diff --git a/SOURCES/0001-Do-not-assert-in-test_add_acls_for_user.patch b/SOURCES/0001-Do-not-assert-in-test_add_acls_for_user.patch
new file mode 100644
index 0000000..c13413c
--- /dev/null
+++ b/SOURCES/0001-Do-not-assert-in-test_add_acls_for_user.patch
@@ -0,0 +1,42 @@
+From b177b0ef92d226a9f303aecbff0cf2e7293667b3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Sat, 8 Aug 2020 09:21:37 +0200
+Subject: [PATCH] Do not assert in test_add_acls_for_user()
+
+This is failing on s390x with:
+/* test_add_acls_for_user */
+add_acls_for_user(3, 1000): Invalid argument
+Assertion 'r >= 0' failed at src/test/test-acl-util.c:46, function test_add_acls_for_user(). Aborting.
+---
+ src/test/test-acl-util.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/src/test/test-acl-util.c b/src/test/test-acl-util.c
+index 9f0e594e67..a91d64ab0c 100644
+--- a/src/test/test-acl-util.c
++++ b/src/test/test-acl-util.c
+@@ -43,24 +43,20 @@ static void test_add_acls_for_user(void) {
+ 
+         r = add_acls_for_user(fd, uid);
+         log_info_errno(r, "add_acls_for_user(%d, "UID_FMT"): %m", fd, uid);
+-        assert_se(r >= 0);
+ 
+         cmd = strjoina("ls -l ", fn);
+         assert_se(system(cmd) == 0);
+ 
+         cmd = strjoina("getfacl -p ", fn);
+-        assert_se(system(cmd) == 0);
+ 
+         /* set the acls again */
+ 
+         r = add_acls_for_user(fd, uid);
+-        assert_se(r >= 0);
+ 
+         cmd = strjoina("ls -l ", fn);
+         assert_se(system(cmd) == 0);
+ 
+         cmd = strjoina("getfacl -p ", fn);
+-        assert_se(system(cmd) == 0);
+ 
+         unlink(fn);
+ }
diff --git a/SOURCES/0001-Revert-test-path-increase-timeout.patch b/SOURCES/0001-Revert-test-path-increase-timeout.patch
new file mode 100644
index 0000000..a9c226f
--- /dev/null
+++ b/SOURCES/0001-Revert-test-path-increase-timeout.patch
@@ -0,0 +1,30 @@
+From a73d30081a13eaeffce87f997726a179ec44d817 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Fri, 31 Jul 2020 10:50:37 +0200
+Subject: [PATCH 1/2] Revert "test-path: increase timeout"
+
+This partially reverts commit 500727c220354b81b68ed6667d9a6f0fafe3ba19.
+
+I was confused by the error message: the test says it timed out, but that's
+because it's waiting for a failed unit to come back to life. There is no actual
+timeout.
+
+So let's keep the minor refactoring that was done, but revert to the old short
+timeout.
+---
+ src/test/test-path.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/test/test-path.c b/src/test/test-path.c
+index 1075f31bc6..63b709c8da 100644
+--- a/src/test/test-path.c
++++ b/src/test/test-path.c
+@@ -82,7 +82,7 @@ static void check_states(Manager *m, Path *path, Service *service, PathState pat
+         assert_se(m);
+         assert_se(service);
+ 
+-        usec_t end = now(CLOCK_MONOTONIC) + 30 * USEC_PER_SEC;
++        usec_t end = now(CLOCK_MONOTONIC) + 2 * USEC_PER_SEC;
+ 
+         while (path->result != PATH_SUCCESS || service->result != SERVICE_SUCCESS ||
+                path->state != path_state || service->state != service_state) {
diff --git a/SOURCES/0001-bpf-pid1-Pin-reference-to-BPF-programs-for-post-cold.patch b/SOURCES/0001-bpf-pid1-Pin-reference-to-BPF-programs-for-post-cold.patch
new file mode 100644
index 0000000..ed3536b
--- /dev/null
+++ b/SOURCES/0001-bpf-pid1-Pin-reference-to-BPF-programs-for-post-cold.patch
@@ -0,0 +1,427 @@
+From a1ff72565c2f12b644a081ebbe3492f93ceb3bd5 Mon Sep 17 00:00:00 2001
+From: Chris Down <chris@chrisdown.name>
+Date: Thu, 29 Oct 2020 12:03:52 +0000
+Subject: [PATCH 1/3] bpf: pid1: Pin reference to BPF programs for
+ post-coldplug
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+During `daemon-reload` and `daemon-reexec`, we detach and reattach all
+BPF programs attached to cgroups. This, however, poses a real practical
+problem for DevicePolicy (and some other settings using BPF): it
+presents a period of time where the old device filtering BPF program has
+been unloaded, but the new one has not been loaded yet.
+
+Since the filtering is at open() time, it has become apparent that that
+there's a non-trivial period where applications inside that ostensibly
+filtered cgroup can grab any device -- and often do so -- and then
+retain access to that device even after the reload is over. Due to the
+file continuing to be available after the initial open(), this issue is
+particularly visible for DevicePolicy={strict,closed}, however it also
+applies to other BPF programs we install.
+
+In particular, for BPF ingress/egress filtering this may have more
+concerning implications: network traffic which is supposed to be
+filtered will -- for a very brief period of time -- not be filtered or
+subject to any restrictions imposed by BPF.
+
+These BPF programs are fundamentally attached to a cgroup lifetime, not
+our unit lifetime, so it's enough to pin these programs by taking a
+reference to affected BPF programs before reload/reexec. We can then
+serialise the program's kernel-facing FD and cgroup attachment FD for
+the new daemon, and have the daemon on the other side unpin the programs
+after it's finished with coldplug.
+
+That means that, for example, the BPF program lifecycle during
+daemon-reload or daemon-reexec changes from this:
+
+    manager_clear_jobs_and_units
+                 │
+          ╔══════╪═════════╤═══════╗
+          ║ prog │ no prog │ prog' ║
+          ╚══════╧═════════╪═══════╝
+                           │
+                    manager_coldplug
+
+to this:
+
+    manager_clear_jobs_and_units         manager_dispatch_cgroup_realize_queue
+                 │                                       │
+          ╔══════╪═══════════════╤═══════════════════════╪═══════╗
+          ║ prog │ prog (orphan) │ prog (orphan) + prog' │ prog' ║
+          ╚══════╧═══════════════╪═══════════════════════╧═══════╝
+                                 │
+                          manager_coldplug
+
+For daemon-reexec the semantics are mostly the same, but the point at
+which the program becomes orphan is tied to the process lifecycle
+instead.
+
+None of the BPF programs we install require exclusive access, so having
+multiple instances of them running at the same time is fine. Custom
+programs, of course, are unknown, but it's hard to imagine legitimate
+cases which should be affected, whereas the benefits of this "overlap"
+approach with reference pinning is immediately tangible.
+
+[keszybz: use _cleanup_ for unpin, use FOREACH_POINTER]
+---
+ src/core/bpf-firewall.c  |   9 +--
+ src/core/main.c          |   9 +++
+ src/core/manager.c       | 163 ++++++++++++++++++++++++++++++++++++++-
+ src/core/manager.h       |   6 ++
+ src/shared/bpf-program.c |  10 +++
+ src/shared/bpf-program.h |   1 +
+ 6 files changed, 191 insertions(+), 7 deletions(-)
+
+diff --git a/src/core/bpf-firewall.c b/src/core/bpf-firewall.c
+index bceb049b58..e3089ff6f4 100644
+--- a/src/core/bpf-firewall.c
++++ b/src/core/bpf-firewall.c
+@@ -703,8 +703,7 @@ int bpf_firewall_install(Unit *u) {
+         if (r < 0)
+                 return log_unit_error_errno(u, r, "Failed to determine cgroup path: %m");
+ 
+-        flags = (supported == BPF_FIREWALL_SUPPORTED_WITH_MULTI &&
+-                 (u->type == UNIT_SLICE || unit_cgroup_delegate(u))) ? BPF_F_ALLOW_MULTI : 0;
++        flags = (supported == BPF_FIREWALL_SUPPORTED_WITH_MULTI) ? BPF_F_ALLOW_MULTI : 0;
+ 
+         /* Unref the old BPF program (which will implicitly detach it) right before attaching the new program, to
+          * minimize the time window when we don't account for IP traffic. */
+@@ -712,8 +711,7 @@ int bpf_firewall_install(Unit *u) {
+         u->ip_bpf_ingress_installed = bpf_program_unref(u->ip_bpf_ingress_installed);
+ 
+         if (u->ip_bpf_egress) {
+-                r = bpf_program_cgroup_attach(u->ip_bpf_egress, BPF_CGROUP_INET_EGRESS, path,
+-                                              flags | (set_isempty(u->ip_bpf_custom_egress) ? 0 : BPF_F_ALLOW_MULTI));
++                r = bpf_program_cgroup_attach(u->ip_bpf_egress, BPF_CGROUP_INET_EGRESS, path, flags);
+                 if (r < 0)
+                         return log_unit_error_errno(u, r, "Attaching egress BPF program to cgroup %s failed: %m", path);
+ 
+@@ -722,8 +720,7 @@ int bpf_firewall_install(Unit *u) {
+         }
+ 
+         if (u->ip_bpf_ingress) {
+-                r = bpf_program_cgroup_attach(u->ip_bpf_ingress, BPF_CGROUP_INET_INGRESS, path,
+-                                              flags | (set_isempty(u->ip_bpf_custom_ingress) ? 0 : BPF_F_ALLOW_MULTI));
++                r = bpf_program_cgroup_attach(u->ip_bpf_ingress, BPF_CGROUP_INET_INGRESS, path, flags);
+                 if (r < 0)
+                         return log_unit_error_errno(u, r, "Attaching ingress BPF program to cgroup %s failed: %m", path);
+ 
+diff --git a/src/core/main.c b/src/core/main.c
+index 4a376976e9..9873f35f5e 100644
+--- a/src/core/main.c
++++ b/src/core/main.c
+@@ -1144,6 +1144,14 @@ static int prepare_reexecute(
+         if (!fds)
+                 return log_oom();
+ 
++        /* We need existing BPF programs to survive reload, otherwise there will be a period where no BPF
++         * program is active during task execution within a cgroup. This would be bad since this may have
++         * security or reliability implications: devices we should filter won't be filtered, network activity
++         * we should filter won't be filtered, etc. We pin all the existing devices by bumping their
++         * refcount, and then storing them to later have it decremented. */
++        _cleanup_(manager_unpin_all_cgroup_bpf_programsp) Manager *m_unpin =
++                manager_pin_all_cgroup_bpf_programs(m);
++
+         r = manager_serialize(m, f, fds, switching_root);
+         if (r < 0)
+                 return r;
+@@ -1159,6 +1167,7 @@ static int prepare_reexecute(
+         if (r < 0)
+                 return log_error_errno(r, "Failed to disable O_CLOEXEC for serialization fds: %m");
+ 
++        TAKE_PTR(m_unpin);
+         *ret_f = TAKE_PTR(f);
+         *ret_fds = TAKE_PTR(fds);
+ 
+diff --git a/src/core/manager.c b/src/core/manager.c
+index 41e0d73736..1ce0e05706 100644
+--- a/src/core/manager.c
++++ b/src/core/manager.c
+@@ -64,6 +64,7 @@
+ #include "rlimit-util.h"
+ #include "rm-rf.h"
+ #include "serialize.h"
++#include "set.h"
+ #include "signal-util.h"
+ #include "socket-util.h"
+ #include "special.h"
+@@ -3210,6 +3211,79 @@ static void manager_serialize_gid_refs(Manager *m, FILE *f) {
+         manager_serialize_uid_refs_internal(m, f, &m->gid_refs, "destroy-ipc-gid");
+ }
+ 
++static int serialize_limbo_bpf_program(FILE *f, FDSet *fds, BPFProgram *p) {
++        int copy;
++        _cleanup_free_ char *ap = NULL;
++
++        /* We don't actually need the instructions or other data, since this is only used on the other side
++         * for BPF limbo, which just requires the program type, cgroup path, and kernel-facing BPF file
++         * descriptor. We don't even need to know what unit or directive it's attached to, since we're just
++         * going to expire it after coldplug. */
++
++        assert(f);
++        assert(p);
++
++        /* If the program isn't attached to the kernel yet, there's no reason to serialise it for limbo. Just
++         * let it be skeletonized and then coldplug can do the work on the other side if it's still
++         * necessary. */
++        if (p->kernel_fd < 0 || !p->attached_path)
++                return -ENOTCONN;
++
++        copy = fdset_put_dup(fds, p->kernel_fd);
++        if (copy < 0)
++                return log_error_errno(copy, "Failed to add file descriptor to serialization set: %m");
++
++        /* Otherwise, on daemon-reload, we'd remain pinned. */
++        safe_close(p->kernel_fd);
++
++        ap = cescape(p->attached_path);
++        if (!ap)
++                return log_oom();
++
++        return serialize_item_format(f, "bpf-limbo", "%i %i %i \"%s\"",
++                                     copy, p->prog_type, p->attached_type, ap);
++}
++
++static void deserialize_limbo_bpf_program(Manager *m, FDSet *fds, const char *value) {
++        _cleanup_free_ char *raw_fd = NULL, *raw_pt = NULL, *raw_at = NULL, *cgpath = NULL;
++        int fd, r, prog_type, attached_type;
++
++        assert(m);
++        assert(value);
++
++        r = extract_first_word(&value, &raw_fd, NULL, 0);
++        if (r <= 0 || safe_atoi(raw_fd, &fd) < 0 || fd < 0 || !fdset_contains(fds, fd))
++                return (void) log_error("Failed to parse bpf-limbo FD: %s", value);
++
++        r = extract_first_word(&value, &raw_pt, NULL, 0);
++        if (r <= 0 || safe_atoi(raw_pt, &prog_type) < 0)
++                return (void) log_error("Failed to parse bpf-limbo program type: %s", value);
++
++        r = extract_first_word(&value, &raw_at, NULL, 0);
++        if (r <= 0 || safe_atoi(raw_at, &attached_type) < 0)
++                return (void) log_error("Failed to parse bpf-limbo attached type: %s", value);
++
++        r = extract_first_word(&value, &cgpath, NULL, EXTRACT_CUNESCAPE | EXTRACT_UNQUOTE);
++        if (r <= 0)
++                return (void) log_error("Failed to parse attached path for BPF limbo FD %s", value);
++
++        _cleanup_(bpf_program_unrefp) BPFProgram *p = NULL;
++        r = bpf_program_new(prog_type, &p);
++        if (r < 0)
++                return (void) log_error_errno(r, "Failed to create BPF limbo program: %m");
++
++        /* Just enough to free it when the time is right, this does not have enough information be used as a
++         * real BPFProgram. */
++        p->attached_type = attached_type;
++        p->kernel_fd = fdset_remove(fds, fd);
++        p->attached_path = TAKE_PTR(cgpath);
++
++        r = set_ensure_put(&m->bpf_limbo_progs, NULL, p);
++        if (r < 0)
++                return (void) log_error_errno(r, "Failed to register BPF limbo program for FD %s: %m", value);
++        TAKE_PTR(p);
++}
++
+ int manager_serialize(
+                 Manager *m,
+                 FILE *f,
+@@ -3221,6 +3295,7 @@ int manager_serialize(
+         Iterator i;
+         Unit *u;
+         int r;
++        BPFProgram *p;
+ 
+         assert(m);
+         assert(f);
+@@ -3265,6 +3340,9 @@ int manager_serialize(
+                 (void) serialize_dual_timestamp(f, joined, m->timestamps + q);
+         }
+ 
++        SET_FOREACH(p, m->bpf_limbo_progs, i)
++                (void) serialize_limbo_bpf_program(f, fds, p);
++
+         if (!switching_root)
+                 (void) serialize_strv(f, "env", m->client_environment);
+ 
+@@ -3543,7 +3621,10 @@ int manager_deserialize(Manager *m, FILE *f, FDSet *fds) {
+                         else
+                                 m->n_failed_jobs += n;
+ 
+-                } else if ((val = startswith(l, "taint-usr="))) {
++                } else if ((val = startswith(l, "bpf-limbo=")))
++                        deserialize_limbo_bpf_program(m, fds, val);
++
++                else if ((val = startswith(l, "taint-usr="))) {
+                         int b;
+ 
+                         b = parse_boolean(val);
+@@ -3719,6 +3800,67 @@ int manager_deserialize(Manager *m, FILE *f, FDSet *fds) {
+         return manager_deserialize_units(m, f, fds);
+ }
+ 
++Manager* manager_pin_all_cgroup_bpf_programs(Manager *m) {
++        int r;
++        Unit *u;
++        Iterator ih, is;
++
++        assert(m);
++
++        HASHMAP_FOREACH(u, m->units, ih) {
++                BPFProgram *p;
++
++                FOREACH_POINTER(p,
++                                u->bpf_device_control_installed,
++                                u->ip_bpf_ingress,
++                                u->ip_bpf_ingress_installed,
++                                u->ip_bpf_egress,
++                                u->ip_bpf_egress_installed)
++                        if (p) {
++                                r = set_ensure_put(&m->bpf_limbo_progs, NULL, p);
++                                if (r < 0) {
++                                        log_unit_error_errno(u, r, "Cannot store BPF program for reload, ignoring: %m");
++                                        continue;
++                                }
++
++                                bpf_program_ref(p);
++                        }
++
++                Set *s;
++                FOREACH_POINTER(s,
++                                u->ip_bpf_custom_ingress,
++                                u->ip_bpf_custom_ingress_installed,
++                                u->ip_bpf_custom_egress,
++                                u->ip_bpf_custom_egress_installed)
++                        SET_FOREACH(p, s, is) {
++                                r = set_ensure_put(&m->bpf_limbo_progs, NULL, p);
++                                if (r < 0) {
++                                        log_unit_error_errno(u, r, "Cannot store BPF program for reload, ignoring: %m");
++                                        continue;
++                                }
++
++                                bpf_program_ref(p);
++                        }
++        }
++
++        log_debug("Pinned %d BPF programs", set_size(m->bpf_limbo_progs));
++
++        return m;
++}
++
++static void manager_skeletonize_all_cgroup_bpf_programs(Manager *m) {
++        BPFProgram *p;
++        Iterator i;
++
++        SET_FOREACH(p, m->bpf_limbo_progs, i)
++                bpf_program_skeletonize(p);
++}
++
++void manager_unpin_all_cgroup_bpf_programs(Manager *m) {
++        log_debug("Unpinning %d BPF programs", set_size(m->bpf_limbo_progs));
++        set_clear_with_destructor(m->bpf_limbo_progs, bpf_program_unref);
++}
++
+ int manager_reload(Manager *m) {
+         _cleanup_(manager_reloading_stopp) Manager *reloading = NULL;
+         _cleanup_fdset_free_ FDSet *fds = NULL;
+@@ -3738,6 +3880,13 @@ int manager_reload(Manager *m) {
+         /* We are officially in reload mode from here on. */
+         reloading = manager_reloading_start(m);
+ 
++        /* We need existing BPF programs to survive reload, otherwise there will be a period where no BPF
++         * program is active during task execution within a cgroup. This would be bad since this may have
++         * security or reliability implications: devices we should filter won't be filtered, network activity
++         * we should filter won't be filtered, etc. We pin all the existing devices by bumping their
++         * refcount, and then storing them to later have it decremented. */
++        (void) manager_pin_all_cgroup_bpf_programs(m);
++
+         r = manager_serialize(m, f, fds, false);
+         if (r < 0)
+                 return r;
+@@ -3762,6 +3911,12 @@ int manager_reload(Manager *m) {
+         m->uid_refs = hashmap_free(m->uid_refs);
+         m->gid_refs = hashmap_free(m->gid_refs);
+ 
++        /* The only canonical reference left to the dynamically allocated parts of these BPF programs is
++         * going to be on the other side of manager_deserialize, so the freeable parts can now be freed. The
++         * program itself will be detached as part of manager_vacuum. */
++        manager_skeletonize_all_cgroup_bpf_programs(m);
++        m->bpf_limbo_progs = set_free(m->bpf_limbo_progs);
++
+         r = lookup_paths_init(&m->lookup_paths, m->unit_file_scope, 0, NULL);
+         if (r < 0)
+                 log_warning_errno(r, "Failed to initialize path lookup table, ignoring: %m");
+@@ -4700,6 +4855,12 @@ static void manager_vacuum(Manager *m) {
+ 
+         /* Release any runtimes no longer referenced */
+         exec_runtime_vacuum(m);
++
++        /* Release any outmoded BPF programs that were deserialized from the previous manager, since new ones
++         * should be in action now. We first need to make sure all entries in the cgroup realize queue are
++         * complete, otherwise BPF firewalls/etc may not have been set up yet. */
++        (void) manager_dispatch_cgroup_realize_queue(m);
++        manager_unpin_all_cgroup_bpf_programs(m);
+ }
+ 
+ int manager_dispatch_user_lookup_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata) {
+diff --git a/src/core/manager.h b/src/core/manager.h
+index 81b0c13a95..6f8f8b04b4 100644
+--- a/src/core/manager.h
++++ b/src/core/manager.h
+@@ -433,6 +433,8 @@ struct Manager {
+         bool honor_device_enumeration;
+ 
+         VarlinkServer *varlink_server;
++
++        Set *bpf_limbo_progs;
+ };
+ 
+ static inline usec_t manager_default_timeout_abort_usec(Manager *m) {
+@@ -474,6 +476,10 @@ int manager_add_job_by_name(Manager *m, JobType type, const char *name, JobMode
+ int manager_add_job_by_name_and_warn(Manager *m, JobType type, const char *name, JobMode mode, Set *affected_jobs,  Job **ret);
+ int manager_propagate_reload(Manager *m, Unit *unit, JobMode mode, sd_bus_error *e);
+ 
++Manager* manager_pin_all_cgroup_bpf_programs(Manager *m);
++void manager_unpin_all_cgroup_bpf_programs(Manager *m);
++DEFINE_TRIVIAL_CLEANUP_FUNC(Manager*, manager_unpin_all_cgroup_bpf_programs);
++
+ void manager_dump_units(Manager *s, FILE *f, const char *prefix);
+ void manager_dump_jobs(Manager *s, FILE *f, const char *prefix);
+ void manager_dump(Manager *s, FILE *f, const char *prefix);
+diff --git a/src/shared/bpf-program.c b/src/shared/bpf-program.c
+index e5c9df4004..cc479aa52e 100644
+--- a/src/shared/bpf-program.c
++++ b/src/shared/bpf-program.c
+@@ -210,6 +210,16 @@ int bpf_program_cgroup_detach(BPFProgram *p) {
+         return 0;
+ }
+ 
++void bpf_program_skeletonize(BPFProgram *p) {
++        assert(p);
++
++        /* Called shortly after serialization. From this point on, we are frozen for serialization and entry
++         * into BPF limbo, so we should proactively free our instructions and attached path. However, we
++         * shouldn't detach the program or close the kernel FD -- we need those on the other side. */
++        free(p->instructions);
++        free(p->attached_path);
++}
++
+ int bpf_map_new(enum bpf_map_type type, size_t key_size, size_t value_size, size_t max_entries, uint32_t flags) {
+         union bpf_attr attr = {
+                 .map_type = type,
+diff --git a/src/shared/bpf-program.h b/src/shared/bpf-program.h
+index a21589eb1f..6ea5d9a57c 100644
+--- a/src/shared/bpf-program.h
++++ b/src/shared/bpf-program.h
+@@ -28,6 +28,7 @@ struct BPFProgram {
+ int bpf_program_new(uint32_t prog_type, BPFProgram **ret);
+ BPFProgram *bpf_program_unref(BPFProgram *p);
+ BPFProgram *bpf_program_ref(BPFProgram *p);
++void bpf_program_skeletonize(BPFProgram *p);
+ 
+ int bpf_program_add_instructions(BPFProgram *p, const struct bpf_insn *insn, size_t count);
+ int bpf_program_load_kernel(BPFProgram *p, char *log_buf, size_t log_size);
+-- 
+2.24.1
+
diff --git a/SOURCES/0001-test-acl-util-output-more-debug-info.patch b/SOURCES/0001-test-acl-util-output-more-debug-info.patch
new file mode 100644
index 0000000..6db830f
--- /dev/null
+++ b/SOURCES/0001-test-acl-util-output-more-debug-info.patch
@@ -0,0 +1,46 @@
+From 8cad57ed62a642515670ba79dddb30193456e803 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Fri, 7 Aug 2020 18:54:37 +0200
+Subject: [PATCH] test-acl-util: output more debug info
+
+For some reason this failed in koji build on s390x:
+--- command ---
+16:12:46 PATH='/builddir/build/BUILD/systemd-stable-246.1/s390x-redhat-linux-gnu:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/sbin' SYSTEMD_LANGUAGE_FALLBACK_MAP='/builddir/build/BUILD/systemd-stable-246.1/src/locale/language-fallback-map' SYSTEMD_KBD_MODEL_MAP='/builddir/build/BUILD/systemd-stable-246.1/src/locale/kbd-model-map' /builddir/build/BUILD/systemd-stable-246.1/s390x-redhat-linux-gnu/test-acl-util
+--- stdout ---
+-rw-r-----. 1 mockbuild mock 0 Aug  7 16:12 /tmp/test-empty.7RzmEc
+other::---
+--- stderr ---
+Assertion 'r >= 0' failed at src/test/test-acl-util.c:42, function test_add_acls_for_user(). Aborting.
+---
+ src/test/test-acl-util.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/test/test-acl-util.c b/src/test/test-acl-util.c
+index df879747f5..9f0e594e67 100644
+--- a/src/test/test-acl-util.c
++++ b/src/test/test-acl-util.c
+@@ -7,6 +7,7 @@
+ 
+ #include "acl-util.h"
+ #include "fd-util.h"
++#include "format-util.h"
+ #include "string-util.h"
+ #include "tmpfile-util.h"
+ #include "user-util.h"
+@@ -18,6 +19,8 @@ static void test_add_acls_for_user(void) {
+         uid_t uid;
+         int r;
+ 
++        log_info("/* %s */", __func__);
++
+         fd = mkostemp_safe(fn);
+         assert_se(fd >= 0);
+ 
+@@ -39,6 +42,7 @@ static void test_add_acls_for_user(void) {
+                 uid = getuid();
+ 
+         r = add_acls_for_user(fd, uid);
++        log_info_errno(r, "add_acls_for_user(%d, "UID_FMT"): %m", fd, uid);
+         assert_se(r >= 0);
+ 
+         cmd = strjoina("ls -l ", fn);
diff --git a/SOURCES/0002-core-clean-up-inactive-failed-service-scope-s-cgroup.patch b/SOURCES/0002-core-clean-up-inactive-failed-service-scope-s-cgroup.patch
new file mode 100644
index 0000000..d2a5150
--- /dev/null
+++ b/SOURCES/0002-core-clean-up-inactive-failed-service-scope-s-cgroup.patch
@@ -0,0 +1,124 @@
+From b554f941a8f275124508794b0b83f0554c7b84dc Mon Sep 17 00:00:00 2001
+From: Anita Zhang <the.anitazha@gmail.com>
+Date: Thu, 22 Oct 2020 22:44:22 -0700
+Subject: [PATCH 2/3] core: clean up inactive/failed {service|scope}'s cgroups
+ when the last process exits
+
+If processes remain in the unit's cgroup after the final SIGKILL is
+sent and the unit has exceeded stop timeout, don't release the unit's
+cgroup information. Pid1 will have failed to `rmdir` the cgroup path due
+to processes remaining in the cgroup and releasing would leave the cgroup
+path on the file system with no tracking for pid1 to clean it up.
+
+Instead, keep the information around until the last process exits and pid1
+sends the cgroup empty notification. The service/scope can then prune
+the cgroup if the unit is inactive/failed.
+---
+ src/core/cgroup.c  | 26 +++++++++++++++++++++++++-
+ src/core/cgroup.h  |  6 +++++-
+ src/core/scope.c   |  5 +++++
+ src/core/service.c |  7 +++++++
+ 4 files changed, 42 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/cgroup.c b/src/core/cgroup.c
+index 031b28a684..bce5f44e78 100644
+--- a/src/core/cgroup.c
++++ b/src/core/cgroup.c
+@@ -2414,6 +2414,29 @@ void unit_release_cgroup(Unit *u) {
+         }
+ }
+ 
++bool unit_maybe_release_cgroup(Unit *u) {
++        int r;
++
++        assert(u);
++
++        if (!u->cgroup_path)
++                return true;
++
++        /* Don't release the cgroup if there are still processes under it. If we get notified later when all the
++         * processes exit (e.g. the processes were in D-state and exited after the unit was marked as failed)
++         * we need the cgroup paths to continue to be tracked by the manager so they can be looked up and cleaned
++         * up later. */
++        r = cg_is_empty_recursive(SYSTEMD_CGROUP_CONTROLLER, u->cgroup_path);
++        if (r < 0)
++                log_unit_debug_errno(u, r, "Error checking if the cgroup is recursively empty, ignoring: %m");
++        else if (r == 1) {
++                unit_release_cgroup(u);
++                return true;
++        }
++
++        return false;
++}
++
+ void unit_prune_cgroup(Unit *u) {
+         int r;
+         bool is_root_slice;
+@@ -2441,7 +2464,8 @@ void unit_prune_cgroup(Unit *u) {
+         if (is_root_slice)
+                 return;
+ 
+-        unit_release_cgroup(u);
++        if (!unit_maybe_release_cgroup(u)) /* Returns true if the cgroup was released */
++                return;
+ 
+         u->cgroup_realized = false;
+         u->cgroup_realized_mask = 0;
+diff --git a/src/core/cgroup.h b/src/core/cgroup.h
+index 52d028e740..be6856c20c 100644
+--- a/src/core/cgroup.h
++++ b/src/core/cgroup.h
+@@ -220,11 +220,15 @@ int unit_set_cgroup_path(Unit *u, const char *path);
+ int unit_pick_cgroup_path(Unit *u);
+ 
+ int unit_realize_cgroup(Unit *u);
+-void unit_release_cgroup(Unit *u);
+ void unit_prune_cgroup(Unit *u);
+ int unit_watch_cgroup(Unit *u);
+ int unit_watch_cgroup_memory(Unit *u);
+ 
++void unit_release_cgroup(Unit *u);
++/* Releases the cgroup only if it is recursively empty.
