fork() and
+ exec().
+
+* let's not GC a unit while its ratelimits are still pending
+
+* when killing due to service watchdog timeout maybe detect whether target
+ process is under ptracing and then log loudly and continue instead.
+
+* make rfkill uaccess controllable by default, i.e. steal rule from
+ gnome-bluetooth and friends
+
+* make MAINPID= message reception checks even stricter: if service uses User=,
+ then check sending UID and ignore message if it doesn't match the user or
+ root.
+
+* maybe trigger a uevent "change" on a device if "systemctl reload xyz.device"
+ is issued.
+
+* when importing an fs tree with machined, optionally apply userns-rec-chown
+
+* when importing an fs tree with machined, complain if image is not an OS
+
+* Maybe introduce a helper safe_exec() or so, which is to execve() which
+ safe_fork() is to fork(). And then make revert the RLIMIT_NOFILE soft limit
+ to 1K implicitly, unless explicitly opted-out.
+
+* rework seccomp/nnp logic that even if User= is used in combination with
+ a seccomp option we don't have to set NNP. For that, change uid first whil
+ keeping CAP_SYS_ADMIN, then apply seccomp, the drop cap.
+
+* when no locale is configured, default to UEFI's PlatformLang variable
+
+* add a new syscall group "@esoteric" for more esoteric stuff such as bpf() and
+ usefaultd() and make systemd-analyze check for it.
+
+* paranoia: whenever we process passwords, call mlock() on the memory
+ first. i.e. look for all places we use free_and_erasep() and
+ augment them with mlock(). Also use MADV_DONTDUMP.
+ Alternatively (preferably?) use memfd_secret().
+
+* Move RestrictAddressFamily= to the new cgroup create socket
+
+* maybe implicitly attach monotonic+realtime timestamps to outgoing messages in
+ log.c and sd-journal-send
+
+* optionally: turn on cgroup delegation for per-session scope units
+
+* introduce per-unit (i.e. per-slice, per-service) journal log size limits.
+
+* sd-boot: optionally, show boot menu when previous default boot item has
+ non-zero "tries done" count
+
+* augment CODE_FILE=, CODE_LINE= with something like CODE_BASE= or so which
+ contains some identifier for the project, which allows us to include
+ clickable links to source files generating these log messages. The identifier
+ could be some abberviated URL prefix or so (taking inspiration from Go
+ imports). For example, for systemd we could use
+ CODE_BASE=github.com/systemd/systemd/blob/98b0b1123cc or so which is
+ sufficient to build a link by prefixing "http://" and suffixing the
+ CODE_FILE.
+
+* Augment MESSAGE_ID with MESSAGE_BASE, in a similar fashion so that we can
+ make clickable links from log messages carrying a MESSAGE_ID, that lead to
+ some explanatory text online.
+
+* maybe extend .path units to expose fanotify() per-mount change events
+
+* When reloading configuration PID 1 should reset all its properties to the
+ original defaults before calling parse_config()
+
+* hibernate/s2h: make this robust and safe to enable in Fedora by default.
+ Specifically:
+
+ 1. add resume_offset support to the resume code (i.e. support swap files
+ properly)
+ 2. check if swap is on weird storage and refuse if so
+ 3. add auto-detection of hibernation images
+
+* cgroups: use inotify to get notified when somebody else modifies cgroups
+ owned by us, then log a friendly warning.
+
+* beef up log.c with support for stripping ANSI sequences from strings, so that
+ it is OK to include them in log strings. This would be particularly useful so
+ that our log messages could contain clickable links for example for unit
+ files and suchlike we operate on.
+
+* importd: add ability download images for portabled + sysext
+
+* add support for "portablectl attach http://foobar.com/waaa.raw (i.e. importd integration)
+
+* sync dynamic uids/gids between host+portable srvice (i.e. if DynamicUser=1 is set for a service, make sure that the
+ selected user is resolvable in the service even if it ships its own /etc/passwd)
+
+* Fix DECIMAL_STR_MAX or DECIMAL_STR_WIDTH. One includes a trailing NUL, the
+ other doesn't. What a disaster. Probably to exclude it.
+
+* Check that users of inotify's IN_DELETE_SELF flag are using it properly, as
+ usually IN_ATTRIB is the right way to watch deleted files, as the former only
+ fires when a file is actually removed from disk, i.e. the link count drops to
+ zero and is not open anymore, while the latter happens when a file is
+ unlinked from any dir.
+
+* port systemctl, busctl, … over to format-table.[ch]'s table formatters
+
+* pid1: lock image configured with RootDirectory=/RootImage= using the usual nspawn semantics while the unit is up
+
+* add --vacuum-xyz options to coredumpctl, matching those journalctl already has.
+
+* introduce Ephemeral= unit file switch, that creates an ephemeral copy of all
+ files and directories that are left writable for a unit, and which are
+ removed after the unit goes down again. A bit like --ephemeral for
+ systemd-nspawn but for system services. If used together with RootImage= this
+ should reflink the image file itself.
+
+ Related: add Ephemeral=<path1> <path2> … which would allow marking
+ specific paths only like this.
+
+* add CopyFile= or so as unit file setting that may be used to copy files or
+ directory trees from the host to the services RootImage= and RootDirectory=
+ environment. Which we can use for /etc/machine-id and in particular
+ /etc/resolv.conf. Should be smart and do something useful on read-only
+ images, for example fall back to read-only bind mounting the file instead.
+
+* show invocation ID in systemd-run output
+
+* bypass SIGTERM state in unit files if KillSignal is SIGKILL
+
+* add proper dbus APIs for the various sd_notify() commands, such as MAINPID=1
+ and so on, which would mean we could report errors and such.
+
+* introduce DefaultSlice= or so in system.conf that allows changing where we
+ place our units by default, i.e. change system.slice to something
+ else. Similar, ManagerSlice= should exist so that PID1's own scope unit could
+ be moved somewhere else too. Finally machined and logind should get similar
+ options so that it is possible to move user session scopes and machines to a
+ different slice too by default. Usecase: people who want to put resources on
+ the entire system, with the exception of one specific service. See:
+ https://lists.freedesktop.org/archives/systemd-devel/2018-February/040369.html
+
+* maybe rework get_user_creds() to query the user database if $SHELL is used
+ for root, but only then.