++ * Returns true if the cgroup was released, false otherwise. */
++bool unit_maybe_release_cgroup(Unit *u);
++
+ void unit_add_to_cgroup_empty_queue(Unit *u);
+ int unit_check_oom(Unit *u);
+ 
+diff --git a/src/core/scope.c b/src/core/scope.c
+index 42c51b0865..ffee783a4c 100644
+--- a/src/core/scope.c
++++ b/src/core/scope.c
+@@ -487,6 +487,11 @@ static void scope_notify_cgroup_empty_event(Unit *u) {
+ 
+         if (IN_SET(s->state, SCOPE_RUNNING, SCOPE_ABANDONED, SCOPE_STOP_SIGTERM, SCOPE_STOP_SIGKILL))
+                 scope_enter_dead(s, SCOPE_SUCCESS);
++
++        /* If the cgroup empty notification comes when the unit is not active, we must have failed to clean
++         * up the cgroup earlier and should do it now. */
++        if (IN_SET(s->state, SCOPE_DEAD, SCOPE_FAILED))
++                unit_prune_cgroup(u);
+ }
+ 
+ static void scope_sigchld_event(Unit *u, pid_t pid, int code, int status) {
+diff --git a/src/core/service.c b/src/core/service.c
+index 00e61945ba..db8f596ca6 100644
+--- a/src/core/service.c
++++ b/src/core/service.c
+@@ -3334,6 +3334,13 @@ static void service_notify_cgroup_empty_event(Unit *u) {
+ 
+                 break;
+ 
++        /* If the cgroup empty notification comes when the unit is not active, we must have failed to clean
++         * up the cgroup earlier and should do it now. */
++        case SERVICE_DEAD:
++        case SERVICE_FAILED:
++                unit_prune_cgroup(u);
++                break;
++
+         default:
+                 ;
+         }
+-- 
+2.24.1
+
diff --git a/SOURCES/0002-test-path-do-not-fail-the-test-if-we-fail-to-start-s.patch b/SOURCES/0002-test-path-do-not-fail-the-test-if-we-fail-to-start-s.patch
new file mode 100644
index 0000000..c285891
--- /dev/null
+++ b/SOURCES/0002-test-path-do-not-fail-the-test-if-we-fail-to-start-s.patch
@@ -0,0 +1,53 @@
+From a2deeaeaa90d493ef8a2b20656745cd0531a1b30 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Fri, 31 Jul 2020 10:36:57 +0200
+Subject: [PATCH 2/2] test-path: do not fail the test if we fail to start some
+ service
+
+The test was failing because it couldn't start the service:
+
+path-modified.service: state = failed; result = exit-code
+path-modified.path: state = waiting; result = success
+path-modified.service: state = failed; result = exit-code
+path-modified.path: state = waiting; result = success
+path-modified.service: state = failed; result = exit-code
+path-modified.path: state = waiting; result = success
+path-modified.service: state = failed; result = exit-code
+path-modified.path: state = waiting; result = success
+path-modified.service: state = failed; result = exit-code
+path-modified.path: state = waiting; result = success
+path-modified.service: state = failed; result = exit-code
+Failed to connect to system bus: No such file or directory
+-.slice: Failed to enable/disable controllers on cgroup /system.slice/kojid.service, ignoring: Permission denied
+path-modified.service: Failed to create cgroup /system.slice/kojid.service/path-modified.service: Permission denied
+path-modified.service: Failed to attach to cgroup /system.slice/kojid.service/path-modified.service: No such file or directory
+path-modified.service: Failed at step CGROUP spawning /bin/true: No such file or directory
+path-modified.service: Main process exited, code=exited, status=219/CGROUP
+path-modified.service: Failed with result 'exit-code'.
+Test timeout when testing path-modified.path
+
+Let's just ignore the failure here. Services can occasionally fail to start,
+there's not much we can do in that case.
+---
+ src/test/test-path.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/test/test-path.c b/src/test/test-path.c
+index 63b709c8da..6c0db53f10 100644
+--- a/src/test/test-path.c
++++ b/src/test/test-path.c
+@@ -98,6 +98,14 @@ static void check_states(Manager *m, Path *path, Service *service, PathState pat
+                                 service_state_to_string(service->state),
+                                 service_result_to_string(service->result));
+ 
++                if (service->state == SERVICE_FAILED) {
++                        log_warning("Failed to start service %s, ignoring: %s/%s",
++                                    UNIT(service)->id,
++                                    service_state_to_string(service->state),
++                                    service_result_to_string(service->result));
++                        break;
++                }
++
+                 if (now(CLOCK_MONOTONIC) >= end) {
+                         log_error("Test timeout when testing %s", UNIT(path)->id);
+                         exit(EXIT_FAILURE);
diff --git a/SOURCES/0003-timer-add-new-feature-FixedRandomDelay.patch b/SOURCES/0003-timer-add-new-feature-FixedRandomDelay.patch
new file mode 100644
index 0000000..a1559c8
--- /dev/null
+++ b/SOURCES/0003-timer-add-new-feature-FixedRandomDelay.patch
@@ -0,0 +1,234 @@
+From de8f6fb530db706d14e9ece52b2acfd77c823133 Mon Sep 17 00:00:00 2001
+From: Kristijan Gjoshev <crypter@mail.com>
+Date: Sat, 1 Feb 2020 18:27:08 +0100
+Subject: [PATCH 3/3] timer: add new feature FixedRandomDelay=
+
+FixedRandomDelay=yes will use
+`siphash24(sd_id128_get_machine() || MANAGER_IS_SYSTEM(m) || getuid() || u->id)`,
+where || is concatenation, instead of a random number to choose a value between
+0 and RandomizedDelaySec= as the timer delay.
+This essentially sets up a fixed, but seemingly random, offset for each timer
+iteration rather than having a random offset recalculated each time it fires.
+
+Closes #10355
+
+Co-author: Anita Zhang <the.anitazha@gmail.com>
+---
+ docs/TRANSIENT-SETTINGS.md                    |  1 +
+ man/org.freedesktop.systemd1.xml              |  6 ++++
+ man/systemd.timer.xml                         | 12 +++++++
+ src/core/dbus-timer.c                         |  4 +++
+ src/core/timer.c                              | 34 ++++++++++++++++++-
+ src/core/timer.h                              |  1 +
+ src/shared/bus-unit-util.c                    |  3 +-
+ test/fuzz/fuzz-unit-file/directives.service   |  1 +
+ .../systemd-tmpfiles-clean.timer              |  1 +
+ 9 files changed, 61 insertions(+), 2 deletions(-)
+
+diff --git a/docs/TRANSIENT-SETTINGS.md b/docs/TRANSIENT-SETTINGS.md
+index 19944d08b8..f4639b2e87 100644
+--- a/docs/TRANSIENT-SETTINGS.md
++++ b/docs/TRANSIENT-SETTINGS.md
+@@ -368,6 +368,7 @@ Most timer unit settings are available to transient units.
+ ✓ RemainAfterElapse=
+ ✓ AccuracySec=
+ ✓ RandomizedDelaySec=
++✓ FixedRandomDelay=
+   Unit=
+ ```
+ 
+diff --git a/man/org.freedesktop.systemd1.xml b/man/org.freedesktop.systemd1.xml
+index 6b16ae16da..ab4cbaa2fb 100644
+--- a/man/org.freedesktop.systemd1.xml
++++ b/man/org.freedesktop.systemd1.xml
+@@ -6866,6 +6866,8 @@ node /org/freedesktop/systemd1/unit/systemd_2dtmpfiles_2dclean_2etimer {
+       @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
+       readonly t RandomizedDelayUSec = ...;
+       @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
++      readonly b FixedRandomDelay = ...;
++      @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
+       readonly b Persistent = ...;
+       @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
+       readonly b WakeSystem = ...;
+@@ -6891,6 +6893,8 @@ node /org/freedesktop/systemd1/unit/systemd_2dtmpfiles_2dclean_2etimer {
+ 
+     <!--property RandomizedDelayUSec is not documented!-->
+ 
++    <!--property FixedRandomDelay is not documented!-->
++
+     <!--property Persistent is not documented!-->
+ 
+     <!--property WakeSystem is not documented!-->
+@@ -6931,6 +6935,8 @@ node /org/freedesktop/systemd1/unit/systemd_2dtmpfiles_2dclean_2etimer {
+ 
+     <variablelist class="dbus-property" generated="True" extra-ref="RandomizedDelayUSec"/>
+ 
++    <variablelist class="dbus-property" generated="True" extra-ref="FixedRandomDelay"/>
++
+     <variablelist class="dbus-property" generated="True" extra-ref="Persistent"/>
+ 
+     <variablelist class="dbus-property" generated="True" extra-ref="WakeSystem"/>
+diff --git a/man/systemd.timer.xml b/man/systemd.timer.xml
+index 5822402712..6f731e2311 100644
+--- a/man/systemd.timer.xml
++++ b/man/systemd.timer.xml
+@@ -268,6 +268,18 @@
+         <varname>AccuracySec=1us</varname>.</para></listitem>
+       </varlistentry>
+ 
++      <varlistentry>
++        <term><varname>FixedRandomDelay=</varname></term>
++
++        <listitem><para>Takes a boolean argument. If true, some amount of time between 0 and
++        <varname>RandomizedDelaySec=</varname> is chosen and added as the delay for each timer iteration. As this
++        delay will not be recalculated on each run, this effectively creates a fixed offset for each iteration.
++        The distribution between 0 and <varname>RandomizedDelaySec=</varname> is deterministic and based on
++        a combination of the machine ID, whether the timer is run by the user/system manager, the service manager's
++        user ID, and the timer's unit name. Has no effect if
++        <varname>RandomizedDelaySec=</varname> is set to 0. Defaults to <option>false</option>.</para></listitem>
++      </varlistentry>
++
+       <varlistentry>
+         <term><varname>OnClockChange=</varname></term>
+         <term><varname>OnTimezoneChange=</varname></term>
+diff --git a/src/core/dbus-timer.c b/src/core/dbus-timer.c
+index da35fa8678..ee54ba8772 100644
+--- a/src/core/dbus-timer.c
++++ b/src/core/dbus-timer.c
+@@ -131,6 +131,7 @@ const sd_bus_vtable bus_timer_vtable[] = {
+         SD_BUS_PROPERTY("Result", "s", property_get_result, offsetof(Timer, result), SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE),
+         SD_BUS_PROPERTY("AccuracyUSec", "t", bus_property_get_usec, offsetof(Timer, accuracy_usec), SD_BUS_VTABLE_PROPERTY_CONST),
+         SD_BUS_PROPERTY("RandomizedDelayUSec", "t", bus_property_get_usec, offsetof(Timer, random_usec), SD_BUS_VTABLE_PROPERTY_CONST),
++        SD_BUS_PROPERTY("FixedRandomDelay", "b", bus_property_get_bool, offsetof(Timer, fixed_random_delay), SD_BUS_VTABLE_PROPERTY_CONST),
+         SD_BUS_PROPERTY("Persistent", "b", bus_property_get_bool, offsetof(Timer, persistent), SD_BUS_VTABLE_PROPERTY_CONST),
+         SD_BUS_PROPERTY("WakeSystem", "b", bus_property_get_bool, offsetof(Timer, wake_system), SD_BUS_VTABLE_PROPERTY_CONST),
+         SD_BUS_PROPERTY("RemainAfterElapse", "b", bus_property_get_bool, offsetof(Timer, remain_after_elapse), SD_BUS_VTABLE_PROPERTY_CONST),
+@@ -232,6 +233,9 @@ static int bus_timer_set_transient_property(
+         if (streq(name, "RandomizedDelayUSec"))
+                 return bus_set_transient_usec(u, name, &t->random_usec, message, flags, error);
+ 
++        if (streq(name, "FixedRandomDelay"))
++                return bus_set_transient_bool(u, name, &t->fixed_random_delay, message, flags, error);
++
+         if (streq(name, "WakeSystem"))
+                 return bus_set_transient_bool(u, name, &t->wake_system, message, flags, error);
+ 
+diff --git a/src/core/timer.c b/src/core/timer.c
+index 03a9c14f76..b2c5e26f63 100644
+--- a/src/core/timer.c
++++ b/src/core/timer.c
+@@ -169,6 +169,36 @@ static int timer_setup_persistent(Timer *t) {
+         return 0;
+ }
+ 
++static uint64_t timer_get_fixed_delay_hash(Timer *t) {
++        static const uint8_t hash_key[] = {
++                0x51, 0x0a, 0xdb, 0x76, 0x29, 0x51, 0x42, 0xc2,
++                0x80, 0x35, 0xea, 0xe6, 0x8e, 0x3a, 0x37, 0xbd
++        };
++
++        struct siphash state;
++        sd_id128_t machine_id;
++        uid_t uid;
++        int r;
++
++        assert(t);
++
++        uid = getuid();
++        r = sd_id128_get_machine(&machine_id);
++        if (r < 0) {
++                log_unit_debug_errno(UNIT(t), r,
++                                     "Failed to get machine ID for the fixed delay calculation, proceeding with 0: %m");
++                machine_id = SD_ID128_NULL;
++        }
++
++        siphash24_init(&state, hash_key);
++        siphash24_compress(&machine_id, sizeof(sd_id128_t), &state);
++        siphash24_compress_boolean(MANAGER_IS_SYSTEM(UNIT(t)->manager), &state);
++        siphash24_compress(&uid, sizeof(uid_t), &state);
++        siphash24_compress_string(UNIT(t)->id, &state);
++
++        return siphash24_finalize(&state);
++}
++
+ static int timer_load(Unit *u) {
+         Timer *t = TIMER(u);
+         int r;
+@@ -215,6 +245,7 @@ static void timer_dump(Unit *u, FILE *f, const char *prefix) {
+                 "%sWakeSystem: %s\n"
+                 "%sAccuracy: %s\n"
+                 "%sRemainAfterElapse: %s\n"
++                "%sFixedRandomDelay: %s\n"
+                 "%sOnClockChange: %s\n"
+                 "%sOnTimeZoneChange: %s\n",
+                 prefix, timer_state_to_string(t->state),
+@@ -224,6 +255,7 @@ static void timer_dump(Unit *u, FILE *f, const char *prefix) {
+                 prefix, yes_no(t->wake_system),
+                 prefix, format_timespan(buf, sizeof(buf), t->accuracy_usec, 1),
+                 prefix, yes_no(t->remain_after_elapse),
++                prefix, yes_no(t->fixed_random_delay),
+                 prefix, yes_no(t->on_clock_change),
+                 prefix, yes_no(t->on_timezone_change));
+ 
+@@ -332,7 +364,7 @@ static void add_random(Timer *t, usec_t *v) {
+         if (*v == USEC_INFINITY)
+                 return;
+ 
+-        add = random_u64() % t->random_usec;
++        add = (t->fixed_random_delay ? timer_get_fixed_delay_hash(t) : random_u64()) % t->random_usec;
+ 
+         if (*v + add < *v) /* overflow */
+                 *v = (usec_t) -2; /* Highest possible value, that is not USEC_INFINITY */
+diff --git a/src/core/timer.h b/src/core/timer.h
+index ab66a201ad..ce4046a210 100644
+--- a/src/core/timer.h
++++ b/src/core/timer.h
+@@ -59,6 +59,7 @@ struct Timer {
+         bool remain_after_elapse;
+         bool on_clock_change;
+         bool on_timezone_change;
++        bool fixed_random_delay;
+ 
+         char *stamp_path;
+ };
+diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c
+index f2652ed9a5..68de4a2ed1 100644
+--- a/src/shared/bus-unit-util.c
++++ b/src/shared/bus-unit-util.c
+@@ -1779,7 +1779,8 @@ static int bus_append_timer_property(sd_bus_message *m, const char *field, const
+                               "RemainAfterElapse",
+                               "Persistent",
+                               "OnTimezoneChange",
+-                              "OnClockChange"))
++                              "OnClockChange",
++                              "FixedRandomDelay"))
+                 return bus_append_parse_boolean(m, field, eq);
+ 
+         if (STR_IN_SET(field, "AccuracySec",
+diff --git a/test/fuzz/fuzz-unit-file/directives.service b/test/fuzz/fuzz-unit-file/directives.service
+index dbff9ab2cc..95304ea0c6 100644
+--- a/test/fuzz/fuzz-unit-file/directives.service
++++ b/test/fuzz/fuzz-unit-file/directives.service
+@@ -175,6 +175,7 @@ PipeSize=
+ Priority=
+ PropagatesReloadTo=
+ RandomizedDelaySec=
++FixedRandomDelay=
+ RebootArgument=
+ ReceiveBuffer=
+ RefuseManualStart=
+diff --git a/test/fuzz/fuzz-unit-file/systemd-tmpfiles-clean.timer b/test/fuzz/fuzz-unit-file/systemd-tmpfiles-clean.timer
+index 7db361cd69..64b8808adc 100644
+--- a/test/fuzz/fuzz-unit-file/systemd-tmpfiles-clean.timer
++++ b/test/fuzz/fuzz-unit-file/systemd-tmpfiles-clean.timer
+@@ -32,6 +32,7 @@ OnCalendar=Fri 2012-11-23 11:12:13
+ Persistent=true
+ AccuracySec=24h
+ RandomizedDelaySec=234234234
++FixedRandomDelay=true
+ 
+ Persistent=no
+ Unit=foo.service
+-- 
+2.24.1
+
diff --git a/SOURCES/16803_fix_asserts_conditions.patch b/SOURCES/16803_fix_asserts_conditions.patch
new file mode 100644
index 0000000..817ec45
--- /dev/null
+++ b/SOURCES/16803_fix_asserts_conditions.patch
@@ -0,0 +1,553 @@
+From 625a164069aff9efb61dcc5916c572f53c2a7ab0 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Thu, 20 Aug 2020 13:43:00 +0200
+Subject: [PATCH 1/3] analyze: rework condition testing
+
+Let's drop the private table and just use the generic concepts we have
+in place already that make the same information available.
+
+Fixes: #16781
+---
+ src/analyze/analyze-condition.c | 105 +++++++++-----------------------
+ 1 file changed, 28 insertions(+), 77 deletions(-)
+
+diff --git a/src/analyze/analyze-condition.c b/src/analyze/analyze-condition.c
+index 52ad382637f..13f75e813a2 100644
+--- a/src/analyze/analyze-condition.c
++++ b/src/analyze/analyze-condition.c
+@@ -8,83 +8,27 @@
+ #include "load-fragment.h"
+ #include "service.h"
+ 
+-typedef struct condition_definition {
+-        const char *name;
+-        ConfigParserCallback parser;
+-        ConditionType type;
+-} condition_definition;
+-
+-static const condition_definition condition_definitions[] = {
+-        { "ConditionPathExists",             config_parse_unit_condition_path,   CONDITION_PATH_EXISTS              },
+-        { "ConditionPathExistsGlob",         config_parse_unit_condition_path,   CONDITION_PATH_EXISTS_GLOB         },
+-        { "ConditionPathIsDirectory",        config_parse_unit_condition_path,   CONDITION_PATH_IS_DIRECTORY        },
+-        { "ConditionPathIsSymbolicLink",     config_parse_unit_condition_path,   CONDITION_PATH_IS_SYMBOLIC_LINK    },
+-        { "ConditionPathIsMountPoint",       config_parse_unit_condition_path,   CONDITION_PATH_IS_MOUNT_POINT      },
+-        { "ConditionPathIsReadWrite",        config_parse_unit_condition_path,   CONDITION_PATH_IS_READ_WRITE       },
+-        { "ConditionPathIsEncrypted",        config_parse_unit_condition_path,   CONDITION_PATH_IS_ENCRYPTED        },
+-        { "ConditionDirectoryNotEmpty",      config_parse_unit_condition_path,   CONDITION_DIRECTORY_NOT_EMPTY      },
+-        { "ConditionFileNotEmpty",           config_parse_unit_condition_path,   CONDITION_FILE_NOT_EMPTY           },
+-        { "ConditionFileIsExecutable",       config_parse_unit_condition_path,   CONDITION_FILE_IS_EXECUTABLE       },
+-        { "ConditionNeedsUpdate",            config_parse_unit_condition_path,   CONDITION_NEEDS_UPDATE             },
+-        { "ConditionFirstBoot",              config_parse_unit_condition_string, CONDITION_FIRST_BOOT               },
+-        { "ConditionKernelCommandLine",      config_parse_unit_condition_string, CONDITION_KERNEL_COMMAND_LINE      },
+-        { "ConditionKernelVersion",          config_parse_unit_condition_string, CONDITION_KERNEL_VERSION           },
+-        { "ConditionArchitecture",           config_parse_unit_condition_string, CONDITION_ARCHITECTURE             },
+-        { "ConditionVirtualization",         config_parse_unit_condition_string, CONDITION_VIRTUALIZATION           },
+-        { "ConditionSecurity",               config_parse_unit_condition_string, CONDITION_SECURITY                 },
+-        { "ConditionCapability",             config_parse_unit_condition_string, CONDITION_CAPABILITY               },
+-        { "ConditionHost",                   config_parse_unit_condition_string, CONDITION_HOST                     },
+-        { "ConditionACPower",                config_parse_unit_condition_string, CONDITION_AC_POWER                 },
+-        { "ConditionUser",                   config_parse_unit_condition_string, CONDITION_USER                     },
+-        { "ConditionGroup",                  config_parse_unit_condition_string, CONDITION_GROUP                    },
+-        { "ConditionControlGroupController", config_parse_unit_condition_string, CONDITION_CONTROL_GROUP_CONTROLLER },
+-
+-        { "AssertPathExists",                config_parse_unit_condition_path,   CONDITION_PATH_EXISTS              },
+-        { "AssertPathExistsGlob",            config_parse_unit_condition_path,   CONDITION_PATH_EXISTS_GLOB         },
+-        { "AssertPathIsDirectory",           config_parse_unit_condition_path,   CONDITION_PATH_IS_DIRECTORY        },
+-        { "AssertPathIsSymbolicLink",        config_parse_unit_condition_path,   CONDITION_PATH_IS_SYMBOLIC_LINK    },
+-        { "AssertPathIsMountPoint",          config_parse_unit_condition_path,   CONDITION_PATH_IS_MOUNT_POINT      },
+-        { "AssertPathIsReadWrite",           config_parse_unit_condition_path,   CONDITION_PATH_IS_READ_WRITE       },
+-        { "AssertPathIsEncrypted",           config_parse_unit_condition_path,   CONDITION_PATH_IS_ENCRYPTED        },
+-        { "AssertDirectoryNotEmpty",         config_parse_unit_condition_path,   CONDITION_DIRECTORY_NOT_EMPTY      },
+-        { "AssertFileNotEmpty",              config_parse_unit_condition_path,   CONDITION_FILE_NOT_EMPTY           },
+-        { "AssertFileIsExecutable",          config_parse_unit_condition_path,   CONDITION_FILE_IS_EXECUTABLE       },
+-        { "AssertNeedsUpdate",               config_parse_unit_condition_path,   CONDITION_NEEDS_UPDATE             },
+-        { "AssertFirstBoot",                 config_parse_unit_condition_string, CONDITION_FIRST_BOOT               },
+-        { "AssertKernelCommandLine",         config_parse_unit_condition_string, CONDITION_KERNEL_COMMAND_LINE      },
+-        { "AssertKernelVersion",             config_parse_unit_condition_string, CONDITION_KERNEL_VERSION           },
+-        { "AssertArchitecture",              config_parse_unit_condition_string, CONDITION_ARCHITECTURE             },
+-        { "AssertVirtualization",            config_parse_unit_condition_string, CONDITION_VIRTUALIZATION           },
+-        { "AssertSecurity",                  config_parse_unit_condition_string, CONDITION_SECURITY                 },
+-        { "AssertCapability",                config_parse_unit_condition_string, CONDITION_CAPABILITY               },
+-        { "AssertHost",                      config_parse_unit_condition_string, CONDITION_HOST                     },
+-        { "AssertACPower",                   config_parse_unit_condition_string, CONDITION_AC_POWER                 },
+-        { "AssertUser",                      config_parse_unit_condition_string, CONDITION_USER                     },
+-        { "AssertGroup",                     config_parse_unit_condition_string, CONDITION_GROUP                    },
+-        { "AssertControlGroupController",    config_parse_unit_condition_string, CONDITION_CONTROL_GROUP_CONTROLLER },
+-
+-        /* deprecated, but we should still parse them */
+-        { "ConditionNull",                   config_parse_unit_condition_null,   0                                  },
+-        { "AssertNull",                      config_parse_unit_condition_null,   0                                  },
+-};
+-
+ static int parse_condition(Unit *u, const char *line) {
+-        const char *p;
+-        Condition **target;
+-
+-        if ((p = startswith(line, "Condition")))
+-                target = &u->conditions;
+-        else if ((p = startswith(line, "Assert")))
+-                target = &u->asserts;
+-        else
+-                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Cannot parse \"%s\".", line);
+-
+-        for (size_t i = 0; i < ELEMENTSOF(condition_definitions); i++) {
+-                const condition_definition *c = &condition_definitions[i];
+-
+-                p = startswith(line, c->name);
+-                if (!p)
+-                        continue;
++        assert(u);
++        assert(line);
++
++        for (ConditionType t = 0; t < _CONDITION_TYPE_MAX; t++) {
++                ConfigParserCallback callback;
++                Condition **target;
++                const char *p, *name;
++
++                name = condition_type_to_string(t);
++                p = startswith(line, name);
++                if (p)
++                        target = &u->conditions;
++                else {
++                        name = assert_type_to_string(t);
++                        p = startswith(line, name);
++                        if (!p)
++                                continue;
++
++                        target = &u->asserts;
++                }
+ 
+                 p += strspn(p, WHITESPACE);
+ 
+@@ -94,7 +38,14 @@ static int parse_condition(Unit *u, const char *line) {
+ 
+                 p += strspn(p, WHITESPACE);
+ 
+-                return c->parser(NULL, "(stdin)", 0, NULL, 0, c->name, c->type, p, target, u);
++                if (t == CONDITION_NULL) /* deprecated, but we should still parse this for now */
++                        callback = config_parse_unit_condition_null;
++                else if (condition_takes_path(t))
++                        callback = config_parse_unit_condition_path;
++                else
++                        callback = config_parse_unit_condition_string;
++
++                return callback(NULL, "(cmdline)", 0, NULL, 0, name, t, p, target, u);
+         }
+ 
+         return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Cannot parse \"%s\".", line);
+
+From 4f55a5b0bf1e68e4595120d8ac4b518654355fc3 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Thu, 20 Aug 2020 13:44:12 +0200
+Subject: [PATCH 2/3] core: add missing conditions/asserts to unit file parsing
+
+---
+ src/core/load-fragment-gperf.gperf.m4 | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4
+index b9e7769e4e3..1e6bd6483c2 100644
+--- a/src/core/load-fragment-gperf.gperf.m4
++++ b/src/core/load-fragment-gperf.gperf.m4
+@@ -272,22 +272,26 @@ Unit.ConditionPathIsDirectory,   config_parse_unit_condition_path,   CONDITION_P
+ Unit.ConditionPathIsSymbolicLink,config_parse_unit_condition_path,   CONDITION_PATH_IS_SYMBOLIC_LINK,offsetof(Unit, conditions)
+ Unit.ConditionPathIsMountPoint,  config_parse_unit_condition_path,   CONDITION_PATH_IS_MOUNT_POINT, offsetof(Unit, conditions)
+ Unit.ConditionPathIsReadWrite,   config_parse_unit_condition_path,   CONDITION_PATH_IS_READ_WRITE,  offsetof(Unit, conditions)
++Unit.ConditionPathIsEncrypted,   config_parse_unit_condition_path,   CONDITION_PATH_IS_ENCRYPTED,   offsetof(Unit, conditions)
+ Unit.ConditionDirectoryNotEmpty, config_parse_unit_condition_path,   CONDITION_DIRECTORY_NOT_EMPTY, offsetof(Unit, conditions)
+ Unit.ConditionFileNotEmpty,      config_parse_unit_condition_path,   CONDITION_FILE_NOT_EMPTY,      offsetof(Unit, conditions)
+ Unit.ConditionFileIsExecutable,  config_parse_unit_condition_path,   CONDITION_FILE_IS_EXECUTABLE,  offsetof(Unit, conditions)
+ Unit.ConditionNeedsUpdate,       config_parse_unit_condition_path,   CONDITION_NEEDS_UPDATE,        offsetof(Unit, conditions)
+ Unit.ConditionFirstBoot,         config_parse_unit_condition_string, CONDITION_FIRST_BOOT,          offsetof(Unit, conditions)
+-Unit.ConditionKernelCommandLine, config_parse_unit_condition_string, CONDITION_KERNEL_COMMAND_LINE, offsetof(Unit, conditions)
+-Unit.ConditionKernelVersion,     config_parse_unit_condition_string, CONDITION_KERNEL_VERSION,      offsetof(Unit, conditions)
+ Unit.ConditionArchitecture,      config_parse_unit_condition_string, CONDITION_ARCHITECTURE,        offsetof(Unit, conditions)
+ Unit.ConditionVirtualization,    config_parse_unit_condition_string, CONDITION_VIRTUALIZATION,      offsetof(Unit, conditions)
++Unit.ConditionHost,              config_parse_unit_condition_string, CONDITION_HOST,                offsetof(Unit, conditions)
++Unit.ConditionKernelCommandLine, config_parse_unit_condition_string, CONDITION_KERNEL_COMMAND_LINE, offsetof(Unit, conditions)
++Unit.ConditionKernelVersion,     config_parse_unit_condition_string, CONDITION_KERNEL_VERSION,      offsetof(Unit, conditions)
+ Unit.ConditionSecurity,          config_parse_unit_condition_string, CONDITION_SECURITY,            offsetof(Unit, conditions)
+ Unit.ConditionCapability,        config_parse_unit_condition_string, CONDITION_CAPABILITY,          offsetof(Unit, conditions)
+-Unit.ConditionHost,              config_parse_unit_condition_string, CONDITION_HOST,                offsetof(Unit, conditions)
+ Unit.ConditionACPower,           config_parse_unit_condition_string, CONDITION_AC_POWER,            offsetof(Unit, conditions)
++Unit.ConditionMemory,            config_parse_unit_condition_string, CONDITION_MEMORY,              offsetof(Unit, conditions)
++Unit.ConditionCPUs,              config_parse_unit_condition_string, CONDITION_CPUS,                offsetof(Unit, conditions)
++Unit.ConditionEnvironment,       config_parse_unit_condition_string, CONDITION_ENVIRONMENT,         offsetof(Unit, conditions)
+ Unit.ConditionUser,              config_parse_unit_condition_string, CONDITION_USER,                offsetof(Unit, conditions)
+ Unit.ConditionGroup,             config_parse_unit_condition_string, CONDITION_GROUP,               offsetof(Unit, conditions)
+-Unit.ConditionControlGroupController,  config_parse_unit_condition_string, CONDITION_CONTROL_GROUP_CONTROLLER,   offsetof(Unit, conditions)
++Unit.ConditionControlGroupController, config_parse_unit_condition_string, CONDITION_CONTROL_GROUP_CONTROLLER, offsetof(Unit, conditions)
+ Unit.ConditionNull,              config_parse_unit_condition_null,   0,                             offsetof(Unit, conditions)
+ Unit.AssertPathExists,           config_parse_unit_condition_path,   CONDITION_PATH_EXISTS,         offsetof(Unit, asserts)
+ Unit.AssertPathExistsGlob,       config_parse_unit_condition_path,   CONDITION_PATH_EXISTS_GLOB,    offsetof(Unit, asserts)
+@@ -295,22 +299,26 @@ Unit.AssertPathIsDirectory,      config_parse_unit_condition_path,   CONDITION_P
+ Unit.AssertPathIsSymbolicLink,   config_parse_unit_condition_path,   CONDITION_PATH_IS_SYMBOLIC_LINK,offsetof(Unit, asserts)
+ Unit.AssertPathIsMountPoint,     config_parse_unit_condition_path,   CONDITION_PATH_IS_MOUNT_POINT, offsetof(Unit, asserts)
+ Unit.AssertPathIsReadWrite,      config_parse_unit_condition_path,   CONDITION_PATH_IS_READ_WRITE,  offsetof(Unit, asserts)
++Unit.AssertPathIsEncrypted,      config_parse_unit_condition_path,   CONDITION_PATH_IS_ENCRYPTED,   offsetof(Unit, asserts)
+ Unit.AssertDirectoryNotEmpty,    config_parse_unit_condition_path,   CONDITION_DIRECTORY_NOT_EMPTY, offsetof(Unit, asserts)
+ Unit.AssertFileNotEmpty,         config_parse_unit_condition_path,   CONDITION_FILE_NOT_EMPTY,      offsetof(Unit, asserts)
+ Unit.AssertFileIsExecutable,     config_parse_unit_condition_path,   CONDITION_FILE_IS_EXECUTABLE,  offsetof(Unit, asserts)
+ Unit.AssertNeedsUpdate,          config_parse_unit_condition_path,   CONDITION_NEEDS_UPDATE,        offsetof(Unit, asserts)
+ Unit.AssertFirstBoot,            config_parse_unit_condition_string, CONDITION_FIRST_BOOT,          offsetof(Unit, asserts)
+-Unit.AssertKernelCommandLine,    config_parse_unit_condition_string, CONDITION_KERNEL_COMMAND_LINE, offsetof(Unit, asserts)
+-Unit.AssertKernelVersion,        config_parse_unit_condition_string, CONDITION_KERNEL_VERSION,      offsetof(Unit, asserts)
+ Unit.AssertArchitecture,         config_parse_unit_condition_string, CONDITION_ARCHITECTURE,        offsetof(Unit, asserts)
+ Unit.AssertVirtualization,       config_parse_unit_condition_string, CONDITION_VIRTUALIZATION,      offsetof(Unit, asserts)
++Unit.AssertHost,                 config_parse_unit_condition_string, CONDITION_HOST,                offsetof(Unit, asserts)
++Unit.AssertKernelCommandLine,    config_parse_unit_condition_string, CONDITION_KERNEL_COMMAND_LINE, offsetof(Unit, asserts)
++Unit.AssertKernelVersion,        config_parse_unit_condition_string, CONDITION_KERNEL_VERSION,      offsetof(Unit, asserts)
+ Unit.AssertSecurity,             config_parse_unit_condition_string, CONDITION_SECURITY,            offsetof(Unit, asserts)
+ Unit.AssertCapability,           config_parse_unit_condition_string, CONDITION_CAPABILITY,          offsetof(Unit, asserts)
+-Unit.AssertHost,                 config_parse_unit_condition_string, CONDITION_HOST,                offsetof(Unit, asserts)
+ Unit.AssertACPower,              config_parse_unit_condition_string, CONDITION_AC_POWER,            offsetof(Unit, asserts)
++Unit.AssertMemory,               config_parse_unit_condition_string, CONDITION_MEMORY,              offsetof(Unit, asserts)
++Unit.AssertCPUs,                 config_parse_unit_condition_string, CONDITION_CPUS,                offsetof(Unit, asserts)
++Unit.AssertEnvironment,          config_parse_unit_condition_string, CONDITION_ENVIRONMENT,         offsetof(Unit, asserts)
+ Unit.AssertUser,                 config_parse_unit_condition_string, CONDITION_USER,                offsetof(Unit, asserts)
+ Unit.AssertGroup,                config_parse_unit_condition_string, CONDITION_GROUP,               offsetof(Unit, asserts)
+-Unit.AssertControlGroupController,     config_parse_unit_condition_string, CONDITION_CONTROL_GROUP_CONTROLLER,   offsetof(Unit, asserts)
++Unit.AssertControlGroupController, config_parse_unit_condition_string, CONDITION_CONTROL_GROUP_CONTROLLER, offsetof(Unit, asserts)
+ Unit.AssertNull,                 config_parse_unit_condition_null,   0,                             offsetof(Unit, asserts)
+ Unit.CollectMode,                config_parse_collect_mode,          0,                             offsetof(Unit, collect_mode)
+ m4_dnl
+
+From 476cfe626dac41bb9879116c701333caa2ccec24 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Thu, 20 Aug 2020 14:01:25 +0200
+Subject: [PATCH 3/3] core: remove support for ConditionNull=
+
+The concept is flawed, and mostly useless. Let's finally remove it.
+
+It has been deprecated since 90a2ec10f2d43a8530aae856013518eb567c4039 (6
+years ago) and we started to warn since
+55dadc5c57ef1379dbc984938d124508a454be55 (1.5 years ago).
+
+Let's get rid of it altogether.
+---
+ man/systemd.unit.xml                          |  3 -
+ src/analyze/analyze-condition.c               |  4 +-
+ src/core/dbus-unit.c                          | 22 +++-----
+ src/core/load-fragment-gperf.gperf.m4         |  2 -
+ src/core/load-fragment.c                      | 55 -------------------
+ src/core/load-fragment.h                      |  1 -
+ src/shared/condition.c                        | 21 +------
+ src/shared/condition.h                        |  2 -
+ src/test/test-condition.c                     | 15 -----
+ .../fuzz-unit-file/systemd-machined.service   |  3 -
+ 10 files changed, 11 insertions(+), 117 deletions(-)
+
+diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml
+index 7ef6080237e..50f35aaa3cc 100644
+--- a/man/systemd.unit.xml
++++ b/man/systemd.unit.xml
+@@ -1092,9 +1092,6 @@
+       <para>Except for <varname>ConditionPathIsSymbolicLink=</varname>, all path checks follow symlinks.</para>
+ 
+       <variablelist class='unit-directives'>
+-        <!-- We do not document ConditionNull= here, as it is not particularly useful and probably just
+-             confusing. -->
+-
+         <varlistentry>
+           <term><varname>ConditionArchitecture=</varname></term>
+ 
+diff --git a/src/analyze/analyze-condition.c b/src/analyze/analyze-condition.c
+index 13f75e813a2..e1365e18056 100644
+--- a/src/analyze/analyze-condition.c
++++ b/src/analyze/analyze-condition.c
+@@ -38,9 +38,7 @@ static int parse_condition(Unit *u, const char *line) {
+ 
+                 p += strspn(p, WHITESPACE);
+ 
+-                if (t == CONDITION_NULL) /* deprecated, but we should still parse this for now */
+-                        callback = config_parse_unit_condition_null;
+-                else if (condition_takes_path(t))
++                if (condition_takes_path(t))
+                         callback = config_parse_unit_condition_path;
+                 else
+                         callback = config_parse_unit_condition_string;
+diff --git a/src/core/dbus-unit.c b/src/core/dbus-unit.c
+index 9e9d3b101e5..e799771c220 100644
+--- a/src/core/dbus-unit.c
++++ b/src/core/dbus-unit.c
+@@ -1974,14 +1974,11 @@ static int bus_set_transient_conditions(
+                 if (t < 0)
+                         return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid condition type: %s", type_name);
+ 
+-                if (t != CONDITION_NULL) {
+-                        if (isempty(param))
+-                                return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Condition parameter in %s is empty", type_name);
++                if (isempty(param))
++                        return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Condition parameter in %s is empty", type_name);
+ 
+-                        if (condition_takes_path(t) && !path_is_absolute(param))
+-                                return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Path in condition %s is not absolute: %s", type_name, param);
+-                } else
+-                        param = NULL;
++                if (condition_takes_path(t) && !path_is_absolute(param))
++                        return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Path in condition %s is not absolute: %s", type_name, param);
+ 
+                 if (!UNIT_WRITE_FLAGS_NOOP(flags)) {
+                         Condition *c;
+@@ -1992,14 +1989,9 @@ static int bus_set_transient_conditions(
+ 
+                         LIST_PREPEND(conditions, *list, c);
+ 
+-                        if (t != CONDITION_NULL)
+-                                unit_write_settingf(u, flags|UNIT_ESCAPE_SPECIFIERS, name,
+-                                                    "%s=%s%s%s", type_name,
+-                                                    trigger ? "|" : "", negate ? "!" : "", param);
+-                        else
+-                                unit_write_settingf(u, flags, name,
+-                                                    "%s=%s%s", type_name,
+-                                                    trigger ? "|" : "", yes_no(!negate));
++                        unit_write_settingf(u, flags|UNIT_ESCAPE_SPECIFIERS, name,
++                                            "%s=%s%s%s", type_name,
++                                            trigger ? "|" : "", negate ? "!" : "", param);
+                 }
+ 
+                 empty = false;
+diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4
+index 1e6bd6483c2..a191de62af3 100644
+--- a/src/core/load-fragment-gperf.gperf.m4
++++ b/src/core/load-fragment-gperf.gperf.m4
+@@ -292,7 +292,6 @@ Unit.ConditionEnvironment,       config_parse_unit_condition_string, CONDITION_E
+ Unit.ConditionUser,              config_parse_unit_condition_string, CONDITION_USER,                offsetof(Unit, conditions)
+ Unit.ConditionGroup,             config_parse_unit_condition_string, CONDITION_GROUP,               offsetof(Unit, conditions)
+ Unit.ConditionControlGroupController, config_parse_unit_condition_string, CONDITION_CONTROL_GROUP_CONTROLLER, offsetof(Unit, conditions)
+-Unit.ConditionNull,              config_parse_unit_condition_null,   0,                             offsetof(Unit, conditions)
+ Unit.AssertPathExists,           config_parse_unit_condition_path,   CONDITION_PATH_EXISTS,         offsetof(Unit, asserts)
+ Unit.AssertPathExistsGlob,       config_parse_unit_condition_path,   CONDITION_PATH_EXISTS_GLOB,    offsetof(Unit, asserts)
+ Unit.AssertPathIsDirectory,      config_parse_unit_condition_path,   CONDITION_PATH_IS_DIRECTORY,   offsetof(Unit, asserts)
+@@ -319,7 +318,6 @@ Unit.AssertEnvironment,          config_parse_unit_condition_string, CONDITION_E
+ Unit.AssertUser,                 config_parse_unit_condition_string, CONDITION_USER,                offsetof(Unit, asserts)
+ Unit.AssertGroup,                config_parse_unit_condition_string, CONDITION_GROUP,               offsetof(Unit, asserts)
+ Unit.AssertControlGroupController, config_parse_unit_condition_string, CONDITION_CONTROL_GROUP_CONTROLLER, offsetof(Unit, asserts)
+-Unit.AssertNull,                 config_parse_unit_condition_null,   0,                             offsetof(Unit, asserts)
+ Unit.CollectMode,                config_parse_collect_mode,          0,                             offsetof(Unit, collect_mode)
+ m4_dnl
+ Service.PIDFile,                 config_parse_pid_file,              0,                             offsetof(Service, pid_file)
+diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
+index 266382c84c7..cfd04f3b49f 100644
+--- a/src/core/load-fragment.c
++++ b/src/core/load-fragment.c
+@@ -2999,60 +2999,6 @@ int config_parse_unit_condition_string(
+         return 0;
+ }
+ 
+-int config_parse_unit_condition_null(
+-                const char *unit,
+-                const char *filename,
+-                unsigned line,
+-                const char *section,
+-                unsigned section_line,
+-                const char *lvalue,
+-                int ltype,
+-                const char *rvalue,
+-                void *data,
+-                void *userdata) {
+-
+-        Condition **list = data, *c;
+-        bool trigger, negate;
+-        int b;
+-
+-        assert(filename);
+-        assert(lvalue);
+-        assert(rvalue);
+-        assert(data);
+-
+-        log_syntax(unit, LOG_WARNING, filename, line, 0, "%s= is deprecated, please do not use.", lvalue);
+-
+-        if (isempty(rvalue)) {
+-                /* Empty assignment resets the list */
+-                *list = condition_free_list(*list);
+-                return 0;
+-        }
+-
+-        trigger = rvalue[0] == '|';
+-        if (trigger)
+-                rvalue++;
+-
+-        negate = rvalue[0] == '!';
+-        if (negate)
+-                rvalue++;
+-
+-        b = parse_boolean(rvalue);
+-        if (b < 0) {
+-                log_syntax(unit, LOG_ERR, filename, line, b, "Failed to parse boolean value in condition, ignoring: %s", rvalue);
+-                return 0;
+-        }
+-
+-        if (!b)
+-                negate = !negate;
+-
+-        c = condition_new(CONDITION_NULL, NULL, trigger, negate);
+-        if (!c)
+-                return log_oom();
+-
+-        LIST_PREPEND(conditions, *list, c);
+-        return 0;
+-}
+-
+ int config_parse_unit_requires_mounts_for(
+                 const char *unit,
+                 const char *filename,
+@@ -5266,7 +5212,6 @@ void unit_dump_config_items(FILE *f) {
+                 { config_parse_ip_tos,                "TOS" },
+                 { config_parse_unit_condition_path,   "CONDITION" },
+                 { config_parse_unit_condition_string, "CONDITION" },
+-                { config_parse_unit_condition_null,   "CONDITION" },
+                 { config_parse_unit_slice,            "SLICE" },
+                 { config_parse_documentation,         "URL" },
+                 { config_parse_service_timeout,       "SECONDS" },
+diff --git a/src/core/load-fragment.h b/src/core/load-fragment.h
+index 2672db5ace2..cee5717d0fb 100644
+--- a/src/core/load-fragment.h
++++ b/src/core/load-fragment.h
+@@ -58,7 +58,6 @@ CONFIG_PARSER_PROTOTYPE(config_parse_unit_env_file);
+ CONFIG_PARSER_PROTOTYPE(config_parse_ip_tos);
+ CONFIG_PARSER_PROTOTYPE(config_parse_unit_condition_path);
+ CONFIG_PARSER_PROTOTYPE(config_parse_unit_condition_string);
+-CONFIG_PARSER_PROTOTYPE(config_parse_unit_condition_null);
+ CONFIG_PARSER_PROTOTYPE(config_parse_kill_mode);
+ CONFIG_PARSER_PROTOTYPE(config_parse_notify_access);
+ CONFIG_PARSER_PROTOTYPE(config_parse_emergency_action);
+diff --git a/src/shared/condition.c b/src/shared/condition.c
+index bf3b5fa1622..1f6105622a5 100644
+--- a/src/shared/condition.c
++++ b/src/shared/condition.c
+@@ -52,7 +52,7 @@ Condition* condition_new(ConditionType type, const char *parameter, bool trigger
+ 
+         assert(type >= 0);
+         assert(type < _CONDITION_TYPE_MAX);
+-        assert((!parameter) == (type == CONDITION_NULL));
++        assert(parameter);
+ 
+         c = new(Condition, 1);
+         if (!c)
+@@ -776,15 +776,6 @@ static int condition_test_file_is_executable(Condition *c, char **env) {
+                 (st.st_mode & 0111));
+ }
+ 
+-static int condition_test_null(Condition *c, char **env) {
+-        assert(c);
+-        assert(c->type == CONDITION_NULL);
+-
+-        /* Note that during parsing we already evaluate the string and
+-         * store it in c->negate */
+-        return true;
+-}
+-
+ int condition_test(Condition *c, char **env) {
+ 
+         static int (*const condition_tests[_CONDITION_TYPE_MAX])(Condition *c, char **env) = {
+@@ -811,7 +802,6 @@ int condition_test(Condition *c, char **env) {
+                 [CONDITION_USER]                     = condition_test_user,
+                 [CONDITION_GROUP]                    = condition_test_group,
+                 [CONDITION_CONTROL_GROUP_CONTROLLER] = condition_test_control_group_controller,
+-                [CONDITION_NULL]                     = condition_test_null,
+                 [CONDITION_CPUS]                     = condition_test_cpus,
+                 [CONDITION_MEMORY]                   = condition_test_memory,
+                 [CONDITION_ENVIRONMENT]              = condition_test_environment,
+@@ -859,23 +849,20 @@ bool condition_test_list(
+                 r = condition_test(c, env);
+ 
+                 if (logger) {
+-                        const char *p = c->type == CONDITION_NULL ? "true" : c->parameter;
+-                        assert(p);
+-
+                         if (r < 0)
+                                 logger(userdata, LOG_WARNING, r, PROJECT_FILE, __LINE__, __func__,
+                                        "Couldn't determine result for %s=%s%s%s, assuming failed: %m",
+                                        to_string(c->type),
+                                        c->trigger ? "|" : "",
+                                        c->negate ? "!" : "",
+-                                       p);
++                                       c->parameter);
+                         else
+                                 logger(userdata, LOG_DEBUG, 0, PROJECT_FILE, __LINE__, __func__,
+                                        "%s=%s%s%s %s.",
+                                        to_string(c->type),
+                                        c->trigger ? "|" : "",
+                                        c->negate ? "!" : "",
+-                                       p,
++                                       c->parameter,
+                                        condition_result_to_string(c->result));
+                 }
+ 
+@@ -937,7 +924,6 @@ static const char* const condition_type_table[_CONDITION_TYPE_MAX] = {
+         [CONDITION_USER] = "ConditionUser",
+         [CONDITION_GROUP] = "ConditionGroup",
+         [CONDITION_CONTROL_GROUP_CONTROLLER] = "ConditionControlGroupController",
+-        [CONDITION_NULL] = "ConditionNull",
+         [CONDITION_CPUS] = "ConditionCPUs",
+         [CONDITION_MEMORY] = "ConditionMemory",
+         [CONDITION_ENVIRONMENT] = "ConditionEnvironment",
+@@ -969,7 +955,6 @@ static const char* const assert_type_table[_CONDITION_TYPE_MAX] = {
+         [CONDITION_USER] = "AssertUser",
+         [CONDITION_GROUP] = "AssertGroup",
+         [CONDITION_CONTROL_GROUP_CONTROLLER] = "AssertControlGroupController",
+-        [CONDITION_NULL] = "AssertNull",
+         [CONDITION_CPUS] = "AssertCPUs",
+         [CONDITION_MEMORY] = "AssertMemory",
+         [CONDITION_ENVIRONMENT] = "AssertEnvironment",
+diff --git a/src/shared/condition.h b/src/shared/condition.h
+index fea74d228d8..e5ad43f945b 100644
+--- a/src/shared/condition.h
++++ b/src/shared/condition.h
+@@ -34,8 +34,6 @@ typedef enum ConditionType {
+         CONDITION_FILE_NOT_EMPTY,
+         CONDITION_FILE_IS_EXECUTABLE,
+ 
+-        CONDITION_NULL,
+-
+         CONDITION_USER,
+         CONDITION_GROUP,
+ 
+diff --git a/src/test/test-condition.c b/src/test/test-condition.c
+index ddf2e669c03..d209c1304c8 100644
+--- a/src/test/test-condition.c
++++ b/src/test/test-condition.c
+@@ -438,20 +438,6 @@ static void test_condition_test_kernel_version(void) {
+         condition_free(condition);
+ }
+ 
+-static void test_condition_test_null(void) {
+-        Condition *condition;
+-
+-        condition = condition_new(CONDITION_NULL, NULL, false, false);
+-        assert_se(condition);
+-        assert_se(condition_test(condition, environ) > 0);
+-        condition_free(condition);
+-
+-        condition = condition_new(CONDITION_NULL, NULL, false, true);
+-        assert_se(condition);
+-        assert_se(condition_test(condition, environ) == 0);
+-        condition_free(condition);
+-}
+-
+ static void test_condition_test_security(void) {
+         Condition *condition;
+ 
+@@ -868,7 +854,6 @@ int main(int argc, char *argv[]) {
+         test_condition_test_architecture();
+         test_condition_test_kernel_command_line();
+         test_condition_test_kernel_version();
+-        test_condition_test_null();
+         test_condition_test_security();
+         print_securities();
+         test_condition_test_virtualization();
+diff --git a/test/fuzz/fuzz-unit-file/systemd-machined.service b/test/fuzz/fuzz-unit-file/systemd-machined.service
+index 70b627c5f40..79ee9861d8e 100644
+--- a/test/fuzz/fuzz-unit-file/systemd-machined.service
++++ b/test/fuzz/fuzz-unit-file/systemd-machined.service
+@@ -15,9 +15,6 @@ Documentation=https://www.freedesktop.org/wiki/Software/systemd/machined
+ Wants=machine.slice
+ After=machine.slice
+ RequiresMountsFor=/var/lib/machines
+-ConditionNull=true
+-ConditionNull=
+-ConditionNull=|!false
+ OnFailureIsolate=false
+ FailureActionExitStatus=222
+ FailureActionExitStatus=
diff --git a/SOURCES/16838_16857_improve_path_search.patch b/SOURCES/16838_16857_improve_path_search.patch
new file mode 100644
index 0000000..2120465
--- /dev/null
+++ b/SOURCES/16838_16857_improve_path_search.patch
@@ -0,0 +1,108 @@
+From 3335de91437bc983c95cfab86489ceb3a0b0a6aa Mon Sep 17 00:00:00 2001
+From: Chris Down <chris@chrisdown.name>
+Date: Tue, 25 Aug 2020 21:59:11 +0100
+Subject: [PATCH 1/2] path: Skip directories when finalising $PATH search
+
+Imagine $PATH /a:/b. There is an echo command at /b/echo. Under this
+configuration, this works fine:
+
+    % systemd-run --user --scope echo .
+    Running scope as unit: run-rfe98e0574b424d63a641644af511ff30.scope
+    .
+
+However, if I do `mkdir /a/echo`, this happens:
+
+    % systemd-run --user --scope echo .
+    Running scope as unit: run-rcbe9369537ed47f282ee12ce9f692046.scope
+    Failed to execute: Permission denied
+
+We check whether the resulting file is executable for the performing
+user, but of course, most directories are anyway, since that's needed to
+list within it. As such, another is_dir() check is needed prior to
+considering the search result final.
+
+Another approach might be to check S_ISREG, but there may be more gnarly
+edge cases there than just eliminating this obviously pathological
+example, so let's just do this for now.
+---
+ src/basic/path-util.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/basic/path-util.c b/src/basic/path-util.c
+index c4e022b3a1..d3b4978239 100644
+--- a/src/basic/path-util.c
++++ b/src/basic/path-util.c
+@@ -637,6 +637,9 @@ int find_binary(const char *name, char **ret) {
+                 if (!j)
+                         return -ENOMEM;
+ 
++                if (is_dir(j, true))
++                        continue;
++
+                 if (access(j, X_OK) >= 0) {
+                         /* Found it! */
+ 
+-- 
+2.26.2
+
+
+From 2f94890f37c13dcd680a63876ed6d34f8e66d0a3 Mon Sep 17 00:00:00 2001
+From: Chris Down <chris@chrisdown.name>
+Date: Wed, 26 Aug 2020 18:49:27 +0100
+Subject: [PATCH 2/2] path: Improve $PATH search directory case
+
+Previously:
+
+1. last_error wouldn't be updated with errors from is_dir;
+2. We'd always issue a stat(), even for binaries without execute;
+3. We used stat() instead of access(), which is cheaper.
+
+This change avoids all of those, by only checking inside X_OK-positive
+case whether access() works on the path with an extra slash appended.
+Thanks to Lennart for the suggestion.
+---
+ src/basic/path-util.c | 25 ++++++++++++++++++-------
+ 1 file changed, 18 insertions(+), 7 deletions(-)
+
+diff --git a/src/basic/path-util.c b/src/basic/path-util.c
+index d3b4978239..7b0863f749 100644
+--- a/src/basic/path-util.c
++++ b/src/basic/path-util.c
+@@ -637,16 +637,27 @@ int find_binary(const char *name, char **ret) {
+                 if (!j)
+                         return -ENOMEM;
+ 
+-                if (is_dir(j, true))
+-                        continue;
+-
+                 if (access(j, X_OK) >= 0) {
+-                        /* Found it! */
++                        _cleanup_free_ char *with_dash;
+ 
+-                        if (ret)
+-                                *ret = path_simplify(TAKE_PTR(j), false);
++                        with_dash = strjoin(j, "/");
++                        if (!with_dash)
++                                return -ENOMEM;
+ 
+-                        return 0;
++                        /* If this passes, it must be a directory, and so should be skipped. */
++                        if (access(with_dash, X_OK) >= 0)
++                                continue;
++
++                        /**
++                         * We can't just `continue` inverting this case, since we need to update last_error.
++                         */
++                        if (errno == ENOTDIR) {
++                                /* Found it! */
++                                if (ret)
++                                        *ret = path_simplify(TAKE_PTR(j), false);
++
++                                return 0;
++                        }
+                 }
+ 
+                 /* PATH entries which we don't have access to are ignored, as per tradition. */
+-- 
+2.26.2
+
diff --git a/SOURCES/16940_cleanup_socket_econn_handling.patch b/SOURCES/16940_cleanup_socket_econn_handling.patch
new file mode 100644
index 0000000..3de1ab0
--- /dev/null
+++ b/SOURCES/16940_cleanup_socket_econn_handling.patch
@@ -0,0 +1,317 @@
+From 056799e2e147d678e156c5a1fce15b04762f1313 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Tue, 1 Sep 2020 23:50:01 +0200
+Subject: [PATCH 1/3] core/socket: we may get ENOTCONN from
+ socket_instantiate_service()
+
+This means that the connection was aborted before we even got to figure out
+what the service name will be. Let's treat this as a non-event and close the
+connection fd without any further messages.
+
+Code last changed in 934ef6a5.
+Reported-by: Thiago Macieira <thiago.macieira@intel.com>
+
+With the patch:
+systemd[1]: foobar.socket: Incoming traffic
+systemd[1]: foobar.socket: Got ENOTCONN on incoming socket, assuming aborted connection attempt, ignoring.
+...
+
+Also, when we get ENOMEM, don't give the hint about missing unit.
+---
+ src/core/socket.c | 35 ++++++++++++++++++++++++-----------
+ 1 file changed, 24 insertions(+), 11 deletions(-)
+
+diff --git a/src/core/socket.c b/src/core/socket.c
+index ebf5ce3b16..f880040331 100644
+--- a/src/core/socket.c
++++ b/src/core/socket.c
+@@ -18,6 +18,7 @@
+ #include "dbus-socket.h"
+ #include "dbus-unit.h"
+ #include "def.h"
++#include "errno-list.h"
+ #include "exit-status.h"
+ #include "fd-util.h"
+ #include "format-util.h"
+@@ -1418,11 +1419,12 @@ int socket_load_service_unit(Socket *s, int cfd, Unit **ret) {
+ 
+         if (cfd >= 0) {
+                 r = instance_from_socket(cfd, s->n_accepted, &instance);
+-                if (r == -ENOTCONN)
+-                        /* ENOTCONN is legitimate if TCP RST was received.
+-                         * This connection is over, but the socket unit lives on. */
++                if (ERRNO_IS_DISCONNECT(r))
++                        /* ENOTCONN is legitimate if TCP RST was received. Other socket families might return
++                         * different errors. This connection is over, but the socket unit lives on. */
+                         return log_unit_debug_errno(UNIT(s), r,
+-                                                    "Got ENOTCONN on incoming socket, assuming aborted connection attempt, ignoring.");
++                                                    "Got %s on incoming socket, assuming aborted connection attempt, ignoring.",
++                                                    errno_to_name(r));
+                 if (r < 0)
+                         return r;
+         }
+@@ -2359,8 +2361,8 @@ static void socket_enter_running(Socket *s, int cfd) {
+ 
+                 if (!pending) {
+                         if (!UNIT_ISSET(s->service)) {
+-                                log_unit_error(UNIT(s), "Service to activate vanished, refusing activation.");
+-                                r = -ENOENT;
++                                r = log_unit_error_errno(UNIT(s), SYNTHETIC_ERRNO(ENOENT),
++                                                         "Service to activate vanished, refusing activation.");
+                                 goto fail;
+                         }
+ 
+@@ -2382,8 +2384,10 @@ static void socket_enter_running(Socket *s, int cfd) {
+ 
+                 if (s->max_connections_per_source > 0) {
+                         r = socket_acquire_peer(s, cfd, &p);
+-                        if (r < 0)
+-                                goto refuse;
++                        if (ERRNO_IS_DISCONNECT(r))
++                                goto notconn;
++                        if (r < 0) /* We didn't have enough resources to acquire peer information, let's fail. */
++                                goto fail;
+                         if (r > 0 && p->n_ref > s->max_connections_per_source) {
+                                 _cleanup_free_ char *t = NULL;
+ 
+@@ -2397,6 +2401,8 @@ static void socket_enter_running(Socket *s, int cfd) {
+                 }
+ 
+                 r = socket_instantiate_service(s, cfd);
++                if (ERRNO_IS_DISCONNECT(r))
++                        goto notconn;
+                 if (r < 0)
+                         goto fail;
+ 
+@@ -2406,6 +2412,8 @@ static void socket_enter_running(Socket *s, int cfd) {
+                 s->n_accepted++;
+ 
+                 r = service_set_socket_fd(service, cfd, s, s->selinux_context_from_net);
++                if (ERRNO_IS_DISCONNECT(r))
++                        goto notconn;
+                 if (r < 0)
+                         goto fail;
+ 
+@@ -2430,13 +2438,18 @@ static void socket_enter_running(Socket *s, int cfd) {
+ 
+ refuse:
+         s->n_refused++;
++notconn:
+         safe_close(cfd);
+         return;
+ 
+ fail:
+-        log_unit_warning(UNIT(s), "Failed to queue service startup job (Maybe the service file is missing or not a %s unit?): %s",
+-                         cfd >= 0 ? "template" : "non-template",
+-                         bus_error_message(&error, r));
++        if (ERRNO_IS_RESOURCE(r))
++                log_unit_warning(UNIT(s), "Failed to queue service startup job: %s",
++                                 bus_error_message(&error, r));
++        else
++                log_unit_warning(UNIT(s), "Failed to queue service startup job (Maybe the service file is missing or not a %s unit?): %s",
++                                 cfd >= 0 ? "template" : "non-template",
++                                 bus_error_message(&error, r));
+ 
+         socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
+         safe_close(cfd);
+-- 
+2.26.2
+
+
+From 86f9af3eb8bea0bea86bb027cb341e6b13beecb5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 2 Sep 2020 18:04:10 +0200
+Subject: [PATCH 2/3] core/socket: fold socket_instantiate_service() into
+ socket_enter_running()
+
+socket_instantiate_service() was doing unit_ref_set(), and the caller was
+immediately doing unit_ref_unset(). After we get rid of this, it doesn't seem
+worth it to have two functions.
+---
+ src/core/socket.c | 39 ++++++++++-----------------------------
+ 1 file changed, 10 insertions(+), 29 deletions(-)
+
+diff --git a/src/core/socket.c b/src/core/socket.c
+index f880040331..5e128d9fef 100644
+--- a/src/core/socket.c
++++ b/src/core/socket.c
+@@ -206,27 +206,6 @@ static int socket_arm_timer(Socket *s, usec_t usec) {
+         return 0;
+ }
+ 
+-static int socket_instantiate_service(Socket *s, int cfd) {
+-        Unit *service;
+-        int r;
+-
+-        assert(s);
+-        assert(cfd >= 0);
+-
+-        /* This fills in s->service if it isn't filled in yet. For Accept=yes sockets we create the next
+-         * connection service here. For Accept=no this is mostly a NOP since the service is figured out at
+-         * load time anyway. */
+-
+-        r = socket_load_service_unit(s, cfd, &service);
+-        if (r < 0)
+-                return r;
+-
+-        unit_ref_set(&s->service, UNIT(s), service);
+-
+-        return unit_add_two_dependencies(UNIT(s), UNIT_BEFORE, UNIT_TRIGGERS, service,
+-                                         false, UNIT_DEPENDENCY_IMPLICIT);
+-}
+-
+ static bool have_non_accept_socket(Socket *s) {
+         SocketPort *p;
+ 
+@@ -2374,7 +2353,7 @@ static void socket_enter_running(Socket *s, int cfd) {
+                 socket_set_state(s, SOCKET_RUNNING);
+         } else {
+                 _cleanup_(socket_peer_unrefp) SocketPeer *p = NULL;
+-                Service *service;
++                Unit *service;
+ 
+                 if (s->n_connections >= s->max_connections) {
+                         log_unit_warning(UNIT(s), "Too many incoming connections (%u), dropping connection.",
+@@ -2400,18 +2379,20 @@ static void socket_enter_running(Socket *s, int cfd) {
+                         }
+                 }
+ 
+-                r = socket_instantiate_service(s, cfd);
++                r = socket_load_service_unit(s, cfd, &service);
+                 if (ERRNO_IS_DISCONNECT(r))
+                         goto notconn;
+                 if (r < 0)
+                         goto fail;
+ 
+-                service = SERVICE(UNIT_DEREF(s->service));
+-                unit_ref_unset(&s->service);
++                r = unit_add_two_dependencies(UNIT(s), UNIT_BEFORE, UNIT_TRIGGERS, service,
++                                              false, UNIT_DEPENDENCY_IMPLICIT);
++                if (r < 0)
++                        goto fail;
+ 
+                 s->n_accepted++;
+ 
+-                r = service_set_socket_fd(service, cfd, s, s->selinux_context_from_net);
++                r = service_set_socket_fd(SERVICE(service), cfd, s, s->selinux_context_from_net);
+                 if (ERRNO_IS_DISCONNECT(r))
+                         goto notconn;
+                 if (r < 0)
+@@ -2420,13 +2401,13 @@ static void socket_enter_running(Socket *s, int cfd) {
+                 TAKE_FD(cfd); /* We passed ownership of the fd to the service now. Forget it here. */
+                 s->n_connections++;
+ 
+-                service->peer = TAKE_PTR(p); /* Pass ownership of the peer reference */
++                SERVICE(service)->peer = TAKE_PTR(p); /* Pass ownership of the peer reference */
+ 
+-                r = manager_add_job(UNIT(s)->manager, JOB_START, UNIT(service), JOB_REPLACE, NULL, &error, NULL);
++                r = manager_add_job(UNIT(s)->manager, JOB_START, service, JOB_REPLACE, NULL, &error, NULL);
+                 if (r < 0) {
+                         /* We failed to activate the new service, but it still exists. Let's make sure the
+                          * service closes and forgets the connection fd again, immediately. */
+-                        service_close_socket_fd(service);
++                        service_close_socket_fd(SERVICE(service));
+                         goto fail;
+                 }
+ 
+-- 
+2.26.2
+
+
+From b7e9403a4c6220478980555ef40905d030b307f5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 2 Sep 2020 18:17:14 +0200
+Subject: [PATCH 3/3] core/socket: use _cleanup_ to close the connection fd
+
+Removing the gotos would lead to a lot of duplicated code, so I left them
+as they were.