+
+* be stricter with fds we receive for the fdstore: close them asynchronously
+
+* calenderspec: add support for week numbers and day numbers within a
+ year. This would allow us to define "bi-weekly" triggers safely.
+
+* sd-bus: add vtable flag, that may be used to request client creds implicitly
+ and asynchronously before dispatching the operation
+
+* sd-bus: parse addresses given in sd_bus_set_addresses immediately and not
+ only when used. Add unit tests.
+
+* make use of ethtool veth peer info in machined, for automatically finding out
+ host-side interface pointing to the container.
+
+* add some special mode to LogsDirectory=/StateDirectory=… that allows
+ declaring these directories without necessarily pulling in deps for them, or
+ creating them when starting up. That way, we could declare that
+ systemd-journald writes to /var/log/journal, which could be useful when we
+ doing disk usage calculations and so on.
+
+* deprecate RootDirectoryStartOnly= in favour of a new ExecStart= prefix char
+
+* add a new RuntimeDirectoryPreserve= mode that defines a similar lifecycle for
+ the runtime dir as we maintain for the fdstore: i.e. keep it around as long
+ as the unit is running or has a job queued.
+
+* support projid-based quota in machinectl for containers
+
+* add a way to lock down cgroup migration: a boolean, which when set for a unit
+ makes sure the processes in it can never migrate out of it
+
+* blog about fd store and restartable services
+
+* document Environment=SYSTEMD_LOG_LEVEL=debug drop-in in debugging document
+
+* rework ExecOutput and ExecInput enums so that EXEC_OUTPUT_NULL loses its
+ magic meaning and is no longer upgraded to something else if set explicitly.
+
+* in the long run: permit a system with /etc/machine-id linked to /dev/null, to
+ make it lose its identity, i.e. be anonymous. For this we'd have to patch
+ through the whole tree to make all code deal with the case where no machine
+ ID is available.
+
+* optionally, collect cgroup resource data, and store it in per-unit RRD files,
+ suitable for processing with rrdtool. Add bus API to access this data, and
+ possibly implement a CPULoad property based on it.
+
+* beef up pam_systemd to take unit file settings such as cgroups properties as
+ parameters
+
+* maybe hook up xfs/ext4 quotactl() with services? i.e. automatically manage
+ the quota of the user indicated in User= via unit file settings, like the
+ other resource management concepts. Would mix nicely with DynamicUser=1. Or
+ alternatively, do this with projids, so that we can also cover services
+ running as root. Quota should probably cover all the special dirs such as
+ StateDirectory=, LogsDirectory=, CacheDirectory=, as well as RootDirectory= if it
+ is set, plus the whole disk space any image configured with RootImage=.
+
+* In DynamicUser= mode: before selecting a UID, use disk quota APIs on relevant
+ disks to see if the UID is already in use.
+
+* expose IO accounting data on the bus, show it in systemd-run --wait and log
+ about it in the resource log message
+
+* Add AddUser= setting to unit files, similar to DynamicUser=1 which however
+ creates a static, persistent user rather than a dynamic, transient user. We
+ can leverage code from sysusers.d for this.
+
+* add some optional flag to ReadWritePaths= and friends, that has the effect
+ that we create the dir in question when the service is started. Example:
+
+ ReadWritePaths=:/var/lib/foobar
+
+* Add ExecMonitor= setting. May be used multiple times. Forks off a process in
+ the service cgroup, which is supposed to monitor the service, and when it
+ exits the service is considered failed by its monitor.
+
+* track the per-service PAM process properly (i.e. as an additional control
+ process), so that it may be queried on the bus and everything.
+
+* add a new "debug" job mode, that is propagated to unit_start() and for
+ services results in two things: we raise SIGSTOP right before invoking
+ execve() and turn off watchdog support. Then, use that to implement
+ "systemd-gdb" for attaching to the start-up of any system service in its
+ natural habitat.
+
+* gpt-auto logic: support encrypted swap, add kernel cmdline option to force
+ it, and honour a gpt bit about it, plus maybe a configuration file
+
+* add a percentage syntax for TimeoutStopSec=, e.g. TimeoutStopSec=150%, and
+ then use that for the setting used in user@.service. It should be understood
+ relative to the configured default value.
+
+* enable LockMLOCK to take a percentage value relative to physical memory
+
+* Permit masking specific netlink APIs with RestrictAddressFamily=
+
+* define gpt header bits to select volatility mode
+
+* ProtectClock= (drops CAP_SYS_TIMES, adds seecomp filters for settimeofday, adjtimex), sets DeviceAllow o /dev/rtc
+
+* ProtectTracing= (drops CAP_SYS_PTRACE, blocks ptrace syscall, makes /sys/kernel/tracing go away)
+
+* ProtectMount= (drop mount/umount/pivot_root from seccomp, disallow fuse via DeviceAllow, imply Mountflags=slave)
+
+* ProtectKeyRing= to take keyring calls away
+
+* RemoveKeyRing= to remove all keyring entries of the specified user
+
+* ProtectReboot= that masks reboot() and kexec_load() syscalls, prohibits kill
+ on PID 1 with the relevant signals, and makes relevant files in /sys and
+ /proc (such as the sysrq stuff) unavailable
+
+* Support ReadWritePaths/ReadOnlyPaths/InaccessiblePaths in systemd --user instances
+ via the new unprivileged Landlock LSM (https://landlock.io)
+
+* make sure the ratelimit object can deal with USEC_INFINITY as way to turn off things
+
+* in nss-systemd, if we run inside of RootDirectory= with PrivateUsers= set,
+ find a way to map the User=/Group= of the service to the right name. This way
+ a user/group for a service only has to exist on the host for the right
+ mapping to work.
+
+* add bus API for creating unit files in /etc, reusing the code for transient units
+
+* add bus API to remove unit files from /etc
+
+* add bus API to retrieve current unit file contents (i.e. implement "systemctl cat" on the bus only)
+
+* rework fopen_temporary() to make use of open_tmpfile_linkable() (problem: the
+ kernel doesn't support linkat() that replaces existing files, currently)
+
+* transient units: don't bother with actually setting unit properties, we
+ reload the unit file anyway
+
+* optionally, also require WATCHDOG=1 notifications during service start-up and shutdown
+
+* cache sd_event_now() result from before the first iteration...