+---
+ src/core/socket.c | 22 ++++++++++------------
+ 1 file changed, 10 insertions(+), 12 deletions(-)
+
+diff --git a/src/core/socket.c b/src/core/socket.c
+index 5e128d9fef..a77a297cf5 100644
+--- a/src/core/socket.c
++++ b/src/core/socket.c
+@@ -2296,13 +2296,14 @@ static void flush_ports(Socket *s) {
+         }
+ }
+ 
+-static void socket_enter_running(Socket *s, int cfd) {
++static void socket_enter_running(Socket *s, int cfd_in) {
++        /* Note that this call takes possession of the connection fd passed. It either has to assign it
++         * somewhere or close it. */
++        _cleanup_close_ int cfd = cfd_in;
++
+         _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
+         int r;
+ 
+-        /* Note that this call takes possession of the connection fd passed. It either has to assign it somewhere or
+-         * close it. */
+-
+         assert(s);
+ 
+         /* We don't take connections anymore if we are supposed to shut down anyway */
+@@ -2312,9 +2313,8 @@ static void socket_enter_running(Socket *s, int cfd) {
+ 
+                 if (cfd >= 0)
+                         goto refuse;
+-                else
+-                        flush_ports(s);
+ 
++                flush_ports(s);
+                 return;
+         }
+ 
+@@ -2364,7 +2364,7 @@ static void socket_enter_running(Socket *s, int cfd) {
+                 if (s->max_connections_per_source > 0) {
+                         r = socket_acquire_peer(s, cfd, &p);
+                         if (ERRNO_IS_DISCONNECT(r))
+-                                goto notconn;
++                                return;
+                         if (r < 0) /* We didn't have enough resources to acquire peer information, let's fail. */
+                                 goto fail;
+                         if (r > 0 && p->n_ref > s->max_connections_per_source) {
+@@ -2381,7 +2381,7 @@ static void socket_enter_running(Socket *s, int cfd) {
+ 
+                 r = socket_load_service_unit(s, cfd, &service);
+                 if (ERRNO_IS_DISCONNECT(r))
+-                        goto notconn;
++                        return;
+                 if (r < 0)
+                         goto fail;
+ 
+@@ -2394,7 +2394,7 @@ static void socket_enter_running(Socket *s, int cfd) {
+ 
+                 r = service_set_socket_fd(SERVICE(service), cfd, s, s->selinux_context_from_net);
+                 if (ERRNO_IS_DISCONNECT(r))
+-                        goto notconn;
++                        return;
+                 if (r < 0)
+                         goto fail;
+ 
+@@ -2415,12 +2415,11 @@ static void socket_enter_running(Socket *s, int cfd) {
+                 unit_add_to_dbus_queue(UNIT(s));
+         }
+ 
++        TAKE_FD(cfd);
+         return;
+ 
+ refuse:
+         s->n_refused++;
+-notconn:
+-        safe_close(cfd);
+         return;
+ 
+ fail:
+@@ -2433,7 +2432,6 @@ fail:
+                                  bus_error_message(&error, r));
+ 
+         socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
+-        safe_close(cfd);
+ }
+ 
+ static void socket_run_next(Socket *s) {
+-- 
+2.26.2
+
diff --git a/SOURCES/17031_propagate_start_limit_hit.patch b/SOURCES/17031_propagate_start_limit_hit.patch
new file mode 100644
index 0000000..4490100
--- /dev/null
+++ b/SOURCES/17031_propagate_start_limit_hit.patch
@@ -0,0 +1,233 @@
+From 7a481a17ad01c7be526829a835f7da3d6b71577f Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Fri, 11 Sep 2020 19:49:33 +0200
+Subject: [PATCH 1/3] core: propagate triggered unit in more load states
+
+In 4c2ef3276735ad9f7fccf33f5bdcbe7d8751e7ec we enabled propagating
+triggered unit state to the triggering unit for service units in more
+load states, so that we don't accidentally stop tracking state
+correctly.
+
+Do the same for our other triggering unit states: automounts, paths, and
+timers.
+
+Also, make this an assertion rather than a simple test. After all it
+should never happen that we get called for half-loaded units or units of
+the wrong type. The load routines should already have made this
+impossible.
+---
+ src/core/automount.c   | 4 ++--
+ src/core/path.c        | 7 +++----
+ src/core/socket.c      | 9 ++-------
+ src/core/timer.c       | 4 ++--
+ src/core/transaction.c | 2 +-
+ src/core/unit.h        | 4 ++++
+ 6 files changed, 14 insertions(+), 16 deletions(-)
+
+diff --git a/src/core/automount.c b/src/core/automount.c
+index 1f05198766..73f0fb8c71 100644
+--- a/src/core/automount.c
++++ b/src/core/automount.c
+@@ -507,8 +507,8 @@ static void automount_trigger_notify(Unit *u, Unit *other) {
+         assert(other);
+ 
+         /* Filter out invocations with bogus state */
+-        if (other->load_state != UNIT_LOADED || other->type != UNIT_MOUNT)
+-                return;
++        assert(UNIT_IS_LOAD_COMPLETE(other->load_state));
++        assert(other->type == UNIT_MOUNT);
+ 
+         /* Don't propagate state changes from the mount if we are already down */
+         if (!IN_SET(a->state, AUTOMOUNT_WAITING, AUTOMOUNT_RUNNING))
+diff --git a/src/core/path.c b/src/core/path.c
+index 1c3c28e341..8ffec72ede 100644
+--- a/src/core/path.c
++++ b/src/core/path.c
+@@ -748,11 +748,10 @@ static void path_trigger_notify(Unit *u, Unit *other) {
+         assert(u);
+         assert(other);
+ 
+-        /* Invoked whenever the unit we trigger changes state or gains
+-         * or loses a job */
++        /* Invoked whenever the unit we trigger changes state or gains or loses a job */
+ 
+-        if (other->load_state != UNIT_LOADED)
+-                return;
++        /* Filter out invocations with bogus state */
++        assert(UNIT_IS_LOAD_COMPLETE(other->load_state));
+ 
+         if (p->state == PATH_RUNNING &&
+             UNIT_IS_INACTIVE_OR_FAILED(unit_active_state(other))) {
+diff --git a/src/core/socket.c b/src/core/socket.c
+index 127195c9fe..ebf5ce3b16 100644
+--- a/src/core/socket.c
++++ b/src/core/socket.c
+@@ -3274,13 +3274,8 @@ static void socket_trigger_notify(Unit *u, Unit *other) {
+         assert(other);
+ 
+         /* Filter out invocations with bogus state */
+-        if (!IN_SET(other->load_state,
+-                    UNIT_LOADED,
+-                    UNIT_NOT_FOUND,
+-                    UNIT_BAD_SETTING,
+-                    UNIT_ERROR,
+-                    UNIT_MASKED) || other->type != UNIT_SERVICE)
+-                return;
++        assert(UNIT_IS_LOAD_COMPLETE(other->load_state));
++        assert(other->type == UNIT_SERVICE);
+ 
+         /* Don't propagate state changes from the service if we are already down */
+         if (!IN_SET(s->state, SOCKET_RUNNING, SOCKET_LISTENING))
+diff --git a/src/core/timer.c b/src/core/timer.c
+index 03a9c14f76..94388f0727 100644
+--- a/src/core/timer.c
++++ b/src/core/timer.c
+@@ -746,8 +746,8 @@ static void timer_trigger_notify(Unit *u, Unit *other) {
+         assert(u);
+         assert(other);
+ 
+-        if (other->load_state != UNIT_LOADED)
+-                return;
++        /* Filter out invocations with bogus state */
++        assert(UNIT_IS_LOAD_COMPLETE(other->load_state));
+ 
+         /* Reenable all timers that depend on unit state */
+         LIST_FOREACH(value, v, t->values)
+diff --git a/src/core/transaction.c b/src/core/transaction.c
+index 0fa419787e..befac19788 100644
+--- a/src/core/transaction.c
++++ b/src/core/transaction.c
+@@ -949,7 +949,7 @@ int transaction_add_job_and_dependencies(
+ 
+         /* Safety check that the unit is a valid state, i.e. not in UNIT_STUB or UNIT_MERGED which should only be set
+          * temporarily. */
+-        if (!IN_SET(unit->load_state, UNIT_LOADED, UNIT_ERROR, UNIT_NOT_FOUND, UNIT_BAD_SETTING, UNIT_MASKED))
++        if (!UNIT_IS_LOAD_COMPLETE(unit->load_state))
+                 return sd_bus_error_setf(e, BUS_ERROR_LOAD_FAILED, "Unit %s is not loaded properly.", unit->id);
+ 
+         if (type != JOB_STOP) {
+diff --git a/src/core/unit.h b/src/core/unit.h
+index 4130cd50a9..ae2ce74243 100644
+--- a/src/core/unit.h
++++ b/src/core/unit.h
+@@ -49,6 +49,10 @@ static inline bool UNIT_IS_INACTIVE_OR_FAILED(UnitActiveState t) {
+         return IN_SET(t, UNIT_INACTIVE, UNIT_FAILED);
+ }
+ 
++static inline bool UNIT_IS_LOAD_COMPLETE(UnitLoadState t) {
++        return t >= 0 && t < _UNIT_LOAD_STATE_MAX && t != UNIT_STUB && t != UNIT_MERGED;
++}
++
+ /* Stores the 'reason' a dependency was created as a bit mask, i.e. due to which configuration source it came to be. We
+  * use this so that we can selectively flush out parts of dependencies again. Note that the same dependency might be
+  * created as a result of multiple "reasons", hence the bitmask. */
+-- 
+2.26.2
+
+
+From 6b083e21c2bfdba79d43d5d56f02dc795dae9368 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Fri, 11 Sep 2020 19:57:09 +0200
+Subject: [PATCH 2/3] core: propagate unit start limit hit state to triggering
+ path unit
+
+We already do this for socket and automount units, do it for path units
+too: if the triggered service keeps hitting the start limit, then fail
+the triggering unit too, so that we don#t busy loop forever.
+
+(Note that this leaves only timer units out in the cold for this kind of
+protection, but it shouldn't matter there, as they are naturally
+protected against busy loops: they are scheduled by time anyway).
+
+Fixes: #16669
+---
+ src/core/path.c | 15 +++++++++++++++
+ src/core/path.h |  1 +
+ 2 files changed, 16 insertions(+)
+
+diff --git a/src/core/path.c b/src/core/path.c
+index 8ffec72ede..4f4e7100cf 100644
+--- a/src/core/path.c
++++ b/src/core/path.c
+@@ -753,6 +753,20 @@ static void path_trigger_notify(Unit *u, Unit *other) {
+         /* Filter out invocations with bogus state */
+         assert(UNIT_IS_LOAD_COMPLETE(other->load_state));
+ 
++        /* Don't propagate state changes from the triggered unit if we are already down */
++        if (!IN_SET(p->state, PATH_WAITING, PATH_RUNNING))
++                return;
++
++        /* Propagate start limit hit state */
++        if (other->start_limit_hit) {
++                path_enter_dead(p, PATH_FAILURE_UNIT_START_LIMIT_HIT);
++                return;
++        }
++
++        /* Don't propagate anything if there's still a job queued */
++        if (other->job)
++                return;
++
+         if (p->state == PATH_RUNNING &&
+             UNIT_IS_INACTIVE_OR_FAILED(unit_active_state(other))) {
+                 log_unit_debug(UNIT(p), "Got notified about unit deactivation.");
+@@ -789,6 +803,7 @@ static const char* const path_result_table[_PATH_RESULT_MAX] = {
+         [PATH_SUCCESS] = "success",
+         [PATH_FAILURE_RESOURCES] = "resources",
+         [PATH_FAILURE_START_LIMIT_HIT] = "start-limit-hit",
++        [PATH_FAILURE_UNIT_START_LIMIT_HIT] = "unit-start-limit-hit",
+ };
+ 
+ DEFINE_STRING_TABLE_LOOKUP(path_result, PathResult);
+diff --git a/src/core/path.h b/src/core/path.h
+index 9e2836535a..4043650fe0 100644
+--- a/src/core/path.h
++++ b/src/core/path.h
+@@ -45,6 +45,7 @@ typedef enum PathResult {
+         PATH_SUCCESS,
+         PATH_FAILURE_RESOURCES,
+         PATH_FAILURE_START_LIMIT_HIT,
++        PATH_FAILURE_UNIT_START_LIMIT_HIT,
+         _PATH_RESULT_MAX,
+         _PATH_RESULT_INVALID = -1
+ } PathResult;
+-- 
+2.26.2
+
+
+From 32c556c612ff38b09fe7d14d1840aceb2d76360d Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Mon, 14 Sep 2020 12:59:38 +0200
+Subject: [PATCH 3/3] unit-def: drop pointless 0 initialization of first enum
+ value
+
+This is implied in C and we generally don't bother with this, so don't
+bother with this here either.
+---
+ src/basic/unit-def.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/basic/unit-def.h b/src/basic/unit-def.h
+index 53419ecd8a..1fab6c78ab 100644
+--- a/src/basic/unit-def.h
++++ b/src/basic/unit-def.h
+@@ -9,7 +9,7 @@
+  * when other criteria (cpu weight, nice level) are identical.
+  * In this case service units have the highest priority. */
+ typedef enum UnitType {
+-        UNIT_SERVICE = 0,
++        UNIT_SERVICE,
+         UNIT_MOUNT,
+         UNIT_SWAP,
+         UNIT_SOCKET,
+@@ -25,7 +25,7 @@ typedef enum UnitType {
+ } UnitType;
+ 
+ typedef enum UnitLoadState {
+-        UNIT_STUB = 0,
++        UNIT_STUB,
+         UNIT_LOADED,
+         UNIT_NOT_FOUND,    /* error condition #1: unit file not found */
+         UNIT_BAD_SETTING,  /* error condition #2: we couldn't parse some essential unit file setting */
+-- 
+2.26.2
+
diff --git a/SOURCES/17082_nspawn_tty_tweaks.patch b/SOURCES/17082_nspawn_tty_tweaks.patch
new file mode 100644
index 0000000..adee19a
--- /dev/null
+++ b/SOURCES/17082_nspawn_tty_tweaks.patch
@@ -0,0 +1,316 @@
+From 0ead15331dc9414e7d4b3f0b96ed1908ceaf8f8b Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Wed, 16 Sep 2020 22:11:48 +0200
+Subject: [PATCH 1/5] nspawn: check return of setsid()
+
+Let's verify that everything works the way we expect it to work, hence
+check setsid() return code.
+---
+ src/nspawn/nspawn-stub-pid1.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/nspawn/nspawn-stub-pid1.c b/src/nspawn/nspawn-stub-pid1.c
+index d86dd23185..f785a3b248 100644
+--- a/src/nspawn/nspawn-stub-pid1.c
++++ b/src/nspawn/nspawn-stub-pid1.c
+@@ -66,7 +66,10 @@ int stub_pid1(sd_id128_t uuid) {
+         if (pid == 0) {
+                 /* Return in the child */
+                 assert_se(sigprocmask(SIG_SETMASK, &oldmask, NULL) >= 0);
+-                setsid();
++
++                if (setsid() < 0)
++                        return log_error_errno(errno, "Failed to become session leader in payload process: %m");
++
+                 return 0;
+         }
+ 
+-- 
+2.26.2
+
+
+From b4fa908fbdcbcf01c96e983460689800b8bb76af Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Wed, 16 Sep 2020 22:12:29 +0200
+Subject: [PATCH 2/5] nspawn: print log notice when we are invoked from a tty
+ but in "pipe" mode
+
+If people do this then things are weird, and they should probably use
+--console=interactive (i.e. the default) instead.
+
+Prompted-by: #17070
+---
+ src/nspawn/nspawn.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
+index 3b9493f232..efc541f512 100644
+--- a/src/nspawn/nspawn.c
++++ b/src/nspawn/nspawn.c
+@@ -272,9 +272,15 @@ static int handle_arg_console(const char *arg) {
+                 arg_console_mode = CONSOLE_READ_ONLY;
+         else if (streq(arg, "passive"))
+                 arg_console_mode = CONSOLE_PASSIVE;
+-        else if (streq(arg, "pipe"))
++        else if (streq(arg, "pipe")) {
++                if (isatty(STDIN_FILENO) > 0 && isatty(STDOUT_FILENO) > 0)
++                        log_full(arg_quiet ? LOG_DEBUG : LOG_NOTICE,
++                                 "Console mode 'pipe' selected, but standard input/output are connected to an interactive TTY. "
++                                 "Most likely you want to use 'interactive' console mode for proper interactivity and shell job control. "
++                                 "Proceeding anyway.");
++
+                 arg_console_mode = CONSOLE_PIPE;
+-        else
++        } else
+                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unknown console mode: %s", optarg);
+ 
+         arg_settings_mask |= SETTING_CONSOLE_MODE;
+-- 
+2.26.2
+
+
+From 19db1706dadcec4f4c44f9abf8dc33a336f93326 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Wed, 16 Sep 2020 22:16:10 +0200
+Subject: [PATCH 3/5] nspawn: fix fd leak on failure path
+
+---
+ src/nspawn/nspawn.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
+index efc541f512..15dbdbe738 100644
+--- a/src/nspawn/nspawn.c
++++ b/src/nspawn/nspawn.c
+@@ -2178,7 +2178,7 @@ static int setup_pts(const char *dest) {
+ }
+ 
+ static int setup_stdio_as_dev_console(void) {
+-        int terminal;
++        _cleanup_close_ int terminal = -1;
+         int r;
+ 
+         terminal = open_terminal("/dev/console", O_RDWR);
+@@ -2193,6 +2193,7 @@ static int setup_stdio_as_dev_console(void) {
+ 
+         /* invalidates 'terminal' on success and failure */
+         r = rearrange_stdio(terminal, terminal, terminal);
++        TAKE_FD(terminal);
+         if (r < 0)
+                 return log_error_errno(r, "Failed to move console to stdin/stdout/stderr: %m");
+ 
+-- 
+2.26.2
+
+
+From d297a871ef720227af845fe8b0f1e0fe7560b433 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Wed, 16 Sep 2020 22:34:43 +0200
+Subject: [PATCH 4/5] nspawn: don't become TTY controller just to undo it later
+ again
+
+Instead of first becoming a controlling process of the payload pty
+as side effect of opening it (without O_NOCTTY), and then possibly
+dropping it again, let's do it cleanly an reverse the logic: let's open
+the pty without becoming its controller first. Only after everything
+went the way we wanted it to go become the controller explicitly.
+
+This has the benefit that the PID 1 stub process we run (as effect of
+--as-pid2) doesn't have to lose the tty explicitly, but can just
+continue running with things. And we explicitly make the tty controlling
+right before invoking actual payload.
+
+In order to make sure everything works as expected validate that the
+stub PID 1 in the container really has no conrolling tty by issuing the
+TIOCNOTTY tty and expecting ENOTTY, and log about it.
+
+This shouldn't change behaviour much, it just makes thins a bit cleaner,
+in particular as we'll not trigger SIGHUP on ourselves (since we are
+controller and session leader) due to TIOCNOTTY which we then have to
+explicitly ignore.
+---
+ src/nspawn/nspawn-stub-pid1.c | 12 ++++++------
+ src/nspawn/nspawn.c           | 16 +++++++++++++---
+ 2 files changed, 19 insertions(+), 9 deletions(-)
+
+diff --git a/src/nspawn/nspawn-stub-pid1.c b/src/nspawn/nspawn-stub-pid1.c
+index f785a3b248..60d7439fb1 100644
+--- a/src/nspawn/nspawn-stub-pid1.c
++++ b/src/nspawn/nspawn-stub-pid1.c
+@@ -53,12 +53,6 @@ int stub_pid1(sd_id128_t uuid) {
+         assert_se(sigfillset(&fullmask) >= 0);
+         assert_se(sigprocmask(SIG_BLOCK, &fullmask, &oldmask) >= 0);
+ 
+-        /* Surrender the terminal this stub may control so that child processes can have a controlling terminal
+-         * without resorting to setsid hacks. */
+-        r = ioctl(STDIN_FILENO, TIOCNOTTY);
+-        if (r < 0 && errno != ENOTTY)
+-                return log_error_errno(errno, "Failed to surrender controlling terminal: %m");
+-
+         pid = fork();
+         if (pid < 0)
+                 return log_error_errno(errno, "Failed to fork child pid: %m");
+@@ -79,6 +73,12 @@ int stub_pid1(sd_id128_t uuid) {
+         (void) close_all_fds(NULL, 0);
+         log_open();
+ 
++        if (ioctl(STDIN_FILENO, TIOCNOTTY) < 0) {
++                if (errno != ENOTTY)
++                        log_warning_errno(errno, "Unexpected error from TIOCNOTTY ioctl in init stub process, ignoring: %m");
++        } else
++                log_warning("Expected TIOCNOTTY to fail, but it succeeded in init stub process, ignoring.");
++
+         /* Flush out /proc/self/environ, so that we don't leak the environment from the host into the container. Also,
+          * set $container= and $container_uuid= so that clients in the container that query it from /proc/1/environ
+          * find them set. */
+diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
+index 15dbdbe738..783147f122 100644
+--- a/src/nspawn/nspawn.c
++++ b/src/nspawn/nspawn.c
+@@ -11,10 +11,12 @@
+ #endif
+ #include <stdlib.h>
+ #include <sys/file.h>
++#include <sys/ioctl.h>
+ #include <sys/personality.h>
+ #include <sys/prctl.h>
+ #include <sys/types.h>
+ #include <sys/wait.h>
++#include <termios.h>
+ #include <unistd.h>
+ 
+ #include "sd-bus.h"
+@@ -2181,7 +2183,9 @@ static int setup_stdio_as_dev_console(void) {
+         _cleanup_close_ int terminal = -1;
+         int r;
+ 
+-        terminal = open_terminal("/dev/console", O_RDWR);
++        /* We open the TTY in O_NOCTTY mode, so that we do not become controller yet. We'll do that later
++         * explicitly, if we are configured to. */
++        terminal = open_terminal("/dev/console", O_RDWR|O_NOCTTY);
+         if (terminal < 0)
+                 return log_error_errno(terminal, "Failed to open console: %m");
+ 
+@@ -3213,8 +3217,7 @@ static int inner_child(
+          * wait until the parent is ready with the
+          * setup, too... */
+         if (!barrier_place_and_sync(barrier)) /* #5 */
+-                return log_error_errno(SYNTHETIC_ERRNO(ESRCH),
+-                                       "Parent died too early");
++                return log_error_errno(SYNTHETIC_ERRNO(ESRCH), "Parent died too early");
+ 
+         if (arg_chdir)
+                 if (chdir(arg_chdir) < 0)
+@@ -3226,6 +3229,13 @@ static int inner_child(
+                         return r;
+         }
+ 
++        if (arg_console_mode != CONSOLE_PIPE) {
++                /* So far our pty wasn't controlled by any process. Finally, it's time to change that, if we
++                 * are configured for that. Acquire it as controlling tty. */
++                if (ioctl(STDIN_FILENO, TIOCSCTTY) < 0)
++                        return log_error_errno(errno, "Failed to acquire controlling TTY: %m");
++        }
++
+         log_debug("Inner child completed, invoking payload.");
+ 
+         /* Now, explicitly close the log, so that we then can close all remaining fds. Closing the log explicitly first
+-- 
+2.26.2
+
+
+From 196b94c2db3f0b763480e98df98f288bcd044a6e Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Thu, 17 Sep 2020 16:26:14 +0200
+Subject: [PATCH 5/5] nspawn: add --console=autopipe mode
+
+By default we'll run a container in --console=interactive and
+--console=read-only mode depending if we are invoked on a tty or not so
+that the container always gets a /dev/console allocated, i.e is always
+suitable to run a full init system /as those typically expect a
+/dev/console to exist).
+
+With the new --console=autopipe mode we do something similar, but
+slightly different: when not invoked on a tty we'll use --console=pipe.
+This means, if you invoke some tool in a container with this you'll get
+full inetractivity if you invoke it on a tty but things will also be
+very nicely pipeable. OTOH you cannot invoke a full init system like
+this, because you might or might not become a /dev/console this way...
+
+Prompted-by: #17070
+
+(I named this "autopipe" rather than "auto" or so, since the default
+mode probably should be named "auto" one day if we add a name for it,
+and this is so similar to "auto" except that it uses pipes in the
+non-tty case).
+---
+ man/systemd-nspawn.xml | 21 ++++++++++++---------
+ src/nspawn/nspawn.c    | 12 +++++++++---
+ 2 files changed, 21 insertions(+), 12 deletions(-)
+
+diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
+index 69558ac85c..b2c2a5006c 100644
+--- a/man/systemd-nspawn.xml
++++ b/man/systemd-nspawn.xml
+@@ -1370,15 +1370,18 @@
+ 
+         <listitem><para>Configures how to set up standard input, output and error output for the container
+         payload, as well as the <filename>/dev/console</filename> device for the container. Takes one of
+-        <option>interactive</option>, <option>read-only</option>, <option>passive</option>, or
+-        <option>pipe</option>. If <option>interactive</option>, a pseudo-TTY is allocated and made available
+-        as <filename>/dev/console</filename> in the container. It is then bi-directionally connected to the
+-        standard input and output passed to <command>systemd-nspawn</command>. <option>read-only</option> is
+-        similar but only the output of the container is propagated and no input from the caller is read. If
+-        <option>passive</option>, a pseudo TTY is allocated, but it is not connected anywhere. Finally, in
+-        <option>pipe</option> mode no pseudo TTY is allocated, but the standard input, output and error
+-        output file descriptors passed to <command>systemd-nspawn</command> are passed on — as they are — to
+-        the container payload, see the following paragraph. Defaults to <option>interactive</option> if
++        <option>interactive</option>, <option>read-only</option>, <option>passive</option>,
++        <option>pipe</option> or <option>autopipe</option>. If <option>interactive</option>, a pseudo-TTY is
++        allocated and made available as <filename>/dev/console</filename> in the container. It is then
++        bi-directionally connected to the standard input and output passed to
++        <command>systemd-nspawn</command>. <option>read-only</option> is similar but only the output of the
++        container is propagated and no input from the caller is read. If <option>passive</option>, a pseudo
++        TTY is allocated, but it is not connected anywhere. In <option>pipe</option> mode no pseudo TTY is
++        allocated, but the standard input, output and error output file descriptors passed to
++        <command>systemd-nspawn</command> are passed on — as they are — to the container payload, see the
++        following paragraph. Finally, <option>autopipe</option> mode operates like
++        <option>interactive</option> when <command>systemd-nspawn</command> is invoked on a terminal, and
++        like <option>pipe</option> otherwise. Defaults to <option>interactive</option> if
+         <command>systemd-nspawn</command> is invoked from a terminal, and <option>read-only</option>
+         otherwise.</para>
+ 
+diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
+index 783147f122..8837371232 100644
+--- a/src/nspawn/nspawn.c
++++ b/src/nspawn/nspawn.c
+@@ -261,10 +261,11 @@ STATIC_DESTRUCTOR_REGISTER(arg_sysctl, strv_freep);
+ 
+ static int handle_arg_console(const char *arg) {
+         if (streq(arg, "help")) {
+-                puts("interactive\n"
+-                     "read-only\n"
++                puts("autopipe\n"
++                     "interactive\n"
+                      "passive\n"
+-                     "pipe");
++                     "pipe\n"
++                     "read-only");
+                 return 0;
+         }
+ 
+@@ -282,6 +283,11 @@ static int handle_arg_console(const char *arg) {
+                                  "Proceeding anyway.");
+ 
+                 arg_console_mode = CONSOLE_PIPE;
++        } else if (streq(arg, "autopipe")) {
++                if (isatty(STDIN_FILENO) > 0 && isatty(STDOUT_FILENO) > 0)
++                        arg_console_mode = CONSOLE_INTERACTIVE;
++                else
++                        arg_console_mode = CONSOLE_PIPE;
+         } else
+                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unknown console mode: %s", optarg);
+ 
+-- 
+2.26.2
+
diff --git a/SOURCES/20-grubby.install b/SOURCES/20-grubby.install
new file mode 100755
index 0000000..e059125
--- /dev/null
+++ b/SOURCES/20-grubby.install
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+if [[ ! -x /sbin/new-kernel-pkg ]]; then
+    exit 0
+fi
+
+COMMAND="$1"
+KERNEL_VERSION="$2"
+BOOT_DIR_ABS="$3"
+KERNEL_IMAGE="$4"
+
+KERNEL_DIR="${KERNEL_IMAGE%/*}"
+[[ "$KERNEL_VERSION" == *\+* ]] && flavor=-"${KERNEL_VERSION##*+}"
+case "$COMMAND" in
+    add)
+        if [[ "${KERNEL_DIR}" != "/boot" ]]; then
+            for i in \
+                "$KERNEL_IMAGE" \
+                    "$KERNEL_DIR"/System.map \
+                    "$KERNEL_DIR"/config \
+                    "$KERNEL_DIR"/zImage.stub \
+                    "$KERNEL_DIR"/dtb \
+                ; do
+                [[ -e "$i" ]] || continue
+                cp -aT "$i" "/boot/${i##*/}-${KERNEL_VERSION}"
+                command -v restorecon &>/dev/null && \
+                    restorecon -R "/boot/${i##*/}-${KERNEL_VERSION}"
+            done
+            # hmac is .vmlinuz-<version>.hmac so needs a special treatment
+            i="$KERNEL_DIR/.${KERNEL_IMAGE##*/}.hmac"
+            if [[ -e "$i" ]]; then
+                cp -a "$i" "/boot/.${KERNEL_IMAGE##*/}-${KERNEL_VERSION}.hmac"
+                command -v restorecon &>/dev/null && \
+                    restorecon "/boot/.${KERNEL_IMAGE##*/}-${KERNEL_VERSION}.hmac"
+            fi
+        fi
+        /sbin/new-kernel-pkg --package "kernel${flavor}" --install "$KERNEL_VERSION" || exit $?
+        /sbin/new-kernel-pkg --package "kernel${flavor}" --mkinitrd --dracut --depmod --update "$KERNEL_VERSION" || exit $?
+        /sbin/new-kernel-pkg --package "kernel${flavor}" --rpmposttrans "$KERNEL_VERSION" || exit $?
+        ;;
+    remove)
+        /sbin/new-kernel-pkg --package "kernel${flavor+-$flavor}" --rminitrd --rmmoddep --remove "$KERNEL_VERSION" || exit $?
+        ;;
+    *)
+        ;;
+esac
+
+# skip other installation plugins, if we can't find a boot loader spec conforming setup
+if ! [[ -d /boot/loader/entries || -L /boot/loader/entries ]]; then
+    exit 77
+fi
diff --git a/SOURCES/20-yama-ptrace.conf b/SOURCES/20-yama-ptrace.conf
new file mode 100644
index 0000000..4fbaf97
--- /dev/null
+++ b/SOURCES/20-yama-ptrace.conf
@@ -0,0 +1,42 @@
+# The ptrace system call is used for interprocess services,
+# communication and introspection (like synchronisation, signaling,
+# debugging, tracing and profiling) of processes.
+#
+# Usage of ptrace is restricted by normal user permissions. Normal
+# unprivileged processes cannot use ptrace on processes that they
+# cannot send signals to or processes that are running set-uid or
+# set-gid. Nevertheless, processes running under the same uid will
+# usually be able to ptrace one another.
+#
+# Fedora enables the Yama security mechanism which restricts ptrace
+# even further. Sysctl setting kernel.yama.ptrace_scope can have one
+# of the following values:
+#
+# 0 - Normal ptrace security permissions.
+# 1 - Restricted ptrace. Only child processes plus normal permissions.
+# 2 - Admin-only attach. Only executables with CAP_SYS_PTRACE.
+# 3 - No attach. No process may call ptrace at all. Irrevocable.
+#
+# For more information see Documentation/security/Yama.txt in the
+# kernel sources.
+#
+# The default is 1., which allows tracing of child processes, but
+# forbids tracing of arbitrary processes. This allows programs like
+# gdb or strace to work when the most common way of having the
+# debugger start the debuggee is used:
+#    gdb /path/to/program ...
+# Attaching to already running programs is NOT allowed:
+#    gdb -p ...
+# This default setting is suitable for the common case, because it
+# reduces the risk that one hacked process can be used to attack other
+# processes. (For example, a hacked firefox process in a user session
+# will not be able to ptrace the keyring process and extract passwords
+# stored only in memory.)
+#
+# Developers and administrators might want to disable those protections
+# to be able to attach debuggers to existing processes. Use
+#   sysctl kernel.yama.ptrace_scope=0
+# for change the setting temporarily, or copy this file to
+# /etc/sysctl.d/20-yama-ptrace.conf to set it for future boots.
+
+kernel.yama.ptrace_scope = 0
diff --git a/SOURCES/FB--Add-FusionIO-device--dev-fio-persistante-storage-udev-rule.patch b/SOURCES/FB--Add-FusionIO-device--dev-fio-persistante-storage-udev-rule.patch
new file mode 100644
index 0000000..3bfe4ef
--- /dev/null
+++ b/SOURCES/FB--Add-FusionIO-device--dev-fio-persistante-storage-udev-rule.patch
@@ -0,0 +1,13 @@
+diff --git a/rules.d/60-persistent-storage.rules b/rules.d/60-persistent-storage.rules
+index 1d8880e..46ea568 100644
+--- a/rules.d/60-persistent-storage.rules
++++ b/rules.d/60-persistent-storage.rules
+@@ -7,7 +7,7 @@ ACTION=="remove", GOTO="persistent_storage_end"
+ ENV{UDEV_DISABLE_PERSISTENT_STORAGE_RULES_FLAG}=="1", GOTO="persistent_storage_end"
+ 
+ SUBSYSTEM!="block", GOTO="persistent_storage_end"
+-KERNEL!="loop*|mmcblk*[0-9]|msblk*[0-9]|mspblk*[0-9]|nvme*|sd*|sr*|vd*|xvd*|bcache*|cciss*|dasd*|ubd*|ubi*|scm*|pmem*|nbd*|zd*", GOTO="persistent_storage_end"
++KERNEL!="loop*|mmcblk*[0-9]|msblk*[0-9]|mspblk*[0-9]|fio*|nvme*|sd*|sr*|vd*|xvd*|bcache*|cciss*|dasd*|ubd*|ubi*|scm*|pmem*|nbd*|zd*", GOTO="persistent_storage_end"
+ 
+ # ignore partitions that span the entire disk
+ TEST=="whole_disk", GOTO="persistent_storage_end"
diff --git a/SOURCES/macros.sysusers b/SOURCES/macros.sysusers
new file mode 100644
index 0000000..d8d8c1d
--- /dev/null
+++ b/SOURCES/macros.sysusers
@@ -0,0 +1,10 @@
+# RPM macros for packages creating system accounts
+#
+# Turn a sysusers.d file into macros specified by
+# https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_dynamic_allocation
+
+%sysusers_requires_compat Requires(pre): shadow-utils
+
+%sysusers_create_compat() \
+%(%{_rpmconfigdir}/sysusers.generate-pre.sh %{?*}) \
+%{nil}
diff --git a/SOURCES/purge-nobody-user b/SOURCES/purge-nobody-user
new file mode 100755
index 0000000..66404fe
--- /dev/null
+++ b/SOURCES/purge-nobody-user
@@ -0,0 +1,101 @@
+#!/bin/bash -eu
+
+if [ $UID -ne 0 ]; then
+    echo "WARNING: This script needs to run as root to be effective"
+    exit 1
+fi
+
+export SYSTEMD_NSS_BYPASS_SYNTHETIC=1
+
+if [ "${1:-}" = "--ignore-journal" ]; then
+    shift
+    ignore_journal=1
+else
+    ignore_journal=0
+fi
+
+echo "Checking processes..."
+if ps h -u 99 | grep .; then
+    echo "ERROR: ps reports processes with UID 99!"
+    exit 2
+fi
+echo "... not found"
+
+echo "Checking UTMP..."
+if w -h 199 | grep . ; then
+    echo "ERROR: w reports UID 99 as active!"
+    exit 2
+fi
+if w -h nobody | grep . ; then
+    echo "ERROR: w reports user nobody as active!"
+    exit 2
+fi
+echo "... not found"
+
+echo "Checking the journal..."
+if [ "$ignore_journal" = 0 ] && journalctl -q -b -n10 _UID=99 | grep . ; then
+    echo "ERROR: journalctl reports messages from UID 99 in current boot!"
+    exit 2
+fi
+echo "... not found"
+
+echo "Looking for files in /etc, /run, /tmp, and /var..."
+if find /etc /run /tmp /var -uid 99 -print | grep -m 10 . ; then
+    echo "ERROR: found files belonging to UID 99"
+    exit 2
+fi
+echo "... not found"
+
+echo "Checking if nobody is defined correctly..."
+if getent passwd nobody |
+	grep '^nobody:[x*]:65534:65534:.*:/:/sbin/nologin';
+then
+    echo "OK, nothing to do."
+    exit 0
+else
+    echo "NOTICE: User nobody is not defined correctly"
+fi
+
+echo "Checking if nfsnobody or something else is using the uid..."
+if getent passwd 65534 | grep . ; then
+    echo "NOTICE: will have to remove this user"
+else
+    echo "... not found"
+fi
+
+if [ "${1:-}" = "-x" ]; then
+    if getent passwd nobody >/dev/null; then
+	# this will remove both the user and the group.
+	( set -x
+   	  userdel nobody
+	)
+    fi
+
+    if getent passwd 65534 >/dev/null; then
+	# Make sure the uid is unused. This should free gid too.
+	name="$(getent passwd 65534 | cut -d: -f1)"
+	( set -x
+	  userdel "$name"
+	)
+    fi
+
+    if grep -qE '^(passwd|group):.*\bsss\b' /etc/nsswitch.conf; then
+	echo "Sleeping, so sss can catch up"
+	sleep 3
+    fi
+
+    if getent group 65534; then
+	# Make sure the gid is unused, even if uid wasn't.
+	name="$(getent group 65534 | cut -d: -f1)"
+	( set -x
+	  groupdel "$name"
+	)
+    fi
+
+    # systemd-sysusers uses the same gid and uid
+    ( set -x
+      systemd-sysusers --inline 'u nobody 65534 "Kernel Overflow User" / /sbin/nologin'
+    )
+else
+    echo "Pass '-x' to perform changes"
+fi
diff --git a/SOURCES/split-files.py b/SOURCES/split-files.py
new file mode 100644
index 0000000..f3e3aa6
--- /dev/null
+++ b/SOURCES/split-files.py
@@ -0,0 +1,128 @@
+import re, sys, os, collections
+
+buildroot = sys.argv[1]
+known_files = sys.stdin.read().splitlines()
+known_files = {line.split()[-1]:line for line in known_files}
+
+def files(root):
+    os.chdir(root)
+    todo = collections.deque(['.'])
+    while todo:
+        n = todo.pop()
+        files = os.scandir(n)
+        for file in files:
+            yield file
+            if file.is_dir() and not file.is_symlink():
+                todo.append(file)
+
+o_libs = open('.file-list-libs', 'w')
+o_udev = open('.file-list-udev', 'w')
+o_pam = open('.file-list-pam', 'w')
+o_rpm_macros = open('.file-list-rpm-macros', 'w')
+o_devel = open('.file-list-devel', 'w')
+o_container = open('.file-list-container', 'w')
+o_remote = open('.file-list-remote', 'w')
+o_tests = open('.file-list-tests', 'w')
+o_rest = open('.file-list-rest', 'w')
+for file in files(buildroot):
+    n = file.path[1:]
+    if re.match(r'''/usr/(share|include)$|
+                    /usr/share/man(/man.|)$|
+                    /usr/share/zsh(/site-functions|)$|
+                    /usr/share/dbus-1$|
+                    /usr/share/dbus-1/system.d$|
+                    /usr/share/dbus-1/(system-|)services$|
+                    /usr/share/polkit-1(/actions|/rules.d|)$|
+                    /usr/share/pkgconfig$|
+                    /usr/share/bash-completion(/completions|)$|
+                    /usr(/lib|/lib64|/bin|/sbin|)$|
+                    /usr/lib.*/(security|pkgconfig)$|
+                    /usr/lib/rpm(/macros.d|)$|
+                    /usr/lib/firewalld(/services|)$|
+                    /usr/share/(locale|licenses|doc)|             # no $
+                    /etc(/pam\.d|/xdg|/X11|/X11/xinit|/X11.*\.d|)$|
+                    /etc/(dnf|dnf/protected.d)$|
+                    /usr/(src|lib/debug)|                         # no $
+                    /run$|
+                    /var(/cache|/log|/lib|/run|)$
+    ''', n, re.X):
+        continue
+    if '/security/pam_' in n or '/man8/pam_' in n:
+        o = o_pam
+    elif '/rpm/' in n:
+        o = o_rpm_macros
+    elif re.search(r'/lib.*\.pc|/man3/|/usr/include|(?<!/libsystemd-shared-...).so$', n):
+        o = o_devel
+    elif '/usr/lib/systemd/tests' in n:
+        o = o_tests
+    elif re.search(r'''journal-(remote|gateway|upload)|
+                       systemd-remote\.conf|
+                       /usr/share/systemd/gatewayd|
+                       /var/log/journal/remote
+    ''', n, re.X):
+        o = o_remote
+    elif re.search(r'''mymachines|
+                       machinectl|
+                       systemd-nspawn|
+                       import-pubring.gpg|
+                       systemd-(machined|import|pull)|
+                       /machine.slice|
+                       /machines.target|
+                       var-lib-machines.mount|
+                       network/80-container-v[ez]|
+                       org.freedesktop.(import|machine)1
+    ''', n, re.X):
+        o = o_container
+    elif '.so.' in n:
+        o = o_libs
+    elif re.search(r'''udev(?!\.pc)|
+                       hwdb|
+                       bootctl|
+                       sd-boot|systemd-boot\.|loader.conf|
+                       bless-boot|
+                       boot-system-token|
+                       kernel-install|
+                       vconsole|
+                       backlight|
+                       rfkill|
+                       random-seed|
+                       modules-load|
+                       timesync|
+                       cryptsetup|
+                       kmod|
+                       quota|
+                       pstore|
+                       sleep|suspend|hibernate|
+                       systemd-tmpfiles-setup-dev|
+                       network/99-default.link|
+                       growfs|makefs|makeswap|mkswap|
+                       fsck|
+                       repart|
+                       gpt-auto|
+                       volatile-root|
+                       verity-setup|
+                       remount-fs|
+                       /boot$|
+                       /boot/efi|
+                       /kernel/|
+                       /kernel$|
+                       /modprobe.d
+    ''', n, re.X):
+        o = o_udev
+    else:
+        o = o_rest
+
+    if n in known_files:
+        prefix = ' '.join(known_files[n].split()[:-1])
+        if prefix:
+            prefix += ' '
+    elif file.is_dir() and not file.is_symlink():
+        prefix = '%dir '
+    elif n.startswith('/etc'):
+        prefix = '%config(noreplace) '
+    else:
+        prefix = ''
+
+    suffix = '*' if '/man/' in n else ''
+
+    print(f'{prefix}{n}{suffix}', file=o)
diff --git a/SOURCES/systemd-journal-gatewayd.xml b/SOURCES/systemd-journal-gatewayd.xml
new file mode 100644
index 0000000..a1b400c
--- /dev/null
+++ b/SOURCES/systemd-journal-gatewayd.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+  <short>systemd-journal-gatewayd</short>
+  <description>Journal Gateway Service</description>
+  <port protocol="tcp" port="19531"/>
+</service>
diff --git a/SOURCES/systemd-journal-remote.xml b/SOURCES/systemd-journal-remote.xml
new file mode 100644
index 0000000..e115a12
--- /dev/null
+++ b/SOURCES/systemd-journal-remote.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+  <short>systemd-journal-remote</short>
+  <description>Journal Remote Sink</description>
+  <port protocol="tcp" port="19532"/>
+</service>
diff --git a/SOURCES/systemd-udev-trigger-no-reload.conf b/SOURCES/systemd-udev-trigger-no-reload.conf
new file mode 100644
index 0000000..c879427
--- /dev/null
+++ b/SOURCES/systemd-udev-trigger-no-reload.conf
@@ -0,0 +1,3 @@
+[Unit]
+# https://bugzilla.redhat.com/show_bug.cgi?id=1378974#c17
+RefuseManualStop=true
diff --git a/SOURCES/systemd-user b/SOURCES/systemd-user
new file mode 100644
index 0000000..2725df9
--- /dev/null
+++ b/SOURCES/systemd-user
@@ -0,0 +1,10 @@
+# This file is part of systemd.
+#
+# Used by systemd --user instances.
+
+account  include system-auth
+
+session  required pam_selinux.so close
+session  required pam_selinux.so nottys open
+session  required pam_loginuid.so
+session  include system-auth
diff --git a/SOURCES/sysusers.attr b/SOURCES/sysusers.attr
new file mode 100644
index 0000000..367c137
--- /dev/null
+++ b/SOURCES/sysusers.attr
@@ -0,0 +1,2 @@
+%__sysusers_provides	%{_rpmconfigdir}/sysusers.prov
+%__sysusers_path	^%{_sysusersdir}/.*\\.conf$
diff --git a/SOURCES/sysusers.generate-pre.sh b/SOURCES/sysusers.generate-pre.sh
new file mode 100755
index 0000000..6c481c3
--- /dev/null
+++ b/SOURCES/sysusers.generate-pre.sh
@@ -0,0 +1,79 @@
+#!/bin/bash
+
+# This script turns sysuser.d files into scriptlets mandated by Fedora
+# packaging guidelines. The general idea is to define users using the
+# declarative syntax but to turn this into traditional scriptlets.
+
+user() {
+    user="$1"
+    uid="$2"
+    desc="$3"
+    group="$4"
+    home="$5"
+    shell="$6"
+
+[ "$desc" = '-' ] && desc=
+[ "$home" = '-' -o "$home" = '' ] && home=/
+[ "$shell" = '-' -o "$shell" = '' ] && shell=/sbin/nologin
+
+if [ "$uid" = '-' -o "$uid" = '' ]; then
+    cat <<EOF
+getent passwd '$user' >/dev/null || \\
+    useradd -r -g '$group' -d '$home' -s '$shell' -c '$desc' '$user'
+EOF
+else
+    cat <<EOF
+if ! getent passwd '$user' >/dev/null ; then
+    if ! getent passwd '$uid' >/dev/null ; then
+        useradd -r -u '$uid' -g '$group' -d '$home' -s /sbin/nologin -c '$desc' '$user'
+    else
+        useradd -r -g '$group' -d '$home' -s /sbin/nologin -c '$desc' '$user'
+    fi
+fi
+
+EOF
+fi
+}
+
+group() {
+    group="$1"
+    gid="$2"
+if [ "$gid" = '-' ]; then
+    cat <<EOF
+getent group '$group' >/dev/null || groupadd -r '$group'
+EOF
+else
+    cat <<EOF
+getent group '$group' >/dev/null || groupadd -f -g '$gid' -r '$group'
+EOF
+fi
+}
+
+parse() {
+    while read line || [ "$line" ]; do
+        [ "${line:0:1}" = '#' -o "${line:0:1}" = ';' ] && continue
+        line="${line## *}"
+        [ -z "$line" ] && continue
+        eval arr=( $line )
+        case "${arr[0]}" in
+            ('u')
+                group "${arr[1]}" "${arr[2]}"
+                user "${arr[1]}" "${arr[2]}" "${arr[3]}" "${arr[1]}" "${arr[4]}" "${arr[5]}"
+                # TODO: user:group support
+                ;;
+            ('g')
+                group "${arr[1]}" "${arr[2]}"
+                ;;
+            ('m')
+                group "${arr[2]}" "-"
+                user "${arr[1]}" "-" "" "${arr[2]}"
+                ;;
+        esac
+    done
+}
+
+for fn in "$@"; do
+    [ -e "$fn" ] || continue
+    echo "# generated from $(basename $fn)"
+    parse < "$fn"
+done
diff --git a/SOURCES/sysusers.prov b/SOURCES/sysusers.prov
new file mode 100755
index 0000000..a6eda5d
--- /dev/null
+++ b/SOURCES/sysusers.prov
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+parse() {
+    while read line; do
+        [ "${line:0:1}" = '#' -o "${line:0:1}" = ';' ] && continue
+        line="${line## *}"
+        [ -z "$line" ] && continue
+        set -- $line
+        case "$1" in
+            ('u')
+                echo "user($2)"
+                echo "group($2)"
+                # TODO: user:group support
+                ;;
+            ('g')
+                echo "group($2)"
+                ;;
+            ('m')
+                echo "user($2)"
+                echo "group($3)"
+                ;;
+        esac
+    done
+}
+
+while read fn; do
+    parse < "$fn"
+done
diff --git a/SOURCES/triggers.systemd b/SOURCES/triggers.systemd
new file mode 100644
index 0000000..7a7e792
--- /dev/null
+++ b/SOURCES/triggers.systemd
@@ -0,0 +1,111 @@
+#  -*- Mode: rpm-spec; indent-tabs-mode: nil -*- */
+#  SPDX-License-Identifier: LGPL-2.1+
+#
+#  This file is part of systemd.
+#
+#  Copyright 2015 Zbigniew Jędrzejewski-Szmek
+#  Copyright 2018 Neal Gompa
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+#
+#  systemd is distributed in the hope that it will be useful, but
+#  WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+#  Lesser General Public License for more details.
+#
+#  You should have received a copy of the GNU Lesser General Public License
+#  along with systemd; If not, see <http://www.gnu.org/licenses/>.
+
+# The contents of this are an example to be copied into systemd.spec.
+#
+# Minimum rpm version supported: 4.13.0
+
+%transfiletriggerin -P 900900 -- /usr/lib/systemd/system /etc/systemd/system
+# This script will run after any package is initially installed or
+# upgraded. We care about the case where a package is initially
+# installed, because other cases are covered by the *un scriptlets,
+# so sometimes we will reload needlessly.
+if test -d /run/systemd/system; then
+  %{_bindir}/systemctl daemon-reload
+fi
+
+%transfiletriggerun -- /usr/lib/systemd/system /etc/systemd/system
+# On removal, we need to run daemon-reload after any units have been
+# removed. %transfiletriggerpostun would be ideal, but it does not get
+# executed for some reason.
+# On upgrade, we need to run daemon-reload after any new unit files
+# have been installed, but before %postun scripts in packages get
+# executed. %transfiletriggerun gets the right list of files
+# but it is invoked too early (before changes happen).
+# %filetriggerpostun happens at the right time, but it fires for
+# every package.
+# To execute the reload at the right time, we create a state
+# file in %transfiletriggerun and execute the daemon-reload in
+# the first %filetriggerpostun.
+
+if test -d "/run/systemd/system"; then
+    mkdir -p "%{_localstatedir}/lib/rpm-state/systemd"
+    touch "%{_localstatedir}/lib/rpm-state/systemd/needs-reload"
+fi
+
+%filetriggerpostun -P 1000100 -- /usr/lib/systemd/system /etc/systemd/system
+if test -f "%{_localstatedir}/lib/rpm-state/systemd/needs-reload"; then
+    rm -rf "%{_localstatedir}/lib/rpm-state/systemd"
+    %{_bindir}/systemctl daemon-reload
+fi
+
+%transfiletriggerin -P 100700 -- /usr/lib/sysusers.d
+# This script will process files installed in /usr/lib/sysusers.d to create
+# specified users automatically. The priority is set such that it
+# will run before the tmpfiles file trigger.
+if test -d /run/systemd/system; then
+  %{_bindir}/systemd-sysusers || :
+fi
+
+%transfiletriggerin -P 100500 -- /usr/lib/tmpfiles.d
+# This script will process files installed in /usr/lib/tmpfiles.d to create
+# tmpfiles automatically. The priority is set such that it will run
+# after the sysusers file trigger, but before any other triggers.
+if test -d /run/systemd/system; then
+  %{_bindir}/systemd-tmpfiles --create || :
+fi
+
+%transfiletriggerin udev -- /usr/lib/udev/hwdb.d
+# This script will automatically invoke hwdb update if files have been
+# installed or updated in /usr/lib/udev/hwdb.d.
+if test -d /run/systemd/system; then
+  %{_bindir}/systemd-hwdb update || :
+fi
+
+%transfiletriggerin -- /usr/lib/systemd/catalog
+# This script will automatically invoke journal catalog update if files
+# have been installed or updated in /usr/lib/systemd/catalog.
+if test -d /run/systemd/system; then
+  %{_bindir}/journalctl --update-catalog || :
+fi
+
+%transfiletriggerin udev -- /usr/lib/udev/rules.d
+# This script will automatically update udev with new rules if files
+# have been installed or updated in /usr/lib/udev/rules.d.
+if test -e /run/udev/control; then
+  %{_bindir}/udevadm control --reload || :
+fi
+
+%transfiletriggerin -- /usr/lib/sysctl.d
+# This script will automatically apply sysctl rules if files have been
+# installed or updated in /usr/lib/sysctl.d.
+if test -d /run/systemd/system; then
+  /usr/lib/systemd/systemd-sysctl || :
+fi
+
+%transfiletriggerin -- /usr/lib/binfmt.d
+# This script will automatically apply binfmt rules if files have been
+# installed or updated in /usr/lib/binfmt.d.
+if test -d /run/systemd/system; then
+  # systemd-binfmt might fail if binfmt_misc kernel module is not loaded
+  # during install
+  /usr/lib/systemd/systemd-binfmt || :
+fi
diff --git a/SOURCES/yum-protect-systemd.conf b/SOURCES/yum-protect-systemd.conf
new file mode 100644
index 0000000..39426d7
--- /dev/null
+++ b/SOURCES/yum-protect-systemd.conf
@@ -0,0 +1,2 @@
+systemd
+systemd-udev
diff --git a/SPECS/systemd.spec b/SPECS/systemd.spec
new file mode 100644
index 0000000..cc0805b
--- /dev/null
+++ b/SPECS/systemd.spec
@@ -0,0 +1,3138 @@
+# Meson settings
+%global _vpath_srcdir .
+%global _vpath_builddir %{_target_platform}
+%global __global_cflags  %{optflags}
+%global __global_cxxflags  %{optflags}
+%global __global_fflags  %{optflags} -I%_fmoddir
+%global __global_fcflags %{optflags} -I%_fmoddir
+%global __global_ldflags -Wl,-z,relro %{_hardened_ldflags}
+
+%define _python_bytecompile_errors_terminate_build 0
+
+#global commit 7f56c26d1041e686efa72b339250a98fb6ee8f00
+%{?commit:%global shortcommit %(c=%{commit}; echo ${c:0:7})}
+
+%global stable 1
+
+# We ship a .pc file but don't want to have a dep on pkg-config. We
+# strip the automatically generated dep here and instead co-own the
+# directory.
+%global __requires_exclude pkg-config
+
+%global pkgdir %{_prefix}/lib/systemd
+%global system_unit_dir %{pkgdir}/system
+%global user_unit_dir %{pkgdir}/user
+
+%if 0%{?facebook}
+%if 0%{?el7}
+### The version of meson and redhat-rpm-config is not in sync in C7.
+### Copied from the 'redhat-rpm-config-123-1' version of /usr/lib/rpm/redhat/macros
+### to support the building of systemd via meson that uses the
+### set_build_flags macro.
+%global _ld_symbols_flags              %{?_strict_symbol_defs_build:-Wl,-z,defs}
+
+#==============================================================================
+# ---- compiler flags.
+
+# C compiler flags.  This is traditionally called CFLAGS in makefiles.
+# Historically also available as %%{optflags}, and %%build sets the
+# environment variable RPM_OPT_FLAGS to this value.
+%global build_cflags %{optflags}
+
+# C++ compiler flags.  This is traditionally called CXXFLAGS in makefiles.
+%global build_cxxflags %{optflags}
+
+# Fortran compiler flags.  Makefiles use both FFLAGS and FCFLAGS as
+# the corresponding variable names.
+%global build_fflags %{optflags} -I%{_fmoddir}
+
+# Link editor flags.  This is usually called LDFLAGS in makefiles.
+# (Some makefiles use LFLAGS instead.)  The default value assumes that
+# the flags, while intended for ld, are still passed through the gcc
+# compiler driver.  At the beginning of %%build, the environment
+# variable RPM_LD_FLAGS to this value.
+%global build_ldflags -Wl,-z,relro %{_ld_symbols_flags} %{_hardened_ldflags}
+
+# Expands to shell code to seot the compiler/linker environment
+# variables CFLAGS, CXXFLAGS, FFLAGS, FCFLAGS, LDFLAGS if they have
+# not been set already.  RPM_OPT_FLAGS and RPM_LD_FLAGS have already
+# been set implicitly at the start of the %%build section.
+%global set_build_flags \
+  CFLAGS="${CFLAGS:-%{build_cflags}}" ; export CFLAGS ; \
+  CXXFLAGS="${CXXFLAGS:-%{build_cxxflags}}" ; export CXXFLAGS ; \
+  FFLAGS="${FFLAGS:-%{build_fflags}}" ; export FFLAGS ; \
+  FCFLAGS="${FCFLAGS:-%{build_fflags}}" ; export FCFLAGS ; \
+  LDFLAGS="${LDFLAGS:-%{build_ldflags}}" ; export LDFLAGS;
+
+### Copied from the rpm-4.14.2-36 version of /usr/lib/rpm/platform/x86_64-linux/macros
+### to support the building of systemd via meson that uses the
+### _smp_build_ncpus macro
+%global _smp_build_ncpus %([ -z "$RPM_BUILD_NCPUS" ] \\\
+	&& RPM_BUILD_NCPUS="`/usr/bin/getconf _NPROCESSORS_ONLN`"; \\\
+        ncpus_max=%{?_smp_ncpus_max}; \\\
+        if [ -n "$ncpus_max" ] && [ "$ncpus_max" -gt 0 ] && [ "$RPM_BUILD_NCPUS" -gt "$ncpus_max" ]; then RPM_BUILD_NCPUS="$ncpus_max"; fi; \\\
+        echo "$RPM_BUILD_NCPUS";)
+
+%global _smp_mflags -j%{_smp_build_ncpus}
+%endif
+%endif
+
+# Bootstrap may be needed to break intercircular dependencies with
+# cryptsetup, e.g. when re-building cryptsetup on a json-c SONAME-bump.
+%bcond_with    bootstrap
+%bcond_without tests
+
+Name:           systemd
+Url:            https://www.freedesktop.org/wiki/Software/systemd
+Version:        246.1
+Release:        1.fb6
+# For a breakdown of the licensing, see README
+License:        LGPLv2+ and MIT and GPLv2+
+Summary:        System and Service Manager
+
+%global github_version %(c=%{version}; echo ${c}|tr '~' '-')
+
+# download tarballs with "spectool -g systemd.spec"
+%if %{defined commit}
+Source0:        https://github.com/systemd/systemd%{?stable:-stable}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
+%else
+%if 0%{?stable}
+Source0:        https://github.com/systemd/systemd-stable/archive/v%{github_version}/%{name}-%{github_version}.tar.gz
+%else
+Source0:        https://github.com/systemd/systemd/archive/v%{github_version}/%{name}-%{github_version}.tar.gz
+%endif
+%endif
+# This file must be available before %%prep.
+# It is generated during systemd build and can be found in build/src/core/.