+
+* PID1: find a way how we can reload unit file configuration for
+ specific units only, without reloading the whole of systemd
+
+* add an explicit parser for LimitRTPRIO= that verifies
+ the specified range and generates sane error messages for incorrect
+ specifications.
+
+* when we detect that there are waiting jobs but no running jobs, do something
+
+* PID 1 should send out sd_notify("WATCHDOG=1") messages (for usage in the --user mode, and when run via nspawn)
+
+* there's probably something wrong with having user mounts below /sys,
+ as we have for debugfs. for example, src/core/mount.c handles mounts
+ prefixed with /sys generally special.
+ https://lists.freedesktop.org/archives/systemd-devel/2015-June/032962.html
+
+* fstab-generator: default to tmpfs-as-root if only usr= is specified on the kernel cmdline
+
+* docs: bring https://www.freedesktop.org/wiki/Software/systemd/MyServiceCantGetRealtime up to date
+
+* add a job mode that will fail if a transaction would mean stopping
+ running units. Use this in timedated to manage the NTP service
+ state.
+ https://lists.freedesktop.org/archives/systemd-devel/2015-April/030229.html
+
+* The udev blkid built-in should expose a property that reflects
+ whether media was sensed in USB CF/SD card readers. This should then
+ be used to control SYSTEMD_READY=1/0 so that USB card readers aren't
+ picked up by systemd unless they contain a medium. This would mirror
+ the behaviour we already have for CD drives.
+
+* hostnamectl: show root image uuid
+
+* Find a solution for SMACK capabilities stuff:
+ https://lists.freedesktop.org/archives/systemd-devel/2014-December/026188.html
+
+* synchronize console access with BSD locks:
+ https://lists.freedesktop.org/archives/systemd-devel/2014-October/024582.html
+
+* as soon as we have sender timestamps, revisit coalescing multiple parallel daemon reloads:
+ https://lists.freedesktop.org/archives/systemd-devel/2014-December/025862.html
+
+* figure out when we can use the coarse timers
+
+* maybe allow timer units with an empty Units= setting, so that they
+ can be used for resuming the system but nothing else.
+
+* what to do about udev db binary stability for apps? (raw access is not an option)
+
+* exponential backoff in timesyncd when we cannot reach a server
+
+* timesyncd: add ugly bus calls to set NTP servers per-interface, for usage by NM
+
+* merge ~/.local/share and ~/.local/lib into one similar /usr/lib and /usr/share....
+
+* add systemd.abort_on_kill or some other such flag to send SIGABRT instead of SIGKILL
+ (throughout the codebase, not only PID1)
+
+* drop nss-myhostname in favour of nss-resolve?
+
+* resolved:
+ - mDNS/DNS-SD
+ - service registration
+ - service/domain/types browsing
+ - avahi compat
+ - DNS-SD service registration from socket units
+ - resolved should optionally register additional per-interface LLMNR
+ names, so that for the container case we can establish the same name
+ (maybe "host") for referencing the server, everywhere.
+ - allow clients to request DNSSEC for a single lookup even if DNSSEC is off (?)
+ - hook up resolved with machined-based address resolution
+
+* refcounting in sd-resolve is borked
+
+* add new gpt type for btrfs volumes
+
+* generator that automatically discovers btrfs subvolumes, identifies their purpose based on some xattr on them.
+
+* a way for container managers to turn off getty starting via $container_headless= or so...
+
+* figure out a nice way how we can let the admin know what child/sibling unit causes cgroup membership for a specific unit
+
+* For timer units: add some mechanisms so that timer units that trigger immediately on boot do not have the services
+ they run added to the initial transaction and thus confuse Type=idle.
+
+* add bus api to query unit file's X fields.
+
+* gpt-auto-generator:
+ - Define new partition type for encrypted swap? Support probed LUKS for encrypted swap?
+ - Make /home automount rather than mount?
+
+* add generator that pulls in systemd-network from containers when
+ CAP_NET_ADMIN is set, more than the loopback device is defined, even
+ when it is otherwise off
+
+* MessageQueueMessageSize= (and suchlike) should use parse_iec_size().
+
+* implement Distribute= in socket units to allow running multiple
+ service instances processing the listening socket, and open this up
+ for ReusePort=
+
+* cgroups:
+ - implement per-slice CPUFairScheduling=1 switch
+ - introduce high-level settings for RT budget, swappiness
+ - how to reset dynamically changed unit cgroup attributes sanely?
+ - when reloading configuration, apply new cgroup configuration
+ - when recursively showing the cgroup hierarchy, optionally also show
+ the hierarchies of child processes
+- add settings for cgroup.max.descendants and cgroup.max.depth,
+ maybe use them for user@.service
+
+* transient units:
+ - add field to transient units that indicate whether systemd or somebody else saves/restores its settings, for integration with libvirt
+
+* when we detect low battery and no AC on boot, show pretty splash and refuse boot
+
+* libsystemd-journal, libsystemd-login, libudev: add calls to easily attach these objects to sd-event event loops
+
+* be more careful what we export on the bus as (usec_t) 0 and (usec_t) -1
+
+* rfkill,backlight: we probably should run the load tools inside of the udev rules so that the state is properly initialized by the time other software sees it
+
+* After coming back from hibernation reset hibernation swap partition using the /dev/snapshot ioctl APIs
+
+* If we try to find a unit via a dangling symlink, generate a clean
+ error. Currently, we just ignore it and read the unit from the search
+ path anyway.
+
+* refuse boot if /usr/lib/os-release is missing or /etc/machine-id cannot be set up
+
+* man: the documentation of Restart= currently is very misleading and suggests the tools from ExecStartPre= might get restarted.
+
+* load .d/*.conf dropins for device units
+
+* There's currently no way to cancel fsck (used to be possible via C-c or c on the console)
+
+* add option to sockets to avoid activation. Instead just drop packets/connections, see http://cyberelk.net/tim/2012/02/15/portreserve-systemd-solution/
+
+* make sure systemd-ask-password-wall does not shutdown systemd-ask-password-console too early
+
+* verify that the AF_UNIX sockets of a service in the fs still exist
+ when we start a service in order to avoid confusion when a user
+ assumes starting a service is enough to make it accessible
+
+* Make it possible to set the keymap independently from the font on
+ the kernel cmdline. Right now setting one resets also the other.
+
+* and a dbus call to generate target from current state
+
+* investigate whether the gnome pty helper should be moved into systemd, to provide cgroup support.
+
+* dot output for --test showing the 'initial transaction'
+
+* be able to specify a forced restart of service A where service B depends on, in case B
+ needs to be auto-respawned?
+
+* pid1:
+ - When logging about multiple units (stopping BoundTo units, conflicts, etc.),
+ log both units as UNIT=, so that journalctl -u triggers on both.
+ - generate better errors when people try to set transient properties
+ that are not supported...
+ https://lists.freedesktop.org/archives/systemd-devel/2015-February/028076.html
+ - maybe introduce WantsMountsFor=? Usecase:
+ https://lists.freedesktop.org/archives/systemd-devel/2015-January/027729.html
+ - recreate systemd's D-Bus private socket file on SIGUSR2
+ - move PAM code into its own binary
+ - when we automatically restart a service, ensure we restart its rdeps, too.
+ - hide PAM options in fragment parser when compile time disabled
+ - Support --test based on current system state
+ - If we show an error about a unit (such as not showing up) and it has no Description string, then show a description string generated form the reverse of unit_name_mangle().
+ - after deserializing sockets in socket.c we should reapply sockopts and things
+ - drop PID 1 reloading, only do reexecing (difficult: Reload()
+ currently is properly synchronous, Reexec() is weird, because we
+ cannot delay the response properly until we are back, so instead of
+ being properly synchronous we just keep open the fd and close it
+ when done. That means clients do not get a successful method reply,
+ but much rather a disconnect on success.
+ - when breaking cycles drop sysv services first, then services from /run, then from /etc, then from /usr
+ - when a bus name of a service disappears from the bus make sure to queue further activation requests
+ - maybe introduce CoreScheduling=yes/no to optionally set a PR_SCHED_CORE cookie, so that all
+ processes in a service's cgroup share the same cookie and are guaranteed not to share SMT cores
+ with other units https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/admin-guide/hw-vuln/core-scheduling.rst
+
+* unit files:
+ - allow port=0 in .socket units
+ - maybe introduce ExecRestartPre=
+ - add ReloadSignal= for configuring a reload signal to use
+ - implement Register= switch in .socket units to enable registration
+ in Avahi, RPC and other socket registration services.
+ - allow Type=simple with PIDFile=
+ https://bugzilla.redhat.com/show_bug.cgi?id=723942
+ - allow writing multiple conditions in unit files on one line
+ - introduce Type=pid-file
+ - add a concept of RemainAfterExit= to scope units
+ - Allow multiple ExecStart= for all Type= settings, so that we can cover rescue.service nicely
+ - add verification of [Install] section to systemd-analyze verify
+
+* timer units:
+ - timer units should get the ability to trigger when DST changes
+ - Modulate timer frequency based on battery state
+
+* add libsystemd-password or so to query passwords during boot using the password agent logic
+
+* clean up date formatting and parsing so that all absolute/relative timestamps we format can also be parsed
+
+* on shutdown: move utmp, wall, audit logic all into PID 1 (or logind?), get rid of systemd-update-utmp-runlevel
+
+* make repeated alt-ctrl-del presses printing a dump
+
+* currently x-systemd.timeout is lost in the initrd, since crypttab is copied into dracut, but fstab is not
+
+* add a pam module that passes the hdd passphrase into the PAM stack and then expires it, for usage by gdm auto-login.
+
+* add a pam module that on password changes updates any LUKS slot where the password matches
+
+* test/:
+ - add unit tests for config_parse_device_allow()
+
+* seems that when we follow symlinks to units we prefer the symlink
+ destination path over /etc and /usr. We should not do that. Instead
+ /etc should always override /run+/usr and also any symlink
+ destination.
+
+* when isolating, try to figure out a way how we implicitly can order
+ all units we stop before the isolating unit...
+
+* teach ConditionKernelCommandLine= globs or regexes (in order to match foobar={no,0,off})
+
+* Add ConditionDirectoryNotEmpty= handle non-absoute paths as a search path or add
+ ConditionConfigSearchPathNotEmpty= or different syntax? See the discussion starting at
+ https://github.com/systemd/systemd/pull/15109#issuecomment-607740136.
+
+* BootLoaderSpec: Define a way how an installer can figure out whether a BLS
+ compliant boot loader is installed.
+
+* think about requeuing jobs when daemon-reload is issued? usecase:
+ the initrd issues a reload after fstab from the host is accessible
+ and we might want to requeue the mounts local-fs acquired through
+ that automatically.
+
+* systemd-inhibit: make taking delay locks useful: support sending SIGINT or SIGTERM on PrepareForSleep()
+
+* remove any syslog support from log.c — we probably cannot do this before split-off udev is gone for good
+
+* shutdown logging: store to EFI var, and store to USB stick?
+
+* merge unit_kill_common() and unit_kill_context()
+
+* add a dependency on standard-conf.xml and other included files to man pages
+
+* MountFlags=shared acts as MountFlags=slave right now.
+
+* properly handle loop back mounts via fstab, especially regards to fsck/passno
+
+* initialize the hostname from the fs label of /, if /etc/hostname does not exist?
+
+* sd-bus:
+ - EBADSLT handling
+ - GetAllProperties() on a non-existing object does not result in a failure currently
+ - port to sd-resolve for connecting to TCP dbus servers
+ - see if we can introduce a new sd_bus_get_owner_machine_id() call to retrieve the machine ID of the machine of the bus itself
+ - see if we can drop more message validation on the sending side
+ - add API to clone sd_bus_message objects
+ - longer term: priority inheritance
+ - dbus spec updates:
+ - NameLost/NameAcquired obsolete
+ - path escaping
+ - update systemd.special(7) to mention that dbus.socket is only about the compatibility socket now
+
+* sd-event
+ - allow multiple signal handlers per signal?
+ - document chaining of signal handler for SIGCHLD and child handlers
+ - define more intervals where we will shift wakeup intervals around in, 1h, 6h, 24h, ...