+Source1:        triggers.systemd
+Source2:        split-files.py
+Source3:        purge-nobody-user
+
+# Prevent accidental removal of the systemd package
+Source4:        yum-protect-systemd.conf
+
+Source9:        20-yama-ptrace.conf
+Source10:       systemd-udev-trigger-no-reload.conf
+Source11:       20-grubby.install
+Source12:       systemd-user
+
+Source21:       macros.sysusers
+Source22:       sysusers.attr
+Source23:       sysusers.prov
+Source24:       sysusers.generate-pre.sh
+
+%if 0
+GIT_DIR=../../src/systemd/.git git format-patch-ab --no-signature -M -N v235..v235-stable
+i=1; for j in 00*patch; do printf "Patch%04d:      %s\n" $i $j; i=$((i+1));done|xclip
+GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[67]* hwdb/parse_hwdb.py > hwdb.patch
+%endif
+
+Patch0002:      0001-Revert-test-path-increase-timeout.patch
+Patch0003:      0002-test-path-do-not-fail-the-test-if-we-fail-to-start-s.patch
+
+Patch0004:      0001-test-acl-util-output-more-debug-info.patch
+Patch0005:      0001-Do-not-assert-in-test_add_acls_for_user.patch
+
+Patch1001:      FB--Add-FusionIO-device--dev-fio-persistante-storage-udev-rule.patch
+
+Patch1002:      16838_16857_improve_path_search.patch
+Patch1003:      16940_cleanup_socket_econn_handling.patch
+Patch1004:      17031_propagate_start_limit_hit.patch
+Patch1005:      17082_nspawn_tty_tweaks.patch
+
+Patch1006:      0001-bpf-pid1-Pin-reference-to-BPF-programs-for-post-cold.patch
+Patch1007:      0002-core-clean-up-inactive-failed-service-scope-s-cgroup.patch
+Patch1008:      0003-timer-add-new-feature-FixedRandomDelay.patch
+
+Patch1009:      16803_fix_asserts_conditions.patch
+
+%ifarch %{ix86} x86_64 aarch64
+%global have_gnu_efi 1
+%endif
+
+BuildRequires:  gcc
+BuildRequires:  gcc-c++
+BuildRequires:  coreutils
+BuildRequires:  libcap-devel
+BuildRequires:  libmount-devel
+BuildRequires:  libfdisk-devel
+BuildRequires:  libpwquality-devel
+BuildRequires:  pam-devel
+BuildRequires:  libselinux-devel
+BuildRequires:  audit-libs-devel
+%if %{without bootstrap}
+BuildRequires:  cryptsetup-devel
+%endif
+BuildRequires:  dbus-devel
+# /usr/bin/getfacl is needed by test-acl-util
+BuildRequires:  acl
+BuildRequires:  libacl-devel
+BuildRequires:  gobject-introspection-devel
+BuildRequires:  libblkid-devel
+BuildRequires:  xz-devel
+BuildRequires:  xz
+BuildRequires:  lz4-devel
+BuildRequires:  lz4
+BuildRequires:  bzip2-devel
+BuildRequires:  libzstd-devel
+BuildRequires:  libidn2-devel
+BuildRequires:  libcurl-devel
+BuildRequires:  kmod-devel
+BuildRequires:  elfutils-devel
+BuildRequires:  openssl-devel
+BuildRequires:  libgcrypt-devel
+BuildRequires:  libgpg-error-devel
+BuildRequires:  gnutls-devel
+BuildRequires:  qrencode-devel
+BuildRequires:  libmicrohttpd-devel
+BuildRequires:  libxkbcommon-devel
+BuildRequires:  iptables-devel
+BuildRequires:  libxslt
+BuildRequires:  docbook-style-xsl
+BuildRequires:  pkgconfig
+BuildRequires:  gperf
+BuildRequires:  gawk
+BuildRequires:  tree
+BuildRequires:  hostname
+%if 0%{?el7}
+BuildRequires:  python34-devel
+BuildRequires:  python34-lxml
+%else
+BuildRequires:  python3-devel
+BuildRequires:  python3-lxml
+%endif
+BuildRequires:  python3
+%global __python3 /usr/bin/python3
+%if 0%{?have_gnu_efi}
+BuildRequires:  gnu-efi gnu-efi-devel
+%endif
+BuildRequires:  libseccomp-devel
+BuildRequires:  meson >= 0.43
+BuildRequires:  gettext
+# We use RUNNING_ON_VALGRIND in tests, so the headers need to be available
+BuildRequires:  valgrind-devel
+BuildRequires:  pkgconfig(bash-completion)
+
+Requires(post): coreutils
+Requires(post): sed
+Requires(post): acl
+Requires(post): grep
+# systemd-machine-id-setup requires libssl
+Requires(post): openssl-libs
+Requires(pre):  coreutils
+Requires(pre):  /usr/bin/getent
+Requires(pre):  /usr/sbin/groupadd
+Requires:       dbus >= 1.9.18
+Requires:       %{name}-pam = %{version}-%{release}
+Requires:       %{name}-rpm-macros = %{version}-%{release}
+Requires:       %{name}-libs = %{version}-%{release}
+Recommends:     diffutils
+Requires:       util-linux
+Recommends:     libxkbcommon%{?_isa}
+Provides:       /bin/systemctl
+Provides:       /sbin/shutdown
+Provides:       syslog
+Provides:       systemd-units = %{version}-%{release}
+Obsoletes:      system-setup-keyboard < 0.9
+Provides:       system-setup-keyboard = 0.9
+# systemd-sysv-convert was removed in f20: https://fedorahosted.org/fpc/ticket/308
+Obsoletes:      systemd-sysv < 206
+# self-obsoletes so that dnf will install new subpackages on upgrade (#1260394)
+Obsoletes:      %{name} < 229-5
+Provides:       systemd-sysv = 206
+%if 0%{?fedora}
+Conflicts:      fedora-release < 23-0.12
+%endif
+Obsoletes:      timedatex < 0.6-3
+Provides:       timedatex = 0.6-3
+
+%description
+systemd is a system and service manager that runs as PID 1 and starts
+the rest of the system. It provides aggressive parallelization
+capabilities, uses socket and D-Bus activation for starting services,
+offers on-demand starting of daemons, keeps track of processes using
+Linux control groups, maintains mount and automount points, and
+implements an elaborate transactional dependency-based service control
+logic. systemd supports SysV and LSB init scripts and works as a
+replacement for sysvinit. Other parts of this package are a logging daemon,
+utilities to control basic system configuration like the hostname,
+date, locale, maintain a list of logged-in users, system accounts,
+runtime directories and settings, and daemons to manage simple network
+configuration, network time synchronization, log forwarding, and name
+resolution.
+%if 0%{?stable}
+This package was built from the %{version}-stable branch of systemd.
+%endif
+
+%package libs
+Summary:        systemd libraries
+License:        LGPLv2+ and MIT
+Obsoletes:      libudev < 183
+Obsoletes:      systemd < 185-4
+Conflicts:      systemd < 185-4
+Obsoletes:      systemd-compat-libs < 230
+Obsoletes:      nss-myhostname < 0.4
+Provides:       nss-myhostname = 0.4
+Provides:       nss-myhostname%{_isa} = 0.4
+Requires(post): coreutils
+Requires(post): sed
+Requires(post): grep
+Requires(post): /usr/bin/getent
+
+%description libs
+Libraries for systemd and udev.
+
+%package pam
+Summary:        systemd PAM module
+Requires:       %{name} = %{version}-%{release}
+
+%description pam
+Systemd PAM module registers the session with systemd-logind.
+
+%package rpm-macros
+Summary:        Macros that define paths and scriptlets related to systemd
+BuildArch:      noarch
+
+%description rpm-macros
+Just the definitions of rpm macros.
+
+See
+https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd
+for information how to use those macros.
+
+%package devel
+Summary:        Development headers for systemd
+License:        LGPLv2+ and MIT
+Requires:       %{name}-libs%{?_isa} = %{version}-%{release}
+Provides:       libudev-devel = %{version}
+Provides:       libudev-devel%{_isa} = %{version}
+Obsoletes:      libudev-devel < 183
+# Fake dependency to make sure systemd-pam is pulled into multilib (#1414153)
+Requires:       %{name}-pam = %{version}-%{release}
+
+%description devel
+Development headers and auxiliary files for developing applications linking
+to libudev or libsystemd.
+
+%package udev
+Summary: Rule-based device node and kernel event manager
+License:        LGPLv2+
+
+Requires:       systemd%{?_isa} = %{version}-%{release}
+Requires(post):   systemd
+Requires(preun):  systemd
+Requires(postun): systemd
+Requires(post): grep
+Requires:       kmod >= 18-4
+%if 0%{?facebook}
+# obsolete parent package so that dnf will install new subpackage on upgrade (#1260394)
+Obsoletes:      %{name} < 229-5
+%else
+# https://bodhi.fedoraproject.org/updates/FEDORA-2020-dd43dd05b1
+Obsoletes:      systemd < 245.6-1
+%endif
+Provides:       udev = %{version}
+Provides:       udev%{_isa} = %{version}
+Obsoletes:      udev < 183
+# https://bugzilla.redhat.com/show_bug.cgi?id=1377733#c9
+Suggests:       systemd-bootchart
+# https://bugzilla.redhat.com/show_bug.cgi?id=1408878
+Requires:       kbd
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=1753381
+Provides:       u2f-hidraw-policy = 1.0.2-40
+Obsoletes:      u2f-hidraw-policy < 1.0.2-40
+
+%description udev
+This package contains systemd-udev and the rules and hardware database
+needed to manage device nodes. This package is necessary on physical
+machines and in virtual machines, but not in containers.
+
+%package container
+# Name is the same as in Debian
+Summary: Tools for containers and VMs
+Requires:       %{name}%{?_isa} = %{version}-%{release}
+Requires(post):   systemd
+Requires(preun):  systemd
+Requires(postun): systemd
+# obsolete parent package so that dnf will install new subpackage on upgrade (#1260394)
+Obsoletes:      %{name} < 229-5
+License:        LGPLv2+
+
+%description container
+Systemd tools to spawn and manage containers and virtual machines.
+
+This package contains systemd-nspawn, machinectl, systemd-machined,
+and systemd-importd.
+
+%package journal-remote
+# Name is the same as in Debian
+Summary:        Tools to send journal events over the network
+Requires:       %{name}%{?_isa} = %{version}-%{release}
+License:        LGPLv2+
+Requires(pre):    /usr/bin/getent
+Requires(post):   systemd
+Requires(preun):  systemd
+Requires(postun): systemd
+Provides:       %{name}-journal-gateway = %{version}-%{release}
+Provides:       %{name}-journal-gateway%{_isa} = %{version}-%{release}
+Obsoletes:      %{name}-journal-gateway < 227-7
+
+%description journal-remote
+Programs to forward journal entries over the network, using encrypted HTTP,
+and to write journal files from serialized journal contents.
+
+This package contains systemd-journal-gatewayd,
+systemd-journal-remote, and systemd-journal-upload.
+
+%package tests
+Summary:       Internal unit tests for systemd
+Requires:      %{name}%{?_isa} = %{version}-%{release}
+License:       LGPLv2+
+
+%description tests
+"Installed tests" that are usually run as part of the build system.
+They can be useful to test systemd internals.
+
+%prep
+%autosetup -n %{?commit:%{name}%{?stable:-stable}-%{commit}}%{!?commit:%{name}%{?stable:-stable}-%{github_version}} -p1
+
+%build
+%define ntpvendor %(source /etc/os-release; echo ${ID})
+%{!?ntpvendor: echo 'NTP vendor zone is not set!'; exit 1}
+
+CONFIGURE_OPTS=(
+        -Dsysvinit-path=/etc/rc.d/init.d
+        -Drc-local=/etc/rc.d/rc.local
+        -Dntp-servers='0.%{ntpvendor}.pool.ntp.org 1.%{ntpvendor}.pool.ntp.org 2.%{ntpvendor}.pool.ntp.org 3.%{ntpvendor}.pool.ntp.org'
+        -Duser-path=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin
+        -Dservice-watchdog=
+        -Ddev-kvm-mode=0666
+        -Dkmod=true
+        -Dxkbcommon=true
+        -Dblkid=true
+        -Dfdisk=true
+        -Dseccomp=true
+        -Dima=true
+        -Dselinux=true
+        -Dapparmor=false
+        -Dpolkit=true
+        -Dxz=true
+        -Dzlib=true
+        -Dbzip2=true
+        -Dlz4=true
+        -Dzstd=true
+        -Dpam=true
+        -Dacl=true
+        -Dsmack=true
+        -Dgcrypt=true
+        -Daudit=true
+        -Delfutils=true
+%if %{without bootstrap}
+        -Dlibcryptsetup=true
+%else
+        -Dlibcryptsetup=false
+%endif
+        -Delfutils=true
+        -Dpwquality=true
+        -Dqrencode=true
+        -Dgnutls=true
+        -Dmicrohttpd=true
+        -Dlibidn2=true
+        -Dlibiptc=true
+        -Dlibcurl=true
+        -Defi=true
+        -Dgnu-efi=%{?have_gnu_efi:true}%{?!have_gnu_efi:false}
+        -Dtpm=true
+        -Dhwdb=true
+        -Dsysusers=true
+        -Ddefault-kill-user-processes=false
+        -Dtests=unsafe
+        -Dinstall-tests=true
+        -Dtty-gid=5
+        -Dusers-gid=100
+        -Dnobody-user=nobody
+        -Dnobody-group=nobody
+        -Dsplit-usr=false
+        -Dsplit-bin=true
+        -Db_lto=true
+        -Db_ndebug=false
+        -Dman=true
+        -Dversion-tag=v%{version}-%{release}
+        -Ddocdir=%{_pkgdocdir}
+)
+
+%if 0%{?facebook}
+%if 0%{?el7}
+%global _hierarchy legacy
+%else
+%global _hierarchy unified
+%endif
+CONFIGURE_OPTS+=(
+        -Dntp-servers='1.ntp.vip.facebook.com 2.ntp.vip.facebook.com 3.ntp.vip.facebook.com 4.ntp.vip.facebook.com'
+        -Ddns-servers='10.127.255.51 10.191.255.51 2401:db00:eef0:a53:: 2401:db00:eef0:b53::'
+        -Dsupport-url='https://www.facebook.com/groups/prodos.users/'
+        -Ddefault-hierarchy=%{_hierarchy}
+        -Dcontainer-uid-base-min=10485760
+        -Dp11kit=false
+        -Duserdb=false
+        -Dhomed=false
+        -Drepart=false
+)
+%endif
+
+export LANG=en_US.UTF-8
+export LC_ALL=en_US.UTF-8
+%meson "${CONFIGURE_OPTS[@]}"
+%meson_build
+
+%install
+export LANG=en_US.UTF-8
+export LC_ALL=en_US.UTF-8
+%meson_install
+
+# udev links
+mkdir -p %{buildroot}/%{_sbindir}
+ln -sf ../bin/udevadm %{buildroot}%{_sbindir}/udevadm
+
+# Compatiblity and documentation files
+touch %{buildroot}/etc/crypttab
+chmod 600 %{buildroot}/etc/crypttab
+
+# /etc/sysctl.conf compat
+ln -s ../sysctl.conf %{buildroot}/etc/sysctl.d/99-sysctl.conf
+
+# Make sure these directories are properly owned
+mkdir -p %{buildroot}%{system_unit_dir}/basic.target.wants
+mkdir -p %{buildroot}%{system_unit_dir}/default.target.wants
+mkdir -p %{buildroot}%{system_unit_dir}/dbus.target.wants
+mkdir -p %{buildroot}%{system_unit_dir}/syslog.target.wants
+mkdir -p %{buildroot}/run
+mkdir -p %{buildroot}%{_localstatedir}/log
+touch %{buildroot}/run/utmp
+touch %{buildroot}%{_localstatedir}/log/{w,b}tmp
+
+# Make sure the user generators dir exists too
+mkdir -p %{buildroot}%{pkgdir}/system-generators
+mkdir -p %{buildroot}%{pkgdir}/user-generators
+
+# Create new-style configuration files so that we can ghost-own them
+touch %{buildroot}%{_sysconfdir}/hostname
+touch %{buildroot}%{_sysconfdir}/vconsole.conf
+touch %{buildroot}%{_sysconfdir}/locale.conf
+touch %{buildroot}%{_sysconfdir}/machine-id
+touch %{buildroot}%{_sysconfdir}/machine-info
+touch %{buildroot}%{_sysconfdir}/localtime
+mkdir -p %{buildroot}%{_sysconfdir}/X11/xorg.conf.d
+touch %{buildroot}%{_sysconfdir}/X11/xorg.conf.d/00-keyboard.conf
+
+# Make sure the shutdown/sleep drop-in dirs exist
+mkdir -p %{buildroot}%{pkgdir}/system-shutdown/
+mkdir -p %{buildroot}%{pkgdir}/system-sleep/
+
+# Make sure directories in /var exist
+mkdir -p %{buildroot}%{_localstatedir}/lib/systemd/coredump
+mkdir -p %{buildroot}%{_localstatedir}/lib/systemd/catalog
+mkdir -p %{buildroot}%{_localstatedir}/lib/systemd/backlight
+mkdir -p %{buildroot}%{_localstatedir}/lib/systemd/rfkill
+mkdir -p %{buildroot}%{_localstatedir}/lib/systemd/linger
+mkdir -p %{buildroot}%{_localstatedir}/lib/private
+mkdir -p %{buildroot}%{_localstatedir}/log/private
+mkdir -p %{buildroot}%{_localstatedir}/cache/private
+mkdir -p %{buildroot}%{_localstatedir}/lib/private/systemd/journal-upload
+mkdir -p %{buildroot}%{_localstatedir}/lib/systemd/timesync
+ln -s ../private/systemd/journal-upload %{buildroot}%{_localstatedir}/lib/systemd/journal-upload
+mkdir -p %{buildroot}%{_localstatedir}/log/journal
+touch %{buildroot}%{_localstatedir}/lib/systemd/catalog/database
+touch %{buildroot}%{_sysconfdir}/udev/hwdb.bin
+touch %{buildroot}%{_localstatedir}/lib/systemd/random-seed
+touch %{buildroot}%{_localstatedir}/lib/systemd/timesync/clock
+touch %{buildroot}%{_localstatedir}/lib/private/systemd/journal-upload/state
+
+# Install yum protection fragment
+install -Dm0644 %{SOURCE4} %{buildroot}/etc/dnf/protected.d/systemd.conf
+
+# Restore systemd-user pam config from before "removal of Fedora-specific bits"
+install -Dm0644 -t %{buildroot}/etc/pam.d/ %{SOURCE12}
+
+# Install additional docs
+# https://bugzilla.redhat.com/show_bug.cgi?id=1234951
+install -Dm0644 -t %{buildroot}%{_pkgdocdir}/ %{SOURCE9}
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=1378974
+mkdir -p %{buildroot}%{system_unit_dir}/systemd-udev-trigger.service.d/
+install -Dm0644 -t %{buildroot}%{system_unit_dir}/systemd-udev-trigger.service.d/ %{SOURCE10}
+
+# A temporary work-around for https://bugzilla.redhat.com/show_bug.cgi?id=1663040
+mkdir -p %{buildroot}%{system_unit_dir}/systemd-hostnamed.service.d/
+cat >%{buildroot}%{system_unit_dir}/systemd-hostnamed.service.d/disable-privatedevices.conf <<EOF
+[Service]
+PrivateDevices=no
+EOF
+
+install -Dm0755 -t %{buildroot}%{_prefix}/lib/kernel/install.d/ %{SOURCE11}
+
+install -D -t %{buildroot}/usr/lib/systemd/ %{SOURCE3}
+
+sed -i 's|#!/usr/bin/env python3|#!%{__python3}|' %{buildroot}/usr/lib/systemd/tests/run-unit-tests.py
+
+install -m 0644 -D -t %{buildroot}%{_rpmconfigdir}/macros.d/ %{SOURCE21}
+mkdir -p %{buildroot}%{_rpmconfigdir}/fileattrs/
+install -m 0644 -D -t %{buildroot}%{_rpmconfigdir}/fileattrs/ %{SOURCE22}
+install -m 0755 -D -t %{buildroot}%{_rpmconfigdir}/ %{SOURCE23}
+install -m 0755 -D -t %{buildroot}%{_rpmconfigdir}/ %{SOURCE24}
+
+%find_lang %{name}
+
+# Split files in build root into rpms. See split-files.py for the
+# rules towards the end, anything which is an exception needs a line
+# here.
+%{__python3} %{SOURCE2} %buildroot <<EOF
+%ghost %config(noreplace) /etc/crypttab
+%ghost /etc/udev/hwdb.bin
+/etc/inittab
+/usr/lib/systemd/purge-nobody-user
+%ghost %config(noreplace) /etc/vconsole.conf
+%ghost %config(noreplace) /etc/X11/xorg.conf.d/00-keyboard.conf
+%ghost %attr(0664,root,utmp) /run/utmp
+%ghost %attr(0664,root,utmp) /var/log/wtmp
+%ghost %attr(0600,root,utmp) /var/log/btmp
+%ghost %config(noreplace) /etc/hostname
+%ghost %config(noreplace) /etc/localtime
+%ghost %config(noreplace) /etc/locale.conf
+%ghost %config(noreplace) /etc/machine-id
+%ghost %config(noreplace) /etc/machine-info
+%ghost %attr(0700,root,root) %dir /var/cache/private
+%ghost %attr(0700,root,root) %dir /var/lib/private
+%ghost %dir /var/lib/private/systemd
+%ghost %dir /var/lib/private/systemd/journal-upload
+%ghost /var/lib/private/systemd/journal-upload/state
+%ghost %dir /var/lib/systemd/timesync
+%ghost /var/lib/systemd/timesync/clock
+%ghost %dir /var/lib/systemd/backlight
+%ghost /var/lib/systemd/catalog/database
+%ghost %dir /var/lib/systemd/coredump
+%ghost /var/lib/systemd/journal-upload
+%ghost %dir /var/lib/systemd/linger
+%ghost /var/lib/systemd/random-seed
+%ghost %dir /var/lib/systemd/rfkill
+%ghost %dir /var/log/journal
+%ghost %dir /var/log/journal/remote
+%ghost %attr(0700,root,root) %dir /var/log/private
+EOF
+
+%check
+%if %{with tests}
+export LANG=en_US.UTF-8
+export LC_ALL=en_US.UTF-8
+meson test -C %{_vpath_builddir} -t 6 --print-errorlogs
+%endif
+
+#############################################################################################
+
+%include %{SOURCE1}
+
+%pre
+getent group cdrom &>/dev/null || groupadd -r -g 11 cdrom &>/dev/null || :
+getent group utmp &>/dev/null || groupadd -r -g 22 utmp &>/dev/null || :
+getent group tape &>/dev/null || groupadd -r -g 33 tape &>/dev/null || :
+getent group dialout &>/dev/null || groupadd -r -g 18 dialout &>/dev/null || :
+getent group input &>/dev/null || groupadd -r input &>/dev/null || :
+getent group kvm &>/dev/null || groupadd -r -g 36 kvm &>/dev/null || :
+getent group render &>/dev/null || groupadd -r render &>/dev/null || :
+getent group systemd-journal &>/dev/null || groupadd -r -g 190 systemd-journal 2>&1 || :
+
+getent group systemd-coredump &>/dev/null || groupadd -r systemd-coredump 2>&1 || :
+getent passwd systemd-coredump &>/dev/null || useradd -r -l -g systemd-coredump -d / -s /sbin/nologin -c "systemd Core Dumper" systemd-coredump &>/dev/null || :
+
+getent group systemd-network &>/dev/null || groupadd -r -g 192 systemd-network 2>&1 || :
+getent passwd systemd-network &>/dev/null || useradd -r -u 192 -l -g systemd-network -d / -s /sbin/nologin -c "systemd Network Management" systemd-network &>/dev/null || :
+
+getent group systemd-resolve &>/dev/null || groupadd -r -g 193 systemd-resolve 2>&1 || :
+getent passwd systemd-resolve &>/dev/null || useradd -r -u 193 -l -g systemd-resolve -d / -s /sbin/nologin -c "systemd Resolver" systemd-resolve &>/dev/null || :
+
+%post
+systemd-machine-id-setup &>/dev/null || :
+
+systemctl daemon-reexec &>/dev/null || {
+  # systemd v239 had bug #9553 in D-Bus authentication of the private socket,
+  # which was later fixed in v240 by #9625.
+  #
+  # The end result is that a `systemctl daemon-reexec` call as root will fail
+  # when upgrading from systemd v239, which means the system will not start
+  # running the new version of systemd after this post install script runs.
+  #
+  # To work around this issue, let's fall back to using a `kill -TERM 1` to
+  # re-execute the daemon when the `systemctl daemon-reexec` call fails.
+  #
+  # In order to prevent issues when the reason why the daemon-reexec failed is
+  # not the aforementioned bug, let's only use this fallback when:
+  #   - we're upgrading this RPM package; and
+  #   - we confirm that systemd is running as PID1 on this system.
+  if [ $1 -gt 1 ] && [ -d /run/systemd/system ] ; then
+    kill -TERM 1 &>/dev/null || :
+  fi
+}
+
+journalctl --update-catalog &>/dev/null || :
+systemd-tmpfiles --create &>/dev/null || :
+
+# create /var/log/journal only on initial installation,
+# and only if it's writable (it won't be in rpm-ostree).
+if [ $1 -eq 1 ] && [ -w %{_localstatedir} ]; then
+    mkdir -p %{_localstatedir}/log/journal
+fi
+
+# Make sure new journal files will be owned by the "systemd-journal" group
+machine_id=$(cat /etc/machine-id 2>/dev/null)
+chgrp systemd-journal /{run,var}/log/journal/{,${machine_id}} &>/dev/null || :
+chmod g+s /{run,var}/log/journal/{,${machine_id}} &>/dev/null || :
+
+# Apply ACL to the journal directory
+setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/ &>/dev/null || :
+
+# We reset the enablement of all services upon initial installation
+# https://bugzilla.redhat.com/show_bug.cgi?id=1118740#c23
+# This will fix up enablement of any preset services that got installed
+# before systemd due to rpm ordering problems:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1647172.
+# We also do this for user units, see
+# https://fedoraproject.org/wiki/Changes/Systemd_presets_for_user_units.
+if [ $1 -eq 1 ] ; then
+        systemctl preset-all &>/dev/null || :
+        systemctl --global preset-all &>/dev/null || :
+fi
+
+%preun
+if [ $1 -eq 0 ] ; then
+        systemctl disable --quiet \
+                remote-fs.target \
+                getty@.service \
+                serial-getty@.service \
+                console-getty.service \
+                debug-shell.service \
+                systemd-networkd.service \
+                systemd-networkd-wait-online.service \
+                systemd-resolved.service \
+                systemd-homed.service \
+                >/dev/null || :
+fi
+
+%triggerun -- systemd < 246.1-1
+# This is for upgrades from previous versions before systemd-resolved became the default.
+systemctl --no-reload preset systemd-resolved.service &>/dev/null || :
+
+if systemctl is-enabled systemd-resolved.service &>/dev/null; then
+  grep -q 'Generated by NetworkManager' /etc/resolv.conf 2>/dev/null && \
+  echo -e '/etc/resolv.conf was generated by NetworkManager.\nRemoving it to let systemd-resolved manage this file.' && \
+  mv -v /etc/resolv.conf /etc/resolv.conf.orig-with-nm || :
+
+  systemctl start systemd-resolved.service &>/dev/null || :
+fi
+
+%post libs
+%{?ldconfig}
+
+function mod_nss() {
+    if [ -f "$1" ] ; then
+        # Add nss-systemd to passwd and group
+        grep -E -q '^(passwd|group):.* systemd' "$1" ||
+        sed -i.bak -r -e '
+                s/^(passwd|group):(.*)/\1:\2 systemd/
+                ' "$1" &>/dev/null || :
+
+        # Add nss-resolve to hosts
+        grep -E -q '^hosts:.* resolve' "$1" ||
+        sed -i.bak -r -e '
+                s/^(hosts):(.*) files( mdns4_minimal .NOTFOUND=return.)? dns myhostname/\1:\2 resolve [!UNAVAIL=return] myhostname files\3 dns/
+                ' "$1" &>/dev/null || :
+    fi
+}
+
+FILE="$(readlink /etc/nsswitch.conf || echo /etc/nsswitch.conf)"
+if [ "$FILE" = "/etc/authselect/nsswitch.conf" ] && authselect check &>/dev/null; then
+        mod_nss "/etc/authselect/user-nsswitch.conf"
+        authselect apply-changes &> /dev/null || :
+else
+        mod_nss "$FILE"
+        # also apply the same changes to user-nsswitch.conf to affect
+        # possible future authselect configuration
+        mod_nss "/etc/authselect/user-nsswitch.conf"
+fi
+
+# check if nobody or nfsnobody is defined
+export SYSTEMD_NSS_BYPASS_SYNTHETIC=1
+if getent passwd nfsnobody &>/dev/null; then
+   test -f /etc/systemd/dont-synthesize-nobody || {
+       echo 'Detected system with nfsnobody defined, creating /etc/systemd/dont-synthesize-nobody'
+       mkdir -p /etc/systemd || :
+       : >/etc/systemd/dont-synthesize-nobody || :
+   }
+elif getent passwd nobody 2>/dev/null | grep -v 'nobody:[x*]:65534:65534:.*:/:/sbin/nologin' &>/dev/null; then
+   test -f /etc/systemd/dont-synthesize-nobody || {
+       echo 'Detected system with incompatible nobody defined, creating /etc/systemd/dont-synthesize-nobody'
+       mkdir -p /etc/systemd || :
+       : >/etc/systemd/dont-synthesize-nobody || :
+   }
+fi
+
+%{?ldconfig:%postun libs -p %ldconfig}
+
+%global udev_services systemd-udev{d,-settle,-trigger}.service systemd-udevd-{control,kernel}.socket systemd-timesyncd.service
+
+%pre udev
+getent group systemd-timesync &>/dev/null || groupadd -r systemd-timesync 2>&1 || :
+getent passwd systemd-timesync &>/dev/null || useradd -r -l -g systemd-timesync -d / -s /sbin/nologin -c "systemd Time Synchronization" systemd-timesync &>/dev/null || :
+
+%post udev
+# Move old stuff around in /var/lib
+mv %{_localstatedir}/lib/random-seed %{_localstatedir}/lib/systemd/random-seed &>/dev/null
+mv %{_localstatedir}/lib/backlight %{_localstatedir}/lib/systemd/backlight &>/dev/null
+if [ -L %{_localstatedir}/lib/systemd/timesync ]; then
+    rm %{_localstatedir}/lib/systemd/timesync
+    mv %{_localstatedir}/lib/private/systemd/timesync %{_localstatedir}/lib/systemd/timesync
+fi
+if [ -f %{_localstatedir}/lib/systemd/clock ] ; then
+    mkdir -p %{_localstatedir}/lib/systemd/timesync
+    mv %{_localstatedir}/lib/systemd/clock %{_localstatedir}/lib/systemd/timesync/.
+fi
+
+udevadm hwdb --update &>/dev/null
+%systemd_post %udev_services
+/usr/lib/systemd/systemd-random-seed save 2>&1
+
+# Replace obsolete keymaps
+# https://bugzilla.redhat.com/show_bug.cgi?id=1151958
+grep -q -E '^KEYMAP="?fi-latin[19]"?' /etc/vconsole.conf 2>/dev/null &&
+    sed -i.rpm.bak -r 's/^KEYMAP="?fi-latin[19]"?/KEYMAP="fi"/' /etc/vconsole.conf || :
+
+%preun udev
+%systemd_preun %udev_services
+
+%postun udev
+# Only restart systemd-udev, to run the upgraded dameon.
+# Others are either oneshot services, or sockets, and restarting them causes issues (#1378974)
+%systemd_postun_with_restart systemd-udevd.service
+
+%pre journal-remote
+getent group systemd-journal-remote &>/dev/null || groupadd -r systemd-journal-remote 2>&1 || :
+getent passwd systemd-journal-remote &>/dev/null || useradd -r -l -g systemd-journal-remote -d %{_localstatedir}/log/journal/remote -s /sbin/nologin -c "Journal Remote" systemd-journal-remote &>/dev/null || :
+
+%post journal-remote
+%systemd_post systemd-journal-gatewayd.socket systemd-journal-gatewayd.service
+%systemd_post systemd-journal-remote.socket systemd-journal-remote.service
+%systemd_post systemd-journal-upload.service
+
+%preun journal-remote
+%systemd_preun systemd-journal-gatewayd.socket systemd-journal-gatewayd.service
+%systemd_preun systemd-journal-remote.socket systemd-journal-remote.service
+%systemd_preun systemd-journal-upload.service
+if [ $1 -eq 1 ] ; then
+    if [ -f %{_localstatedir}/lib/systemd/journal-upload/state -a ! -L %{_localstatedir}/lib/systemd/journal-upload ] ; then
+        mkdir -p %{_localstatedir}/lib/private/systemd/journal-upload
+        mv %{_localstatedir}/lib/systemd/journal-upload/state %{_localstatedir}/lib/private/systemd/journal-upload/.