+ - maybe support iouring as backend, so that we allow hooking read and write
+ operations instead of IO ready events into event loops. See considerations
+ here:
+ http://blog.vmsplice.net/2020/07/rethinking-event-loop-integration-for.html
+
+* dbus: when a unit failed to load (i.e. is in UNIT_ERROR state), we
+ should be able to safely try another attempt when the bus call LoadUnit() is invoked.
+
+* maybe do not install getty@tty1.service symlink in /etc but in /usr?
+
+* print a nicer explanation if people use variable/specifier expansion in ExecStart= for the first word
+
+* mount: turn dependency information from /proc/self/mountinfo into dependency information between systemd units.
+
+* systemd-firstboot: make sure to always use chase_symlinks() before
+ reading/writing files
+
+* firstboot: make it useful to be run immediately after yum --installroot to set up a machine. (most specifically, make --copy-root-password work even if /etc/passwd already exists
+
+* EFI:
+ - honor language efi variables for default language selection (if there are any?)
+ - honor timezone efi variables for default timezone selection (if there are any?)
+ - change bootctl to be backed by systemd-bootd to control temporary and persistent default boot goal plus efi variables
+* bootctl
+ - recognize the case when not booted on EFI
+
+* bootctl,sd-boot: actually honour the "architecture" key
+
+* bootctl:
+ - show whether UEFI audit mode is available
+ - teach it to prepare an ESP wholesale, i.e. with mkfs.vfat invocation
+ - teach it to copy in unified kernel images and maybe type #1 boot loader spec entries from host
+
+* kernel-install:
+ - optionally, support generating type #2 entries instead of type #1, including signing them
+
+* logind:
+ - logind: optionally, ignore idle-hint logic for autosuspend, block suspend as long as a session is around
+ - logind: wakelock/opportunistic suspend support
+ - Add pretty name for seats in logind
+ - logind: allow showing logout dialog from system?
+ - add Suspend() bus calls which take timestamps to fix double suspend issues when somebody hits suspend and closes laptop quickly.
+ - if pam_systemd is invoked by su from a process that is outside of a
+ any session we should probably just become a NOP, since that's
+ usually not a real user session but just some system code that just
+ needs setuid().
+ - logind: make the Suspend()/Hibernate() bus calls wait for the for
+ the job to be completed. before returning, so that clients can wait
+ for "systemctl suspend" to finish to know when the suspending is
+ complete.
+ - logind: when the power button is pressed short, just popup a
+ logout dialog. If it is pressed for 1s, do the usual
+ shutdown. Inspiration are Macs here.
+ - expose "Locked" property on logind session objects
+ - maybe allow configuration of the StopTimeout for session scopes
+ - rename session scope so that it includes the UID. THat way
+ the session scope can be arranged freely in slices and we don't have
+ make assumptions about their slice anymore.
+ - follow PropertiesChanged state more closely, to deal with quick logouts and
+ relogins
+ - (optionally?) spawn seat-manager@$SEAT.service whenever a seat shows up that as CanGraphical set
+ - expose details of boot entries on the bus. In particular, it should be possible
+ to query the list of boot entry titles that bootctl / sd-boot would show.
+ Currently we only expose their identifiers.
+
+* move multiseat vid/pid matches from logind udev rule to hwdb
+
+* logind: rework pam_logind to also do a bus call in case of invocation from
+ user@.service, which returns the XDG_RUNTIME_DIR value, and make this
+ behaviour selectable via pam module option.
+
+* delay activation of logind until somebody logs in, or when /dev/tty0 pulls it
+ in or lingering is on (so that containers don't bother with it until PAM is used). also exit-on-idle
+
+* journal:
+ - consider introducing implicit _TTY= + _PPID= + _EUID= + _EGID= + _FSUID= + _FSGID= fields
+ - journald: also get thread ID from client, plus thread name
+ - journal: when waiting for journal additions in the client always sleep at least 1s or so, in order to minimize wakeups
+ - add API to close/reopen/get fd for journal client fd in libsystemd-journal.
+ - fall back to /dev/log based logging in libsystemd-journal, if we cannot log natively?
+ - declare the local journal protocol stable in the wiki interface chart
+ - sd-journal: speed up sd_journal_get_data() with transparent hash table in bg
+ - journald: when dropping msgs due to ratelimit make sure to write
+ "dropped %u messages" not only when we are about to print the next
+ message that works, but already after a short timeout
+ - check if we can make journalctl by default use --follow mode inside of less if called without args?
+ - maybe add API to send pairs of iovecs via sd_journal_send
+ - journal: add a setgid "systemd-journal" utility to invoke from libsystemd-journal, which passes fds via STDOUT and does PK access
+ - journactl: support negative filtering, i.e. FOOBAR!="waldo",
+ and !FOOBAR for events without FOOBAR.
+ - journal: store timestamp of journal_file_set_offline() in the header,
+ so it is possible to display when the file was last synced.
+ - journal-send.c, log.c: when the log socket is clogged, and we drop, count this and write a message about this when it gets unclogged again.
+ - journal: find a way to allow dropping history early, based on priority, other rules
+ - journal: When used on NFS, check payload hashes
+ - journald: add kernel cmdline option to disable ratelimiting for debug purposes
+ - refuse taking lower-case variable names in sd_journal_send() and friends.
+ - journald: we currently rotate only after MaxUse+MaxFilesize has been reached.
+ - journal: deal nicely with byte-by-byte copied files, especially regards header
+ - journal: sanely deal with entries which are larger than the individual file size, but where the components would fit
+ - Replace utmp, wtmp, btmp, and lastlog completely with journal
+ - journalctl: instead --after-cursor= maybe have a --cursor=XYZ+1 syntax?
+ - when a kernel driver logs in a tight loop, we should ratelimit that too.
+ - journald: optionally, log debug messages to /run but everything else to /var
+ - journald: when we drop syslog messages because the syslog socket is
+ full, make sure to write how many messages are lost as first thing
+ to syslog when it works again.
+ - journald: allow per-priority and per-service retention times when rotating/vacuuming
+ - journald: make use of uid-range.h to managed uid ranges to split
+ journals in.
+ - journalctl: add the ability to look for the most recent process of a binary. journalctl /usr/bin/X11 --pid=-1 or so...
+ - improve journalctl performance by loading journal files
+ lazily. Encode just enough information in the file name, so that we
+ do not have to open it to know that it is not interesting for us, for
+ the most common operations.
+ - man: document that corrupted journal files is nothing to act on
+ - rework journald sigbus stuff to use mutex
+ - Set RLIMIT_NPROC for systemd-journal-xyz, and all other of our
+ services that run under their own user ids, and use User= (but only
+ in a world where userns is ubiquitous since otherwise we cannot
+ invoke those daemons on the host AND in a container anymore). Also,
+ if LimitNPROC= is used without User= we should warn and refuse
+ operation.
+ - journalctl --verify: don't show files that are currently being
+ written to as FAIL, but instead show that their are being written to.
+ - add journalctl -H that talks via ssh to a remote peer and passes through
+ binary logs data
+ - add a version of --merge which also merges /var/log/journal/remote
+ - journalctl: -m should access container journals directly by enumerating
+ them via machined, and also watch containers coming and going.
+ Benefit: nspawn --ephemeral would start working nicely with the journal.
+ - assign MESSAGE_ID to log messages about failed services
+ - check if loop in decompress_blob_xz() is necessary
+
+* journald: support RFC3164 fully for the incoming syslog transport, see
+ https://github.com/systemd/systemd/issues/19251#issuecomment-816601955
+
+* Hook up journald's FSS logic with TPM2: seal the verification disk by
+ time-based policy, so that the verification key can remain on host and ve
+ validated via TPM.
+
+* build short web pages out of each catalog entry, build them along with man
+ pages, and include hyperlinks to them in the journal output
+
+* journald: do journal file writing out-of-process, with one writer process per
+ client UID, so that synthetic hash table collisions can slow down a specific
+ user's journal stream down but not the others.
+
+* tweak journald context caching. In addition to caching per-process attributes
+ keyed by PID, cache per-cgroup attributes (i.e. the various xattrs we read)
+ keyed by cgroup path, and guarded by ctime changes. This should provide us
+ with a nice speed-up on services that have many processes running in the same
+ cgroup.
+
+* maybe add call sd_journal_set_block_timeout() or so to set SO_SNDTIMEO for
+ the sd-journal logging socket, and, if the timeout is set to 0, sets
+ O_NONBLOCK on it. That way people can control if and when to block for
+ logging.
+
+* journalctl: make sure -f ends when the container indicated by -M terminates
+
+* journald: sigbus API via a signal-handler safe function that people may call
+ from the SIGBUS handler
+
+* add a test if all entries in the catalog are properly formatted.
+ (Adding dashes in a catalog entry currently results in the catalog entry
+ being silently skipped. journalctl --update-catalog must warn about this,
+ and we should also have a unit test to check that all our message are OK.)
+
+* homed:
+ - when user tries to log into record signed by unrecognized key, automatically add key to our chain after polkit auth
+ - rollback when resize fails mid-operation
+ - GNOME's side for forget key on suspend (requires rework so that lock screen runs outside of uid)
+ - update LUKS password on login if we find there's a password that unlocks the JSON record but not the LUKS device.
+ - create on activate?
+ - properties: icon url?, preferred session type?, administrator bool (which translates to 'wheel' membership)?, address?, telephone?, vcard?, samba stuff?, parental controls?
+ - communicate clearly when usb stick is safe to remove. probably involves
+ beefing up logind to make pam session close hook synchronous and wait until
+ systemd --user is shut down.
+ - logind: maybe keep a "busy fd" as long as there's a non-released session around or the user@.service
+ - maybe make automatic, read-only, time-based reflink-copies of LUKS disk
+ images (and btrfs snapshots of subvolumes) (think: time machine)
+ - distinguish destroy / remove (i.e. currently we can unregister a user, unregister+remove their home directory, but not just remove their home directory)
+ - in systemd's PAMName= logic: query passwords with ssh-askpassword, so that we can make "loginctl set-linger" mode work
+ - fingerprint authentication, pattern authentication, …
+ - make sure "classic" user records can also be managed by homed
+ - make size of $XDG_RUNTIME_DIR configurable in user record
+ - query password from kernel keyring first
+ - update even if record is "absent"
+ - move acct mgmt stuff from pam_systemd_home to pam_systemd?
+ - when "homectl --pkcs11-token-uri=" is used, synthesize ssh-authorized-keys records for all keys we have private keys on the stick for
+ - make slice for users configurable (requires logind rework)
+ - logind: populate auto-login list bus property from PKCS#11 token
+ - when determining state of a LUKS home directory, check DM suspended sysfs file
+ - when homed is in use, maybe start the user session manager in a mount namespace with MS_SLAVE,
+ so that mounts propagate down but not up - eg, user A setting up a backup volume
+ doesn't mean user B sees it
+ - use credentials logic/TPM2 logic to store homed signing key
+ - permit multiple user record signing keys to be used locally, and pick
+ the right one for signing records automatically depending on a pre-existing
+ signature
+ - add a way to "adopt" a home directory, i.e. strip foreign signatures
+ and insert a local signature instead.
+ - as an extension to the directory+subvolume backend: if located on
+ especially marked fs, then sync down password into LUKS header of that fs,
+ and always verify passwords against it too. Bootstrapping is a problem
+ though: if no one is logged in (or no other user even exists yet), how do you
+ unlock the volume in order to create the first user and add the first pw.
+ - support new FS_IOC_ADD_ENCRYPTION_KEY ioctl for setting up fscrypt
+ - maybe pre-create ~/.cache as subvol so that it can have separate quota
+ easily?
+ - add a switch to homectl (maybe called --first-boot) where it will check if
+ any non-system users exist, and if not prompts interactively for basic user
+ info, mimicking systemd-firstboot. Then, place this in a service that runs
+ after systemd-homed, but before gdm and friends, as a simple, barebones
+ fallback logic to get a regular user created on uninitialized systems.
+ - store PKCS#11 + FIDO2 token info in LUKS2 header, compatible with
+ systemd-cryptsetup, so that it can unlock homed volumes
+ - maybe make all *.home files owned by `systemd-home` user or so, so that we
+ can easily set overall quota for all users
+ - on login, if we can't fallocate initially, but rebalance is on, then allow
+ login in discard mode, then immediately rebalance, then turn off discard
+ - extend user records with optional "bulk" data. Specifically, a user
+ avatar/photo or so. This data should be stored along with the user record,
+ but probably shouldn't be part of the record itself, since it might be
+ large.