+        rmdir %{_localstatedir}/lib/systemd/journal-upload || :
+    fi
+fi
+
+%postun journal-remote
+%systemd_postun_with_restart systemd-journal-gatewayd.service
+%systemd_postun_with_restart systemd-journal-remote.service
+%systemd_postun_with_restart systemd-journal-upload.service
+
+%global _docdir_fmt %{name}
+
+%files -f %{name}.lang -f .file-list-rest
+%doc %{_pkgdocdir}
+%exclude %{_pkgdocdir}/LICENSE.*
+%license LICENSE.GPL2 LICENSE.LGPL2.1
+%ghost %dir %attr(0755,-,-) /etc/systemd/system/basic.target.wants
+%ghost %dir %attr(0755,-,-) /etc/systemd/system/bluetooth.target.wants
+%ghost %dir %attr(0755,-,-) /etc/systemd/system/default.target.wants
+%ghost %dir %attr(0755,-,-) /etc/systemd/system/getty.target.wants
+%ghost %dir %attr(0755,-,-) /etc/systemd/system/graphical.target.wants
+%ghost %dir %attr(0755,-,-) /etc/systemd/system/local-fs.target.wants
+%ghost %dir %attr(0755,-,-) /etc/systemd/system/machines.target.wants
+%ghost %dir %attr(0755,-,-) /etc/systemd/system/multi-user.target.wants
+%ghost %dir %attr(0755,-,-) /etc/systemd/system/network-online.target.wants
+%ghost %dir %attr(0755,-,-) /etc/systemd/system/printer.target.wants
+%ghost %dir %attr(0755,-,-) /etc/systemd/system/remote-fs.target.wants
+%ghost %dir %attr(0755,-,-) /etc/systemd/system/sockets.target.wants
+%ghost %dir %attr(0755,-,-) /etc/systemd/system/sysinit.target.wants
+%ghost %dir %attr(0755,-,-) /etc/systemd/system/system-update.target.wants
+%ghost %dir %attr(0755,-,-) /etc/systemd/system/timers.target.wants
+%ghost %dir %attr(0755,-,-) /var/lib/rpm-state/systemd
+
+%files libs -f .file-list-libs
+%license LICENSE.LGPL2.1
+
+%files pam -f .file-list-pam
+
+%files rpm-macros -f .file-list-rpm-macros
+
+%files devel -f .file-list-devel
+
+%files udev -f .file-list-udev
+
+%files container -f .file-list-container
+
+%files journal-remote -f .file-list-remote
+
+%files tests -f .file-list-tests
+
+%changelog
+* Mon Jan 25 2021 Anita Zhang <anitazha@fb.com> - 246.1-1.fb6
+- Backport PR #16803 to fix ConditionEnvironment=
+
+* Thu Nov 19 2020 Chris Down <cdown@fb.com> - 246.1-1.fb5
+- Updated version of PR #17495 to fix program leak
+
+* Thu Nov 19 2020 Chris Down <cdown@fb.com> - 246.1-1.fb4
+- Backport PR #17495 to fix BPF program lifecycle
+- Backport PR #17422 to clean up cgroups more reliably after exit
+- Backport PR #17497 to add FixedRandomDelay= support
+
+* Fri Sep 18 2020 Anita Zhang <anitazha@fb.com> - 246.1-1.fb3
+- Backport PR #16838 and #16857 to improve $PATH handling
+- Backport PR #16940 to fix ECONN handling in sockets
+- Backport PR #17031 to fix rate limiting on units in restart loop
+- Backport PR #17082 to get nspawn TTY tweaks
+
+* Tue Aug 18 2020 Anita Zhang <anitazha@fb.com> - 246.1-1.fb2
+- Gate "Obsoletes: systemd < 245.6-1" out due to dependency issues on Facebook
+  systems
+
+* Mon Aug 17 2020 Anita Zhang <anitazha@fb.com> - 246.1-1.fb1
+- Facebook rebuild
+- Don't compile in systemd-repart (needs libfdisk >= 2.33 and C8 has 2.32)
+- Remove unused systemd-journal-remote.xml and systemd-journal-gatewayd.xml
+  files since we never used firewalld
+
+* Fri Aug  7 2020 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 246.1-1
+- A few minor bugfixes
+- Remove /etc/resolv.conf on upgrades (if managed by NetworkManager), so
+  that systemd-resolved can take over the management of the symlink.
+
+* Thu Jul 30 2020 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 246-1
+- Update to released version. Only some minor bugfixes since the pre-release.
+
+* Sun Jul 26 2020 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 246~rc2-2
+- Make /tmp be 50% of RAM again (#1856514)
+- Re-run 'systemctl preset systemd-resolved' on upgrades.
+  /etc/resolv.conf is not modified, by a hint is emitted if it is
+  managed by NetworkManager.
+
+* Fri Jul 24 2020 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 246~rc2-1
+- New pre-release with incremental fixes
+  (#1856037, #1858845, #1856122, #1857783)
+- Enable systemd-resolved (with DNSSEC disabled by default, and LLMNR
+  and mDNS support in resolve-only mode by default).
+  See https://fedoraproject.org/wiki/Changes/systemd-resolved.
+
+* Thu Jul  9 2020 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 246~rc1-1
+- New upstream release, see
+  https://raw.githubusercontent.com/systemd/systemd/v246-rc1/NEWS.
+
+  This release includes many new unit settings, related inter alia to
+  cgroupsv2 freezer support and cpu affinity, encryption and verification.
+  systemd-networkd has a ton of new functionality and many other tools gained
+  smaller enhancements. systemd-homed gained FIDO2 support.
+
+  Documentation has been significantly improved: sd-bus and sd-hwdb
+  libraries are now fully documented; man pages have been added for
+  the D-BUS APIs of systemd daemons and various new interfaces.
+
+  Closes #1392925, #1790972, #1197886, #1525593.
+
+* Wed Jun 24 2020 Bastien Nocera <bnocera@redhat.com> - 245.6-3
+- Set fallback-hostname to fedora so that unset hostnames are still
+  recognisable (#1392925)
+
+* Fri Jun  5 2020 Anita Zhang <anitazha@fb.com> - 245.5-2.fb3
+- Backport 156a5fd to mitigate CVE-2020-13776
+
+* Thu Jun  4 2020 Anita Zhang <anitazha@fb.com> - 245.5-2.fb2
+- Revert c7d26ac which is causing SMI count to go up leading to increased
+  microstalls during Chef runs
+
+* Tue Jun  2 2020 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 245.6-2
+- Add self-obsoletes to fix upgrades from F31
+
+* Sun May 31 2020 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 245.6-1
+- Update to latest stable version (some documentation updates, minor
+  memory correctness issues) (#1815605, #1827467, #1842067)
+
+* Thu Apr 30 2020 Anita Zhang <anitazha@fb.com> - 245.5-2.fb1
+- Facebook rebuild
+- Don't compile in systemd-homed, systemd-userdb, and p11kit
+- Backport PR #15544 and #15551 (drops FB rlimit_memlock patch)
+
+* Tue Apr 21 2020 Björn Esser <besser82@fedoraproject.org> - 245.5-2
+- Add explicit BuildRequires: acl
+- Bootstrapping for json-c SONAME bump
+
+* Fri Apr 17 2020 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 245.5-1
+- Update to latest stable version (#1819313, #1815412, #1800875)
+
+* Thu Apr 16 2020 Björn Esser <besser82@fedoraproject.org> - 245.4-2
+- Add bootstrap option to break circular deps on cryptsetup
+
+* Wed Apr  1 2020 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 245.4-1
+- Update to latest stable version (#1814454)
+
+* Thu Mar 26 2020 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 245.3-1
+- Update to latest stable version (no issue that got reported in bugzilla)
+
+* Wed Mar 18 2020 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 245.2-1
+- Update to latest stable version (a few bug fixes for random things) (#1798776)
+
+* Wed Mar 18 2020 Andrew Gallagher <agallagher@fb.com> - 244-2.fb4
+- Bump HIGH_RLIMIT_MEMLOCK to 512M
+
+* Fri Mar  6 2020 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 245-1
+- Update to latest version (#1807485)
+
+* Wed Feb 26 2020 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 245~rc2-1
+- Modify the downstream udev rule to use bfq to only apply to disks (#1803500)
+- "Upgrade" dependency on kbd package from Recommends to Requires (#1408878)
+- Move systemd-bless-boot.service and systemd-boot-system-token.service to
+  systemd-udev subpackage (#1807462)
+- Move a bunch of other services to systemd-udev:
+  systemd-pstore.service, all fsck-related functionality,
+  systemd-volatile-root.service, systemd-verity-setup.service, and a few
+  other related files.
+- Fix daemon-reload rule to not kill non-systemd pid1 (#1803240)
+- Fix namespace-related failure when starting systemd-homed (#1807465) and
+  group lookup failure in nss_systemd (#1809147)
+- Drop autogenerated BOOT_IMAGE= parameter from stored kernel command lines
+  (#1716164)
+- Don't require /proc to be mounted for systemd-sysusers to work (#1807768)
+
+* Fri Feb 21 2020 Filipe Brandenburger <filbranden@gmail.com> - 245~rc1-4
+- Update daemon-reexec fallback to check whether the system is booted with
+  systemd as PID 1 and check whether we're upgrading before using kill -TERM
+  on PID 1 (#1803240)
+
+* Thu Feb 20 2020 Filipe Brandenburger <filbranden@fb.com> - 244-2.fb3
+- Only kill -TERM 1 when systemd is actually running.
+
+* Tue Feb 18 2020 Adam Williamson <awilliam@redhat.com> - 245~rc1-3
+- Revert 097537f0 to fix plymouth etc. running when they shouldn't (#1803293)
+
+* Fri Feb  7 2020 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 245~rc1-2
+- Add default 'disable *' preset for user units (#1792474, #1468501),
+  see https://fedoraproject.org/wiki/Changes/Systemd_presets_for_user_units.
+- Add macro to generate "compat" scriptlets based off sysusers.d format
+  and autogenerate user() and group() virtual provides (#1792462),
+  see https://fedoraproject.org/wiki/Changes/Adopting_sysusers.d_format.
+- Revert patch to udev rules causing regression with usb hubs (#1800820).
+
+* Thu Feb  6 2020 Anita Zhang <anitazha@fb.com> - 244-2.fb2
+- Backport PR#14815 (Permissive syscall filtering in dbus-execute)
+
+* Wed Feb  5 2020 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 245~rc1-1
+- New upstream release, see
+  https://raw.githubusercontent.com/systemd/systemd/v245-rc1/NEWS.
+
+  This release includes completely new functionality: systemd-repart,
+  systemd-homed, user reconds in json, and multi-instantiable
+  journald, and a partial rework of internal communcation to use
+  varlink, and bunch of more incremental changes.
+
+  The "predictable" interface name naming scheme is changed,
+  net.naming-scheme= can be used to undo the change. The change applies
+  to container interface names on the host.
+
+- Fixes #1774242, #1787089, #1798414/CVE-2020-1712.
+
+* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org>
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Jan  9 2020 Anita Zhang <anitazha@fb.com> - 244-2.fb1
+- Facebook rebuild
+- Backport PR#13823 (PrivateUsers=true for unprivileged user managers)
+- Backport PR#14441 (Fix type.d drop-in ordering)
+
+* Sat Dec 21 2019  <zbyszek@nano-f31> - 244.1-2
+- Disable service watchdogs (for systemd units)
+
+* Sun Dec 15 2019  <zbyszek@nano-f31> - 244.1-1
+- Update to latest stable batch (systemd-networkd fixups, better
+  support for seccomp on s390x, minor cleanups to documentation).
+- Drop patch to revert addition of NoNewPrivileges to systemd units
+
+* Fri Nov 29 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 244-1
+- Update to latest version. Just minor bugs fixed since the pre-release.
+
+* Fri Nov 22 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 244~rc1-1
+- Update to latest pre-release version,
+  see https://github.com/systemd/systemd/blob/master/NEWS#L3.
+  Biggest items: cgroups v2 cpuset controller, fido_id builtin in udev,
+  systemd-networkd does not create a default route for link local addressing,
+  systemd-networkd supports dynamic reconfiguration and a bunch of new settings.
+  Network files support matching on WLAN SSID and BSSID.
+- Better error messages when preset/enable/disable are used with a glob (#1763488)
+- u2f-hidraw-policy package is obsoleted (#1753381)
+
+* Tue Nov 19 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 243.4
+- Latest bugfix release. Systemd-stable snapshots will now be numbered.
+- Fix broken PrivateDevices filter on big-endian, s390x in particular (#1769148)
+- systemd-modules-load.service should only warn, not fail, on error (#1254340)
+- Fix incorrect certificate validation with DNS over TLS (#1771725, #1771726,
+  CVE-2018-21029)
+- Fix regression with crypttab keys with colons
+- Various memleaks and minor memory access issues, warning adjustments
+
+* Thu Oct 31 2019 Davide Cavalca <dcavalca@fb.com> - 243-2.fb3
+- Backport PR#13754 (allow restart for oneshot units)
+- Misc specfiles fixes to support building on el8 as well
+- Default el8 builds to the unified hierarchy
+
+* Fri Oct 18 2019 Adam Williamson <awilliam@redhat.com> - 243-4.gitef67743
+- Backport PR #13792 to fix nomodeset+BIOS CanGraphical bug (#1728240)
+
+* Thu Oct 10 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 243-3.gitef67743
+- Various minor documentation and error message cleanups
+- Do not use cgroup v1 hierarchy in nspawn on groups v2 (#1756143)
+
+* Wed Oct  2 2019 Davide Cavalca <dcavalca@fb.com> - 243-2.fb2
+- Backport PR#13689 (a bunch of protection-related fixes)
+
+* Fri Sep 27 2019 Davide Cavalca <dcavalca@fb.com> - 243-2.fb1
+- Facebook rebuild
+- drop "use bfq as the default scheduler" patch
+- backport PR#13369 (ExecXYZEx= bus hook ups)
+- disable udev-test.pl for now due to flakiness
+
+* Sat Sep 21 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 243-2.gitfab6f01
+- Backport a bunch of patches (memory access issues, improvements to error
+  reporting and handling in networkd, some misleading man page contents #1751363)
+- Fix permissions on static nodes (#1740664)
+- Make systemd-networks follow the RFC for DHPCv6 and radv timeouts
+- Fix one crash in systemd-resolved (#1703598)
+- Make journal catalog creation reproducible (avoid unordered hashmap use)
+- Mark the accelerometer in HP laptops as part of the laptop base
+- Fix relabeling of directories with relabel-extra.d/
+- Fix potential stuck noop jobs in pid1
+- Obsolete timedatex package (#1735584)
+
+* Tue Sep  3 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 243-1
+- Update to latest release
+- Emission of Session property-changed notifications from logind is fixed
+  (this was breaking the switching of sessions to and from gnome).
+- Security issue: unprivileged users were allowed to change DNS
+  servers configured in systemd-resolved. Now proper polkit authorization
+  is required.
+
+* Mon Aug 26 2019 Adam Williamson <awilliam@redhat.com> - 243~rc2-2
+- Backport PR #13406 to solve PATH ordering issue (#1744059)
+
+* Thu Aug 22 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 243~rc2-1
+- Update to latest pre-release. Fixes #1740113, #1717712.
+- The default scheduler for disks is set to BFQ (1738828)
+- The default cgroup hierarchy is set to unified (cgroups v2) (#1732114).
+  Use systemd.unified-cgroup-hierarchy=0 on the kernel command line to revert.
+  See https://fedoraproject.org/wiki/Changes/CGroupsV2.
+
+* Wed Aug 07 2019 Adam Williamson <awilliam@redhat.com> - 243~rc1-2
+- Backport PR #1737362 so we own /etc/systemd/system again (#1737362)
+
+* Wed Aug 7 2019 Anita Zhang <anitazha@fb.com> - 242-2.fb4
+- Backport PR#12933 (core: ExecCondition= for services)
+- Backport PR#13096 (Preparatory work for the unit loading rework)
+- Backport PR#13119 (Rework unit loading to take into account all aliases)
+
+* Tue Jul 30 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 243~rc1-1
+- Update to latest version (#1715699, #1696373, #1711065, #1718192)
+
+* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org>
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Sat Jul 20 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 242-6.git9d34e79
+- Ignore bad rdrand output on AMD CPUs (#1729268)
+- A bunch of backported patches from upstream: documentation, memory
+  access fixups, command output tweaks (#1708996)
+
+* Thu Jul 18 2019 Anita Zhang <anitazha@fb.com> - 242-2.fb3
+- Backport PR#12346 (make sure accept_flush() doesn't hang on EOPNOTSUPP)
+- Backport PR#12979 (add SystemCallErrorNumber=EPERM to systemd-portabled.service)
+
+* Tue Jun 25 2019 Björn Esser <besser82@fedoraproject.org>- 242-5.git7a6d834
+- Rebuilt (libqrencode.so.4)
+
+* Tue Jun 25 2019 Miro Hrončok <mhroncok@redhat.com>- 242-4.git7a6d834
+- Rebuilt for iptables update (libip4tc.so.2)
+
+* Thu Jun 20 2019 Anita Zhang <anitazha@fb.com> - 242-2.fb2
+- Backport PR#11778 (ExecStartXYZEx= dbus support)
+- Backport PR#12729 (nspawn: don't hard fail when setting capabilities)
+- Backport PR#12745 (IPAddressXYZ="any" for users with CAP_NET_ADMIN)
+
+* Fri Apr 26 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 242-3.git7a6d834
+- Add symbol to mark vtable format changes (anything using sd_add_object_vtable
+  or sd_add_fallback_vtable needs to be rebuilt)
+- Fix wireguard ListenPort handling in systemd-networkd
+- Fix hang in flush_accept (#1702358)
+- Fix handling of RUN keys in udevd
+- Some documentation and shell completion updates and minor fixes
+
+* Thu Apr 25 2019 Davide Cavalca <dcavalca@fb.com> - 242-2.fb1
+- Facebook rebuild
+- Backport PR#12336 (support DisableControllers= for transient units)
+
+* Tue Apr 16 2019 Adam Williamson <awilliam@redhat.com> - 242-2
+- Rebuild with Meson fix for #1699099
+
+* Thu Apr 11 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 242-1
+- Update to latest release
+- Make scriptlet failure non-fatal
+
+* Tue Apr  9 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 242~rc4-1
+- Update to latest prerelease
+
+* Thu Apr  4 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 242~rc3-1
+- Update to latest prerelease
+
+* Wed Apr  3 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 242~rc2-1
+- Update to the latest prerelease.
+- The bug reported on latest update that systemd-resolved and systemd-networkd are
+  re-enabled after upgrade is fixed.
+
+* Fri Mar 29 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 241-4.gitcbf14c9
+- Backport various patches from the v241..v242 range:
+  kernel-install will not create the boot loader entry automatically (#1648907),
+  various bash completion improvements (#1183769),
+  memory leaks and such (#1685286).
+
+* Fri Mar 22 2019 Davide Cavalca <dcavalca@fb.com> - 241-1.fb2
+- Backport PR#11754 (sd-bus fixes for CVE-2019-6454)
+- Backport PR#12078 (nspawn fix)
+
+* Thu Mar 14 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 241-3.gitc1f8ff8
+- Declare hyperv and framebuffer devices master-of-seat again (#1683197)
+
+* Wed Feb 27 2019 Davide Cavalca <dcavalca@fb.com> - 241-1.fb1
+- Facebook rebuild
+- Rebase fio udev patch (this will likely be dropped in the next release)
+- Drop the mock testing patches, not needed anymore
+- Ignore errors for Python bytecompiling due to run-unit-tests.py
+- Fix the run-unit-tests.py shebang to use python36
+- Backport PR#11831 (missing include) and PR#11836 (test-chown-rec fix)
+
+* Wed Feb 20 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 241-2.gita09c170
+- Prevent buffer overread in systemd-udevd
+- Properly validate dbus paths received over dbus (#1678394, CVE-2019-6454)
+
+* Sat Feb  9 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 241~rc2-2
+- Turn LTO back on
+
+* Tue Feb  5 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 241~rc2-1
+- Update to latest release -rc2
+
+* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org>
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Sun Jan 27 2019 Yu Watanabe <watanabe.yu@gmail.com> - 241~rc1-2
+- Backport a patch for kernel-install
+
+* Sat Jan 26 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 241~rc1-1
+- Update to latest release -rc1
+
+* Tue Jan 15 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 240-6.gitf02b547
+- Add a work-around for #1663040
+
+* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org>
+- Rebuilt for libcrypt.so.2 (#1666033)
+
+* Fri Jan 11 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 240-4.gitf02b547
+- Add a work-around for selinux issue on live images (#1663040)
+
+* Fri Jan 11 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 240-3.gitf02b547
+- systemd-journald and systemd-journal-remote reject entries which
+  contain too many fields (CVE-2018-16865, #1664973) and set limits on the
+  process' command line length (CVE-2018-16864, #1664972)
+- $DBUS_SESSION_BUS_ADDRESS is again exported by pam_systemd (#1662857)
+- A fix for systemd-udevd crash (#1662303)
+
+* Sat Dec 22 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 240-2
+- Add two more patches that revert recent udev changes
+
+* Fri Dec 21 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 240-1
+- Update to latest release
+  See https://github.com/systemd/systemd/blob/master/NEWS for the list of changes.
+
+* Mon Dec 17 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 239-10.git9f3aed1
+- Hibernation checks for resume= are rescinded (#1645870)
+- Various patches:
+  - memory issues in logind, networkd, journald (#1653068), sd-device, etc.
+  - Adaptations for newer meson, lz4, kernel
+  - Fixes for misleading bugs in documentation
+- net.ipv4.conf.all.rp_filter is changed from 1 to 2
+
+* Mon Dec 10 2018 Davide Cavalca <dcavalca@fb.com> - 239-1.fb6
+- Backport PR#10411 and PR#10493 (systemd-analyze timespan command)
+- Rebase our PR#10507 and PR#10567 backports onto the version merged upstream
+- Backport PR#10757 (cgroup2 BPF devices fixes)
+- Backport PR#10876 (cgroup_subtree_mask propagation fix)
+
+* Thu Nov 29 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
+- Adjust scriptlets to modify /etc/authselect/user-nsswitch.conf
+  (see https://github.com/pbrezina/authselect/issues/77)
+- Drop old scriptlets for nsswitch.conf modifications for nss-mymachines and nss-resolve
+
+* Sun Nov 18 2018 Alejandro Domínguez Muñoz <adomu@net-c.com>
+- Remove link creation for rsyslog.service
+
+* Thu Nov  8 2018 Adam Williamson <awilliam@redhat.com> - 239-9.git9f3aed1
+- Go back to using systemctl preset-all in %%post (#1647172, #1118740)
+
+* Mon Nov  5 2018 Adam Williamson <awilliam@redhat.com> - 239-8.git9f3aed1
+- Requires(post) openssl-libs to fix live image build machine-id issue
+  See: https://pagure.io/dusty/failed-composes/issue/960
+
+* Mon Nov  5 2018 Yu Watanabe <watanabe.yu@gmail.com>
+- Set proper attributes to private directories
+
+* Fri Nov  2 2018 Davide Cavalca <dcavalca@fb.com> - 239-1.fb5
+- Backport PR#10507 (don't require CPU controller for CPU accounting)
+- Backport PR#10567 (DisableControllers= directive)
+
+* Fri Nov  2 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 239-7.git9f3aed1
+- Split out the rpm macros into systemd-rpm-macros subpackage (#1645298)
+
+* Sun Oct 28 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 239-6.git9f3aed1
+- Fix a local vulnerability from a race condition in chown-recursive (CVE-2018-15687, #1639076)
+- Fix a local vulnerability from invalid handling of long lines in state deserialization (CVE-2018-15686, #1639071)
+- Fix a remote vulnerability in DHCPv6 in systemd-networkd (CVE-2018-15688, #1639067)
+- The DHCP server is started only when link is UP
+- DHCPv6 prefix delegation is improved
+- Downgrade logging of various messages and add loging in other places
+- Many many fixes in error handling and minor memory leaks and such
+- Fix typos and omissions in documentation
+- Typo in %%_environmnentdir rpm macro is fixed (with backwards compatiblity preserved)
+- Matching by MACAddress= in systemd-networkd is fixed
+- Creation of user runtime directories is improved, and the user
+  manager is only stopped after 10 s after the user logs out (#1642460 and other bugs)
+- systemd units systemd-timesyncd, systemd-resolved, systemd-networkd are switched back to use DynamicUser=0
+- Aliases are now resolved when loading modules from pid1. This is a (redundant) fix for a brief kernel regression.
+- "systemctl --wait start" exits immediately if no valid units are named
+- zram devices are not considered as candidates for hibernation
+- ECN is not requested for both in- and out-going connections (the sysctl overide for net.ipv4.tcp_ecn is removed)
+- Various smaller improvements to unit ordering and dependencies
+- generators are now called with the manager's environment
+- Handling of invalid (intentionally corrupt) dbus messages is improved, fixing potential local DOS avenues
+- The target of symlinks links in .wants/ and .requires/ is now ignored. This fixes an issue where
+  the unit file would sometimes be loaded from such a symlink, leading to non-deterministic unit contents.
+- Filtering of kernel threads is improved. This fixes an issues with newer kernels where hybrid kernel/user
+  threads are used by bpfilter.
+- "noresume" can be used on the kernel command line to force normal boot even if a hibernation images is present
+- Hibernation is not advertised if resume= is not present on the kernenl command line
+- Hibernation/Suspend/... modes can be disabled using AllowSuspend=,
+  AllowHibernation=, AllowSuspendThenHibernate=, AllowHybridSleep=
+- LOGO= and DOCUMENTATION_URL= are documented for the os-release file
+- The hashmap mempool is now only used internally in systemd, and is disabled for external users of the systemd libraries
+- Additional state is serialized/deserialized when logind is restarted, fixing the handling of user objects
+- Catalog entries for the journal are improved (#1639482)
+- If suspend fails, the post-suspend hooks are still called.
+- Various build issues on less-common architectures are fixed
+
+* Fri Oct 12 2018 Davide Cavalca <dcavalca@fb.com> - 239-1.fb4
+- Backport PR#10062 (cgroup2 BPF device controller support)
+- Backport PR#10203, PR#10363 (tests fixes for supplementary groups)
+- Backport PR#10368 (%g, %G specifiers support)
+- Add hostname to BuildRequires (it's needed by test-execute)
+- Reenable test-execute now that it's finally working
+
+* Wed Oct  3 2018 Jan Synáček <jsynacek@redhat.com> - 239-5
+- Fix meson using -Ddebug, which results in FTBFS
+- Fix line_begins() to accept word matching full string (#1631840)
+
+* Mon Sep 10 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 239-4
+- Move /etc/yum/protected.d/systemd.conf to /etc/dnf/ (#1626969)
+
+* Fri Aug 24 2018 Davide Cavalca <dcavalca@fb.com> - 239-1.fb3
+- backport new version of guro's cgroup2 BPF device controller patch
+
+* Wed Jul 18 2018 Terje Rosten <terje.rosten@ntnu.no> - 239-3
+- Ignore return value from systemd-binfmt in scriptlet (#1565425)
+
+* Sun Jul 15 2018 Filipe Brandenburger <filbranden@gmail.com>
+- Override systemd-user PAM config in install and not prep
+
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org>
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Wed Jul  4 2018 Davide Cavalca <dcavalca@fb.com> - 239-1.fb2
+- backport PR#9460 (followup to PR#9410)
+- backport PR#9500 (support for StandardOutput=append:)
+- revert c58fd46 (part of PR#8403) to workaround a FB-specific build issue
+
+* Mon Jun 25 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
+- Rebuild for Python 3.7 again
+
+* Mon Jun 25 2018 Davide Cavalca <dcavalca@fb.com> - 239-1.fb1
+- Facebook rebuild
+- backport PR#9244 and PR#9247 (new cgroup2 features)
+- backport PR#9410 (gnutls detection, fix for #9403)
+
+* Fri Jun 22 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 239-1
+- Update to latest version, mostly bug fixes and new functionality,
+  very little breaking changes. See
+  https://github.com/systemd/systemd/blob/v239/NEWS for details.
+
+* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com>
+- Rebuilt for Python 3.7
+
+* Thu May 31 2018 Davide Cavalca <dcavalca@fb.com> - 238-7.fb3
+- Update cgroup2 BPF device controller patches
+- Backport PR#9148 to mitigate pid watching issue on git
+
+* Tue May 15 2018 Davide Cavalca <dcavalca@fb.com> - 238-7.fb2
+- Backport htejun's io.latency patch
+- Backport guro's cgroup2 BPF device controller patch
+
+* Fri May 11 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 238-8.git0e0aa59
+- Backport a number of patches (documentation, hwdb updates)
+- Fixes for tmpfiles 'e' entries
+- systemd-networkd crashes
+- XEN virtualization detection on hyper-v
+- Avoid relabelling /sys/fs/cgroup if not needed (#1576240)
+
+* Wed Apr 18 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 238-7.fc28.1
+- Allow fake Delegate= setting on slices (#1568594)
+
+* Thu Apr  5 2018 Davide Cavalca <dcavalca@fb.com> - 238-7.fb1
+- Facebook rebuild
+- Reenable tests (except test-execute which is still broken)
+
+* Wed Mar 28 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 238-7
+- Move udev transfiletriggers to the right package, fix quoting
+
+* Tue Mar 27 2018 Colin Walters <walters@verbum.org> - 238-6
+- Use shell for triggers; see https://github.com/systemd/systemd/pull/8550
+  This fixes compatibility with rpm-ostree.
+
+* Tue Mar 20 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 238-5
+- Backport patch to revert inadvertent change of "predictable" interface name (#1558027)
+
+* Fri Mar 16 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 238-4
+- Do not close dbus connection during dbus reload call (#1554578)
+
+* Wed Mar  7 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 238-3
+- Revert the patches for GRUB BootLoaderSpec support
+- Add patch for /etc/machine-id creation (#1552843)
+
+* Tue Mar  6 2018 Yu Watanabe <watanabe.yu@gmail.com> - 238-2
+- Fix transfiletrigger script (#1551793)
+
+* Mon Mar  5 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 238-1
+- Update to latest version
+- This fixes a hard-to-trigger potential vulnerability (CVE-2018-6954)
+- New transfiletriggers are installed for udev hwdb and rules, the journal
+  catalog, sysctl.d, binfmt.d, sysusers.d, tmpfiles.d.
+
+* Tue Feb 27 2018 Javier Martinez Canillas <javierm@redhat.com> - 237-7.git84c8da5
+- Add patch to install kernel images for GRUB BootLoaderSpec support
+
+* Mon Feb 26 2018 Davide Cavalca <dcavalca@fb.com> - 237-1.fb3
+- Backport PR#8115 to properly fix GH#8194
+
+* Sat Feb 24 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 237-6.git84c8da5
+- Create /etc/systemd in %%post libs if necessary (#1548607)
+
+* Fri Feb 23 2018 Adam Williamson <awilliam@redhat.com> - 237-5.git84c8da5
+- Use : not touch to create file in -libs %%post
+
+* Thu Feb 22 2018 Davide Cavalca <dcavalca@fb.com> - 237-1.fb2
+- Add workaround for an issue with systemd-nspawn -u affecting mock (GH#8194)
+
+* Thu Feb 22 2018 Patrick Uiterwijk <patrick@puiterwijk.org> - 237-4.git84c8da5
+- Add coreutils dep for systemd-libs %%post
+- Add patch to typecast USB IDs to avoid compile failure
+
+* Wed Feb 21 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 237-3.git84c8da5
+- Update some patches for test skipping that were updated upstream
+  before merging
+- Add /usr/lib/systemd/purge-nobody-user — a script to check if nobody is defined
+  correctly and possibly replace existing mappings
+
+* Tue Feb 20 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 237-2.gitdff4849
+- Backport a bunch of patches, most notably for the journal and various
+  memory issues. Some minor build fixes.