+
+* add a new switch --auto-definitions=yes/no or so to systemd-repart. If
+ specified, synthesize a definition automatically if we can: enlarge last
+ partition on disk, but only if it is marked for growing and not read-only.
+
+* systemd-repart: read LUKS encryption key from $CREDENTIALS_DIRECTORY
+
+* systemd-repart: add a switch to factory reset the partition table without
+ immediately applying the new configuration again. i.e. --factory-reset=leave
+ or so. (this is useful to factory reset an image, then putting it into
+ another machine, ensuring that luks key is generated on new machine, not old)
+
+* systemd-repart: support setting up dm-integrity with HMAC
+
+* systemd-repart: maybe remove half-initialized image on failure. It fails
+ if the output file exists, so a repeated invocation will usually fail if
+ something goes wrong on the way.
+
+* systemd-repart: drop pager mode on normal operation?
+
+* systemd-repart: by default generate minimized partition tables (i.e. tables
+ that only cover the space actually used, excluding any free space at the
+ end), in order to maximize dd'ability. Requires libfdisk work, see
+ https://github.com/karelzak/util-linux/issues/907
+
+* systemd-repart: MBR partition table support. Care needs to be taken regarding
+ Type=, so that partition definitions can sanely apply to both the GPT and the
+ MBR case. Idea: accept syntax "Type=gpt:home mbr:0x83" for setting the types
+ for the two partition types explicitly. And provide an internal mapping so
+ that "Type=linux-generic" maps to the right types for both partition tables
+ automatically.
+
+* systemd-repart: allow sizing partitions as factor of available RAM, so that
+ we can reasonably size swap partitions for hibernation.
+
+* systemd-repart: allow boolean option that ensures that if existing partition
+ doesn't exist within the configured size bounds the whole command fails. This
+ is useful to implement ESP vs. XBOOTLDR schemes in installers: have one set
+ of repart files for the case where ESP is large enough and one where it isn't
+ and XBOOTLDR is added in instead. Then apply the former first, and if it
+ fails to apply use the latter.
+
+* systemd-repart: add per-partition option to never reuse existing partition
+ and always create anew even if matching partition already exists.
+
+* systemd-repart: add per-partition option to fail if partition already exist,
+ i.e. is not added new. Similar, add option to fail if partition does not exist yet.
+
+* systemd-repart: allow disabling growing of specific partitions, or making
+ them (think ESP: we don't ever want to grow it, since we cannot resize vfat)
+ Also add option to disable operation via kernel command line.
+
+* systemd-repart: make it a static checker during early boot for existence and
+ absence of other partitions for trusted boot environments
+
+* systemd-repart: add support for SD_GPT_FLAG_GROWFS also on real systems, i.e.
+ generate some unit to actually enlarge the fs after growing the partition
+ during boot.
+
+* systemd-repart: do not print "Successfully resized …" when no change was done.
+
+* document:
+ - document that deps in [Unit] sections ignore Alias= fields in
+ [Install] units of other units, unless those units are disabled
+ - man: clarify that time-sync.target is not only sysv compat but also useful otherwise. Same for similar targets
+ - document that service reload may be implemented as service reexec
+ - add a man page containing packaging guidelines and recommending usage of things like Documentation=, PrivateTmp=, PrivateNetwork= and ReadOnlyDirectories=/etc /usr.
+ - document systemd-journal-flush.service properly
+ - documentation: recommend to connect the timer units of a service to the service via Also= in [Install]
+ - man: document the very specific env the shutdown drop-in tools live in
+ - man: add more examples to man pages,
+ - in particular an example how to do the equivalent of switching runlevels
+ - man: maybe sort directives in man pages, and take sections from --help and apply them to man too
+ - document root=gpt-auto properly
+
+* systemctl:
+ - add systemctl switch to dump transaction without executing it
+ - Add a verbose mode to "systemctl start" and friends that explains what is being done or not done
+ - "systemctl disable" on a static unit prints no message and does
+ nothing. "systemctl enable" does nothing, and gives a bad message
+ about it. Should fix both to print nice actionable messages.
+ - print nice message from systemctl --failed if there are no entries shown, and hook that into ExecStartPre of rescue.service/emergency.service
+ - add new command to systemctl: "systemctl system-reexec" which reexecs as many daemons as virtually possible
+ - systemctl enable: fail if target to alias into does not exist? maybe show how many units are enabled afterwards?
+ - systemctl: "Journal has been rotated since unit was started." message is misleading
+ - systemctl status output should include list of triggering units and their status
+
+* introduce an option (or replacement) for "systemctl show" that outputs all
+ properties as JSON, similar to busctl's new JSON output. In contrast to that
+ it should skip the variant type string though.
+
+* add an explicit "vertical" mode to format-table, so that "systemctl
+ status"-like outputs (i.e. with a series of field names left and values
+ right) become genuine first class citizens, and we gain automatic, sane JSON
+ output for them.
+
+* Add a "systemctl list-units --by-slice" mode or so, which rearranges the
+ output of "systemctl list-units" slightly by showing the tree structure of
+ the slices, and the units attached to them.
+
+* add "systemctl wait" or so, which does what "systemd-run --wait" does, but
+ for all units. It should be both a way to pin units into memory as well as a
+ wait to retrieve their exit data.
+
+* show whether a service has out-of-date configuration in "systemctl status" by
+ using mtime data of ConfigurationDirectory=.
+
+* "systemctl preset-all" should probably order the unit files it
+ operates on lexicographically before starting to work, in order to
+ ensure deterministic behaviour if two unit files conflict (like DMs
+ do, for example)
+
+* add "systemctl start -v foobar.service" that shows logs of a service
+ while the start command runs. This is non-trivial to do without
+ races though, since we should flush out all journal messages before
+ returning from the "systemctl stop".
+
+* systemctl: if some operation fails, show log output?
+
+* Add a new verb "systemctl top"
+
+* unit install:
+ - "systemctl mask" should find all names by which a unit is accessible
+ (i.e. by scanning for symlinks to it) and link them all to /dev/null
+
+* nspawn:
+ - emulate /dev/kmsg using CUSE and turn off the syslog syscall
+ with seccomp. That should provide us with a useful log buffer that
+ systemd can log to during early boot, and disconnect container logs
+ from the kernel's logs.
+ - as soon as networkd has a bus interface, hook up --network-interface=,
+ --network-bridge= with networkd, to trigger netdev creation should an
+ interface be missing
+ - a nice way to boot up without machine id set, so that it is set at boot
+ automatically for supporting --ephemeral. Maybe hash the host machine id
+ together with the machine name to generate the machine id for the container
+ - fix logic always print a final newline on output.
+ https://github.com/systemd/systemd/pull/272#issuecomment-113153176
+ - should optionally support receiving WATCHDOG=1 messages from its payload
+ PID 1...
+ - optionally automatically add FORWARD rules to iptables whenever nspawn is
+ running, remove them when shut down.
+
+* nspawn: add support for sysext extensions, too. i.e. a new --extension=
+ switch that takes one or more arguments, and applies the extensions already
+ during startup.
+
+* when main nspawn supervisor process gets suspended due to SIGSTOP/SIGTTOU or
+ so, freeze the payload too.
+
+* machined: add API to acquire UID range. add API to mount/dissect loopback
+ file. Both protected by PK. Then make nspawn use these APIs to run
+ unprivileged containers. i.e. push the truly privileged bits into machined,
+ so that the client side can remain entirely unprivileged, with SUID or
+ anything like that.
+
+* nspawn: support time namespaces
+
+* nspawn: on cgroupsv1 issue cgroup empty handler process based on host events,
+ so that we make cgroup agent logic safe
+
+* nspawn/machined: add API to invoke binary in container, then use that as
+ fallback in "machinectl shell"
+
+* nspawn: make nspawn suitable for shell pipelines: instead of triggering a
+ hangup when input is finished, send ^D, which synthesizes an EOF. Then wait
+ for hangup or ^D before passing on the EOF.
+
+* nspawn: greater control over selinux label?
+
+* nspawn: support that /proc, /sys/, /dev are pre-mounted
+
+* machined:
+ - add an API so that libvirt-lxc can inform us about network interfaces being
+ removed or added to an existing machine
+ - "machinectl migrate" or similar to copy a container from or to a
+ difference host, via ssh
+ - introduce systemd-nspawn-ephemeral@.service, and hook it into
+ "machinectl start" with a new --ephemeral switch
+ - "machinectl status" should also show internal logs of the container in
+ question
+ - "machinectl history"
+ - "machinectl diff"
+ - "machinectl commit" that takes a writable snapshot of a tree, invokes a
+ shell in it, and marks it read-only after use
+
+* udev:
+ - move to LGPL
+ - kill scsi_id
+ - add trigger --subsystem-match=usb/usb_device device
+ - reimport udev db after MOVE events for devices without dev_t
+ - re-enable ProtectClock= once only cgroupsv2 is supported.
+ See f562abe2963bad241d34e0b308e48cf114672c84.
+
+* coredump:
+ - save coredump in Windows/Mozilla minidump format
+ - when truncating coredumps, also log the full size that the process had, and make a metadata field so we can report truncated coredumps
+ - add examples for other distros in ELF_PACKAGE_METADATA
+
+* support crash reporting operation modes (https://live.gnome.org/GnomeOS/Design/Whiteboards/ProblemReporting)
+
+* tmpfiles:
+ - apply "x" on "D" too (see patch from William Douglas)
+ - instead of ignoring unknown fields, reject them.
+ - creating new directories/subvolumes/fifos/device nodes
+ should not follow symlinks. None of the other adjustment or creation
+ calls follow symlinks.
+ - add --test mode
+ - teach tmpfiles.d q/Q logic something sensible in the context of XFS/ext4
+ project quota
+ - teach tmpfiles.d m/M to move / atomic move + symlink old -> new
+
+* udev-link-config:
+ - Make sure ID_PATH is always exported and complete for
+ network devices where possible, so we can safely rely
+ on Path= matching
+
+* sd-rtnl:
+ - add support for more attribute types
+ - inbuilt piping support (essentially degenerate async)? see loopback-setup.c and other places
+
+* networkd:
+ - add more keys to [Route] and [Address] sections
+ - add support for more DHCPv4 options (and, longer term, other kinds of dynamic config)
+ - add reduced [Link] support to .network files
+ - properly handle routerless dhcp leases
+ - work with non-Ethernet devices
+ - dhcp: do we allow configuring dhcp routes on interfaces that are not the one we got the dhcp info from?
+ - the DHCP lease data (such as NTP/DNS) is still made available when
+ a carrier is lost on a link. It should be removed instantly.
+ - expose in the API the following bits:
+ - option 15, domain name
+ - option 12, hostname and/or option 81, fqdn
+ - option 123, 144, geolocation
+ - option 252, configure http proxy (PAC/wpad)
+ - provide a way to define a per-network interface default metric value
+ for all routes to it. possibly a second default for DHCP routes.
+ - allow Name= to be specified repeatedly in the [Match] section. Maybe also
+ support Name=foo*|bar*|baz ?
+ - whenever uplink info changes, make DHCP server send out FORCERENEW
+
+* in networkd, when matching device types, fix up DEVTYPE rubbish the kernel passes to us
+
+* Figure out how to do unittests of networkd's state serialization
+
+* dhcp:
+ - figure out how much we can increase Maximum Message Size
+
+* dhcp6:
+ - add functions to set previously stored IPv6 addresses on startup and get
+ them at shutdown; store them in client->ia_na
+ - write more test cases
+ - implement reconfigure support, see 5.3., 15.11. and 22.20.
+ - implement support for temporary adressess (IA_TA)
+ - implement dhcpv6 authentication
+ - investigate the usefulness of Confirm messages; i.e. are there any
+ situations where the link changes without any loss in carrier detection
+ or interface down
+ - some servers don't do rapid commit without a filled in IA_NA, verify
+ this behavior
+ - RouteTable= ?
generated by cgit v1.2.3 (git 2.39.1) at 2024-05-05 07:11:06 +0000