+- Switch to new ldconfig macros that do nothing in F28+
+- /etc/systemd/dont-synthesize-nobody is created in %%post if nfsnobody
+  or nobody users are defined (#1537262)
+
+* Mon Feb 12 2018 Davide Cavalca <dcavalca@fb.com> - 237-1.fb1
+- Facebook rebuild
+- Backport configurable docdir patch from master (PR#8068)
+- Ensure split-files.py is run with python36
+- Set nfs/nfsnobody as nobody users
+- Add pcre2-devel dependecy for journalctl --grep
+- Disable tests for now as they're failing randomly when building in mock
+- Use 10485760 as container base for Facebook to avoid conflicting with LDAP
+- Backport PID file symlink chain checks fix from master (PR#8133)
+
+* Fri Feb  9 2018 Zbigniew Jędrzejeweski-Szmek <zbyszek@in.waw.pl> - 237-1.git78bd769
+- Update to first stable snapshot (various minor memory leaks and misaccesses,
+  some documentation bugs, build fixes).
+
+* Sun Jan 28 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 237-1
+- Update to latest version
+
+* Sun Jan 21 2018 Björn Esser <besser82@fedoraproject.org> - 236-4.git3e14c4c
+- Add patch to include <crypt.h> if needed
+
+* Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 236-3.git3e14c4c
+- Rebuilt for switch to libxcrypt
+
+* Thu Jan 11 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 236-2.git23e14c4
+- Backport a bunch of bugfixes from upstream (#1531502, #1531381, #1526621
+  various memory corruptions in systemd-networkd)
+- /dev/kvm is marked as a static node which fixes permissions on s390x
+  and ppc64 (#1532382)
+
+* Fri Dec 15 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 236-1
+- Update to latest version
+
+* Mon Dec 11 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 235-5.git4a0e928
+- Update to latest git snapshot, do not build for realz
+- Switch to libidn2 again (#1449145)
+
+* Tue Nov 07 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 235-4
+- Rebuild for cryptsetup-2.0.0-0.2.fc28
+
+* Wed Oct 25 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 235-3
+- Backport a bunch of patches, including LP#172535
+
+* Wed Oct 18 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 235-2
+- Patches for cryptsetup _netdev
+
+* Mon Oct  9 2017 Davide Cavalca <dcavalca@fb.com> - 235-1.fb1
+- Facebook rebuild
+
+* Fri Oct  6 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 235-1
+- Update to latest version
+
+* Tue Sep 26 2017 Nathaniel McCallum <npmccallum@redhat.com> - 234-8
+- Backport /etc/crypttab _netdev feature from upstream
+
+* Thu Sep 21 2017 Michal Sekletar <msekleta@redhat.com> - 234-7
+- Make sure to remove all device units sharing the same sysfs path (#1475570)
+
+* Mon Sep 18 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 234-6
+- Bump xslt recursion limit for libxslt-1.30
+
+* Mon Sep 18 2017 Davide Cavalca <dcavalca@fb.com> - 234-5.fb2
+- backport build fix for O_TMPFILE from PR#6816
+
+* Tue Aug  8 2017 Davide Cavalca <dcavalca@fb.com> - 234-5.fb1
+- new upstream release
+- drop compat-libs patch in favor of separate systemd-compat-libs project
+- force locale to UTF-8 to make meson happy
+- disable broken test-execute
+- backport nsdelegate support from PR#6294
+
+* Mon Jul 31 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 234-5
+- Backport more patches (#1476005, hopefully #1462378)
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org>
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Mon Jul 17 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 234-3
+- Fix x-systemd.timeout=0 in /etc/fstab (#1462378)
+- Minor patches (memleaks, --help fixes, seccomp on arm64)
+
+* Thu Jul 13 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 234-2
+- Create kvm group (#1431876)
+
+* Thu Jul 13 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 234-1
+- Latest release
+
+* Sat Jul  1 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 233-7.git74d8f1c
+- Update to snapshot
+- Build with meson again
+
+* Tue Jun 27 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 233-6
+- Fix an out-of-bounds write in systemd-resolved (CVE-2017-9445)
+
+* Sat Jun 17 2017 Peter Blair <pmb@fb.com> - 233-2.fb2
+- Apply patch from CVE-2017-9445
+
+* Fri Jun 16 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 233-5.gitec36d05
+- Update to snapshot version, build with meson
+
+* Thu Jun 15 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 233-4
+- Backport a bunch of small fixes (memleaks, wrong format strings,
+  man page clarifications, shell completion)
+- Fix systemd-resolved crash on crafted DNS packet (CVE-2017-9217, #1455493)
+- Fix systemd-vconsole-setup.service error on systems with no VGA console (#1272686)
+- Drop soft-static uid for systemd-journal-gateway
+- Use ID from /etc/os-release as ntpvendor
+
+* Thu Apr 13 2017 Davide Cavalca <dcavalca@fb.com> - 233-2.fb1
+- New upstream release
+- disable a couple of broken tests
+- default to legacy hierarchy for now
+
+* Wed Apr 12 2017 Davide Cavalca <dcavalca@fb.com> - 231-11.fb2
+- fix lz4 depends to pick the right package
+
+* Mon Apr  3 2017 Davide Cavalca <dcavalca@fb.com> - 231-11.fb1
+- use facebook macro to gate Facebook-specific settings
+- rebuild against new RPM backport
+- update patches
+
+* Thu Mar 16 2017 Michal Sekletar <msekleta@redhat.com> - 233-3
+- Backport bugfixes from upstream
+- Don't return error when machinectl couldn't figure out container IP addresses (#1419501)
+
+* Tue Mar 14 2017 Patrick White <pwhite@fb.com> - 231-2.fb4
+- add poettering patch to fix hitting an assert (PR#4447)
+
+* Thu Mar  2 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 233-2
+- Fix installation conflict with polkit
+
+* Thu Mar  2 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 233-1
+- New upstream release (#1416201, #1405439, #1420753, many others)
+- New systemd-tests subpackage with "installed tests"
+
+* Thu Feb 16 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 232-15
+- Add %%ghost %%dir entries for .wants dirs of our targets (#1422894)
+
+* Tue Feb 14 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 232-14
+- Ignore the hwdb parser test
+
+* Tue Feb 14 2017 Jan Synáček <jsynacek@redhat.com> - 232-14
+- machinectl fails when virtual machine is running (#1419501)
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 232-13
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Tue Jan 31 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 232-12
+- Backport patch for initrd-switch-root.service getting killed (#1414904)
+- Fix sd-journal-gatewayd -D, --trust, and COREDUMP_CONTAINER_CMDLINE
+  extraction by sd-coredump.
+
+* Sun Jan 29 2017 zbyszek <zbyszek@in.waw.pl> - 232-11
+- Backport a number of patches (#1411299, #1413075, #1415745,
+                                ##1415358, #1416588, #1408884)
+- Fix various memleaks and unitialized variable access
+- Shell completion enhancements
+- Enable TPM logging by default (#1411156)
+- Update hwdb (#1270124)
+
+* Thu Jan 19 2017 Adam Williamson <awilliam@redhat.com> - 232-10
+- Backport fix for boot failure in initrd-switch-root (#1414904)
+
+* Wed Jan 18 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 232-9
+- Add fake dependency on systemd-pam to systemd-devel to ensure systemd-pam
+  is available as multilib (#1414153)
+
+* Tue Jan 17 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 232-8
+- Fix buildsystem to check for lz4 correctly (#1404406)
+
+* Wed Jan 11 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 232-7
+- Various small tweaks to scriplets
+
+* Sat Jan 07 2017 Kevin Fenzi <kevin@scrye.com> - 232-6
+- Fix scriptlets to never fail in libs post
+
+* Fri Jan 06 2017 Kevin Fenzi <kevin@scrye.com> - 232-5
+- Add patch from Michal Schmidt to avoid process substitution (#1392236)
+
+* Sun Nov  6 2016 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 232-4
+- Rebuild (#1392236)
+
+* Fri Nov  4 2016 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 232-3
+- Make /etc/dbus-1/system.d directory non-%%ghost
+
+* Fri Nov  4 2016 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 232-2
+- Fix kernel-install (#1391829)
+- Restore previous systemd-user PAM config (#1391836)
+- Move journal-upload.conf.5 from systemd main to journal-remote subpackage (#1391833)
+- Fix permissions on /var/lib/systemd/journal-upload (#1262665)
+
+* Thu Nov  3 2016 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 232-1
+- Update to latest version (#998615, #1181922, #1374371, #1390704, #1384150, #1287161)
+- Add %%{_isa} to Provides on arch-full packages (#1387912)
+- Create systemd-coredump user in %%pre (#1309574)
+- Replace grubby patch with a short-circuiting install.d "plugin"
+- Enable nss-systemd in the passwd, group lines in nsswith.conf
+- Add [!UNAVAIL=return] fallback after nss-resolve in hosts line in nsswith.conf
+- Move systemd-nspawn man pages to the right subpackage (#1391703)
+
+* Tue Oct 18 2016 Jan Synáček <jsynacek@redhat.com> - 231-11
+- SPC - Cannot restart host operating from container (#1384523)
+
+* Sun Oct  9 2016 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 231-10
+- Do not recreate /var/log/journal on upgrades (#1383066)
+- Move nss-myhostname provides to systemd-libs (#1383271)
+
+* Fri Oct  7 2016 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 231-9
+- Fix systemctl set-default (#1374371)
+- Prevent systemd-udev-trigger.service from restarting (follow-up for #1378974)
+
+* Tue Oct  4 2016 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 231-8
+- Apply fix for #1378974
+
+* Mon Oct  3 2016 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 231-7
+- Apply patches properly
+
+* Thu Sep 29 2016 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 231-6
+- Better fix for (#1380286)
+
+* Thu Sep 29 2016 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 231-5
+- Denial-of-service bug against pid1 (#1380286)
+
+* Thu Aug 25 2016 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 231-4
+- Fix preset-all (#1363858)
+- Fix issue with daemon-reload messing up graphics (#1367766)
+- A few other bugfixes
+
+* Wed Aug 10 2016 Davide Cavalca <dcavalca@fb.com> - 231-2.fb3
+- add mpawlowski root filesystem namespace patch for #12621017
+- add htejun patch for cgroup2 cpu controller (PR#3905)
+- update htejun logind patch from PR#3835
+
+* Wed Aug 03 2016 Adam Williamson <awilliam@redhat.com> - 231-3
+- Revert preset-all change, it broke stuff (#1363858)
+
+* Thu Jul 28 2016 Davide Cavalca <dcavalca@fb.com> - 231-2.fb2
+- add /dev/fio patch from bwann for GH#3718
+- import PR#3821 updates and rebase patches on github
+- add htejun logind patch for UserTasksMax (#12460186, PR#3835)
+
+* Wed Jul 27 2016 Davide Cavalca <dcavalca@fb.com> - 231-2.fb1
+- Facebook rebuild
+- Fix test failures in mock (#7950934, PR#3821)
+- drop fsck on root patch now that we have the new dracut (see PR#3822)
+- Rework LTO disable patch to be conditional (#11565880, PR#3823)
+- update compat-libs and rebase onto public branch
+  (https://github.com/davide125/systemd/tree/compat-libs)
+- add back python support now that we have python34-lxml
+- add back xkbcommon support as it's available in rolling os updates
+
+* Wed Jul 27 2016 Zbigniew Jędrzejewski-Szmek <zbyszek@bupkis> - 231-2
+- Call preset-all on initial installation (#1118740)
+- Fix botched Recommends for libxkbcommon
+
+* Tue Jul 26 2016 Zbigniew Jędrzejewski-Szmek <zbyszek@bupkis> - 231-1
+- Update to latest version
+
+* Tue Jul 19 2016 Davide Cavalca <dcavalca@fb.com> - 230-2.fb2
+- fix fsck for root filesystem on firstboot after install (#11352467)
+
+* Wed Jun  8 2016 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 230-3
+- Update to latest git snapshot (fixes for systemctl set-default,
+  polkit lingering policy, reversal of the framebuffer rules,
+  unaligned access fixes, fix for StartupBlockIOWeight-over-dbus).
+  Those changes are interspersed with other changes and new features
+  (mostly in lldp, networkd, and nspawn). Some of those new features
+  might not work, but I think that existing functionality should not
+  be broken, so it seems worthwile to update to the snapshot.
+
+* Thu May 26 2016 Davide Cavalca <dcavalca@fb.com> - 230-2.fb1
+- Facebook rebuild
+- backport htejun PRs for cgroup2 (#3337, #3329, #3315, #3417, #3418)
+- add back compat-libs
+
+* Sat May 21 2016 Zbigniew Jędrzejewski-Szmek <zbyszek@bupkis> - 230-2
+- Remove systemd-compat-libs on upgrade
+
+* Sat May 21 2016 Zbigniew Jędrzejewski-Szmek <zbyszek@bupkis> - 230-1
+- New version
+- Drop compat-libs
+- Require libxkbcommon explictly, since the automatic dependency will
+  not be generated anymore
+
+* Thu May 12 2016 Tejun Heo <htejun@fb.com> - 229-1.fb6
+- backport https://github.com/systemd/systemd/pull/3246 to fix slice overrides
+
+* Mon May 09 2016 Davide Cavalca <dcavalca@fb.com> - 229-1.fb5
+- update Tejun Heo patches for cgroup2 io controller support
+
+* Fri Apr 29 2016 Davide Cavalca <dcavalca@fb.com> - 229-1.fb4
+- add Tejun Heo test patch for cgroup2 IO controllers support (#10638181)
+
+* Tue Apr 26 2016 Zbigniew Jędrzejewski-Szmek <zbyszek@bupkis> - 229-15
+- Remove duplicated entries in -container %%files (#1330395)
+
+* Fri Apr 22 2016 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 229-14
+- Move installation of udev services to udev subpackage (#1329023)
+
+* Mon Apr 18 2016 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 229-13
+- Split out systemd-pam subpackage (#1327402)
+
+* Mon Apr 18 2016 Harald Hoyer <harald@redhat.com> - 229-12
+- move more binaries and services from the main package to subpackages
+
+* Mon Apr 18 2016 Harald Hoyer <harald@redhat.com> - 229-11
+- move more binaries and services from the main package to subpackages
+
+* Mon Apr 18 2016 Harald Hoyer <harald@redhat.com> - 229-10
+- move device dependant stuff to the udev subpackage
+
+* Thu Mar 24 2016 Davide Cavalca <dcavalca@fb.com> - 229-1.fb3
+- add Tejun Heo patches for cgroups v2 support (#10268183)
+
+* Tue Mar 22 2016 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 229-9
+- Add myhostname to /etc/nsswitch.conf (#1318303)
+
+* Mon Mar 21 2016 Harald Hoyer <harald@redhat.com> - 229-8
+- fixed kernel-install for copying files for grubby
+Resolves: rhbz#1299019
+
+* Thu Mar 17 2016 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 229-7
+- Moar patches (#1316964, #1317928)
+- Move vconsole-setup and tmpfiles-setup-dev bits to systemd-udev
+- Protect systemd-udev from deinstallation
+
+* Fri Mar 11 2016 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 229-6
+- Create /etc/resolv.conf symlink from systemd-resolved (#1313085)
+
+* Fri Mar  4 2016 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 229-5
+- Split out systemd-container subpackage (#1163412)
+- Split out system-udev subpackage
+- Add various bugfix patches, incl. a tentative fix for #1308771
+
+* Wed Mar 02 2016 Davide Cavalca <dcavalca@fb.com> - 229-1.fb2
+- revert RPM trigger macros for #10119506
+
+* Tue Mar  1 2016 Peter Robinson <pbrobinson@fedoraproject.org> 229-4
+- Power64 and s390(x) now have libseccomp support
+- aarch64 has gnu-efi
+
+* Tue Feb 23 2016 Jan Synáček <jsynacek@redhat.com> - 229-3
+- Fix build failures on ppc64 (#1310800)
+
+* Tue Feb 16 2016 Dennis Gilmore <dennis@ausil.us> - 229-2
+- revert: fixed kernel-install for copying files for grubby
+Resolves: rhbz#1299019
+- this causes the dtb files to not get installed at all and the fdtdir
+- line in extlinux.conf to not get updated correctly
+
+* Tue Feb 16 2016 Davide Cavalca <dcavalca@fb.com> - 229-1.fb1
+- Facebook rebuilt
+- disable LTO to fix a build segfault with LTO
+
+* Thu Feb 11 2016 Michal Sekletar <msekleta@redhat.com> - 229-1
+- New upstream release
+
+* Thu Feb 11 2016 Harald Hoyer <harald@redhat.com> - 228-10.gite35a787
+- fixed kernel-install for copying files for grubby
+Resolves: rhbz#1299019
+
+* Fri Feb 05 2016 Fedora Release Engineering <releng@fedoraproject.org> - 228-9.gite35a787
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Jan 27 2016 Peter Robinson <pbrobinson@fedoraproject.org> 228-8.gite35a787
+- Rebuild for binutils on aarch64 fix
+
+* Fri Jan 08 2016 Dan Horák <dan[at]danny.cz> - 228-7.gite35a787
+- apply the conflict with fedora-release only in Fedora
+
+* Thu Dec 10 2015 Jan Synáček <jsynacek@redhat.com> - 228-6.gite35a787
+- Fix rawhide build failures on ppc64 (#1286249)
+
+* Sun Nov 29 2015 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 228-6.gite35a787
+- Create /etc/systemd/network (#1286397)
+
+* Thu Nov 26 2015 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 228-5.gite35a787
+- Do not install nss modules by default
+
+* Tue Nov 24 2015 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 228-4.gite35a787
+- Update to latest upstream git: there is a bunch of fixes
+  (nss-mymachines overflow bug, networkd fixes, more completions are
+  properly installed), mixed with some new resolved features.
+- Rework file triggers so that they always run before daemons are restarted
+
+* Mon Nov 23 2015 Davide Cavalca <dcavalca@fb.com> - 228-3.fb1
+- Facebook rebuilt
+- disable test-namespace
+- revert rpm file triggers as they don't work on el7
+
+* Thu Nov 19 2015 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 228-3
+- Enable rpm file triggers for daemon-reload
+
+* Thu Nov 19 2015 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 228-2
+- Fix version number in obsoleted package name (#1283452)
+
+* Wed Nov 18 2015 Kay Sievers <kay@redhat.com> - 228-1
+- New upstream release
+
+* Thu Nov 12 2015 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 227-7
+- Rename journal-gateway subpackage to journal-remote
+- Ignore the access mode on /var/log/journal (#1048424)
+- Do not assume fstab is present (#1281606)
+
+* Wed Nov 11 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 227-6
+- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5
+
+* Tue Nov 10 2015 Lukáš Nykrýn <lnykryn@redhat.com> - 227-5
+- Rebuild for libmicrohttpd soname bump
+
+* Fri Nov 06 2015 Robert Kuska <rkuska@redhat.com> - 227-4
+- Rebuilt for Python3.5 rebuild
+
+* Wed Nov  4 2015 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 227-3
+- Fix syntax in kernel-install (#1277264)
+
+* Tue Nov 03 2015 Michal Schmidt <mschmidt@redhat.com> - 227-2
+- Rebuild for libmicrohttpd soname bump.
+
+* Fri Oct 09 2015 Davide Cavalca <dcavalca@fb.com> - 227-1.fb1
+- disable tests broken on centos6
+- fix build with centos7 curl
+- kernel-install: add fedora specific callouts to new-kernel-pkg
+
+* Wed Oct  7 2015 Kay Sievers <kay@redhat.com> - 227-1
+- New upstream release
+
+* Fri Sep 18 2015 Jan Synáček <jsynacek@redhat.com> - 226-3
+- user systemd-journal-upload should be in systemd-journal group (#1262743)
+
+* Fri Sep 18 2015 Kay Sievers <kay@redhat.com> - 226-2
+- Add selinux to  system-user PAM config
+
+* Tue Sep  8 2015 Kay Sievers <kay@redhat.com> - 226-1
+- New upstream release
+
+* Thu Aug 27 2015 Kay Sievers <kay@redhat.com> - 225-1
+- New upstream release
+
+* Fri Jul 31 2015 Kay Sievers <kay@redhat.com> - 224-1
+- New upstream release
+
+* Wed Jul 29 2015 Kay Sievers <kay@redhat.com> - 223-2
+- update to git snapshot
+
+* Wed Jul 29 2015 Kay Sievers <kay@redhat.com> - 223-1
+- New upstream release
+
+* Thu Jul  9 2015 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 222-2
+- Remove python subpackages (python-systemd in now standalone)
+
+* Tue Jul  7 2015 Kay Sievers <kay@redhat.com> - 222-1
+- New upstream release
+
+* Mon Jul  6 2015 Kay Sievers <kay@redhat.com> - 221-5.git619b80a
+- update to git snapshot
+
+* Mon Jul  6 2015 Zbigniew Jędrzejewski-Szmek <zbyszek@laptop> - 221-4.git604f02a
+- Add example file with yama config (#1234951)
+
+* Sun Jul 5 2015 Kay Sievers <kay@redhat.com> - 221-3.git604f02a
+- update to git snapshot
+
+* Mon Jun 22 2015 Kay Sievers <kay@redhat.com> - 221-2
+- build systemd-boot EFI tools
+
+* Fri Jun 19 2015 Lennart Poettering <lpoetter@redhat.com> - 221-1
+- New upstream release
+- Undoes botched translation check, should be reinstated later?
+
+* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 220-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Thu Jun 11 2015 Peter Robinson <pbrobinson@fedoraproject.org> 220-9
+- The gold linker is now fixed on aarch64
+
+* Tue Jun  9 2015 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 220-8
+- Remove gudev which is now provided as separate package (libgudev)
+- Fix for spurious selinux denials (#1224211)
+- Udev change events (#1225905)
+- Patches for some potential crashes
+- ProtectSystem=yes does not touch /home
+- Man page fixes, hwdb updates, shell completion updates
+- Restored persistent device symlinks for bcache, xen block devices
+- Tag all DRM cards as master-of-seat
+
+* Tue Jun 09 2015 Harald Hoyer <harald@redhat.com> 220-7
+- fix udev block device watch
+
+* Tue Jun 09 2015 Harald Hoyer <harald@redhat.com> 220-6
+- add support for network disk encryption
+
+* Sun Jun  7 2015 Peter Robinson <pbrobinson@fedoraproject.org> 220-5
+- Disable gold on aarch64 until it's fixed (tracked in rhbz #1225156)
+
+* Sat May 30 2015 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 220-4
+- systemd-devel should require systemd-libs, not the main package (#1226301)
+- Check for botched translations (#1226566)
+- Make /etc/udev/hwdb.d part of the rpm (#1226379)
+
+* Thu May 28 2015 Richard W.M. Jones <rjones@redhat.com> - 220-3
+- Add patch to fix udev --daemon not cleaning child processes
+  (upstream commit 86c3bece38bcf5).
+
+* Wed May 27 2015 Richard W.M. Jones <rjones@redhat.com> - 220-2
+- Add patch to fix udev --daemon crash (upstream commit 040e689654ef08).
+
+* Thu May 21 2015 Lennart Poettering <lpoetter@redhat.com> - 220-1
+- New upstream release
+- Drop /etc/mtab hack, as that's apparently fixed in mock now (#1116158)
+- Remove ghosting for /etc/systemd/system/runlevel*.target, these
+  targets are not configurable anymore in systemd upstream
+- Drop work-around for #1002806, since this is solved upstream now
+
+* Wed May 20 2015 Dennis Gilmore <dennis@ausil.us> - 219-15
+- fix up the conflicts version for fedora-release
+
+* Wed May 20 2015 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 219-14
+- Remove presets (#1221340)
+- Fix (potential) crash and memory leak in timedated, locking failure
+  in systemd-nspawn, crash in resolved.
+- journalctl --list-boots should be faster
+- zsh completions are improved
+- various ommissions in docs are corrected (#1147651)
+- VARIANT and VARIANT_ID fields in os-release are documented
+- systemd-fsck-root.service is generated in the initramfs (#1201979, #1107818)
+- systemd-tmpfiles should behave better on read-only file systems (#1207083)
+
+* Wed Apr 29 2015 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 219-13
+- Patches for some outstanding annoyances
+- Small keyboard hwdb updates
+
+* Wed Apr  8 2015 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 219-12
+- Tighten requirements between subpackages (#1207381).
+
+* Sun Mar 22 2015 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 219-11
+- Move all parts systemd-journal-{remote,upload} to
+  systemd-journal-gatewayd subpackage (#1193143).
+- Create /var/lib/systemd/journal-upload directory (#1193145).
+- Cut out lots of stupid messages at debug level which were obscuring more
+  important stuff.
+- Apply "tentative" state for devices only when they are added, not removed.
+- Ignore invalid swap pri= settings (#1204336)
+- Fix SELinux check for timedated operations to enable/disable ntp (#1014315)
+- Fix comparing of filesystem paths (#1184016)
+
+* Sat Mar 14 2015 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 219-10
+- Fixes for bugs 1186018, 1195294, 1185604, 1196452.
+- Hardware database update.
+- Documentation fixes.
+- A fix for journalctl performance regression.
+- Fix detection of inability to open files in journalctl.
+- Detect SuperH architecture properly.
+- The first of duplicate lines in tmpfiles wins again.
+- Do vconsole setup after loading vconsole driver, not fbcon.
+- Fix problem where some units were restarted during systemd reexec.
+- Fix race in udevadm settle tripping up NetworkManager.
+- Downgrade various log messages.
+- Fix issue where journal-remote would process some messages with a delay.
+- GPT /srv partition autodiscovery is fixed.
+- Reconfigure old Finnish keymaps in post (#1151958)
+
+* Tue Mar 10 2015 Jan Synáček <jsynacek@redhat.com> - 219-9
+- Buttons on Lenovo X6* tablets broken (#1198939)
+
+* Tue Mar  3 2015 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 219-8
+- Reworked device handling (#1195761)
+- ACL handling fixes (with a script in %%post)
+- Various log messages downgraded (#1184712)
+- Allow PIE on s390 again (#1197721)
+
+* Wed Feb 25 2015 Michal Schmidt <mschmidt@redhat.com> - 219-7
+- arm: reenable lto. gcc-5.0.0-0.16 fixed the crash (#1193212)
+
+* Tue Feb 24 2015 Colin Walters <walters@redhat.com> - 219-6
+- Revert patch that breaks Atomic/OSTree (#1195761)
+
+* Fri Feb 20 2015 Michal Schmidt <mschmidt@redhat.com> - 219-5
+- Undo the resolv.conf workaround, Aim for a proper fix in Rawhide.
+
+* Fri Feb 20 2015 Michal Schmidt <mschmidt@redhat.com> - 219-4
+- Revive fedora-disable-resolv.conf-symlink.patch to unbreak composes.
+
+* Wed Feb 18 2015 Michal Schmidt <mschmidt@redhat.com> - 219-3
+- arm: disabling gold did not help; disable lto instead (#1193212)
+
+* Tue Feb 17 2015 Peter Jones <pjones@redhat.com> - 219-2
+- Update 90-default.present for dbxtool.
+
+* Mon Feb 16 2015 Lennart Poettering <lpoetter@redhat.com> - 219-1
+- New upstream release
+- This removes the sysctl/bridge hack, a different solution needs to be found for this (see #634736)
+- This removes the /etc/resolv.conf hack, anaconda needs to fix their handling of /etc/resolv.conf as symlink
+- This enables "%%check"
+- disable gold on arm, as that is broken (see #1193212)
+
+* Mon Feb 16 2015 Peter Robinson <pbrobinson@fedoraproject.org> 218-6
+- aarch64 now has seccomp support
+
+* Thu Feb 05 2015 Michal Schmidt <mschmidt@redhat.com> - 218-5
+- Don't overwrite systemd.macros with unrelated Source file.
+
+* Thu Feb  5 2015 Jan Synáček <jsynacek@redhat.com> - 218-4
+- Add a touchpad hwdb (#1189319)
+
+* Thu Jan 15 2015 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 218-4
+- Enable xkbcommon dependency to allow checking of keymaps
+- Fix permissions of /var/log/journal (#1048424)
+- Enable timedatex in presets (#1187072)
+- Disable rpcbind in presets (#1099595)
+
+* Wed Jan  7 2015 Jan Synáček <jsynacek@redhat.com> - 218-3
+- RFE: journal: automatically rotate the file if it is unlinked (#1171719)
+
+* Mon Jan 05 2015 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 218-3
+- Add firewall description files (#1176626)
+
+* Thu Dec 18 2014 Jan Synáček <jsynacek@redhat.com> - 218-2
+- systemd-nspawn doesn't work on s390/s390x (#1175394)
+
+* Wed Dec 10 2014 Lennart Poettering <lpoetter@redhat.com> - 218-1
+- New upstream release
+- Enable "nss-mymachines" in /etc/nsswitch.conf
+
+* Thu Nov 06 2014 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 217-4
+- Change libgudev1 to only require systemd-libs (#727499), there's
+  no need to require full systemd stack.
+- Fixes for bugs #1159448, #1152220, #1158035.
+- Bash completions updates to allow propose more units for start/restart,
+  and completions for set-default,get-default.
+- Again allow systemctl enable of instances.
+- Hardware database update and fixes.
+- Udev crash on invalid options and kernel commandline timeout parsing are fixed.
+- Add "embedded" chassis type.
+- Sync before 'reboot -f'.
+- Fix restarting of timer units.
+
+* Wed Nov 05 2014 Michal Schmidt <mschmidt@redhat.com> - 217-3
+- Fix hanging journal flush (#1159641)
+
+* Fri Oct 31 2014 Michal Schmidt <mschmidt@redhat.com> - 217-2
+- Fix ordering cycles involving systemd-journal-flush.service and
+  remote-fs.target (#1159117)
+
+* Tue Oct 28 2014 Lennart Poettering <lpoetter@redhat.com> - 217-1
+- New upstream release
+
+* Fri Oct 17 2014 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 216-12
+- Drop PackageKit.service from presets (#1154126)
+
+* Mon Oct 13 2014 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 216-11
+- Conflict with old versions of initscripts (#1152183)
+- Remove obsolete Finnish keymap (#1151958)
+
+* Fri Oct 10 2014 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 216-10
+- Fix a problem with voluntary daemon exits and some other bugs
+  (#1150477, #1095962, #1150289)
+
+* Fri Oct 03 2014 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 216-9
+- Update to latest git, but without the readahead removal patch
+  (#1114786, #634736)
+
+* Wed Oct 01 2014 Kay Sievers <kay@redhat.com> - 216-8
+- revert "don't reset selinux context during CHANGE events"
+
+* Wed Oct 01 2014 Lukáš Nykrýn <lnykryn@redhat.com> - 216-7
+- add temporary workaround for #1147910
+- don't reset selinux context during CHANGE events
+
+* Wed Sep 10 2014 Michal Schmidt <mschmidt@redhat.com> - 216-6
+- Update timesyncd with patches to avoid hitting NTP pool too often.
+
+* Tue Sep 09 2014 Michal Schmidt <mschmidt@redhat.com> - 216-5
+- Use common CONFIGURE_OPTS for build2 and build3.
+- Configure timesyncd with NTP servers from Fedora/RHEL vendor zone.
+
+* Wed Sep 03 2014 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 216-4
+- Move config files for sd-j-remote/upload to sd-journal-gateway subpackage (#1136580)
+
+* Thu Aug 28 2014 Peter Robinson <pbrobinson@fedoraproject.org> 216-3
+- Drop no LTO build option for aarch64/s390 now it's fixed in binutils (RHBZ 1091611)
+
+* Thu Aug 21 2014 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 216-2
+- Re-add patch to disable resolve.conf symlink (#1043119)
+
+* Wed Aug 20 2014 Lennart Poettering <lpoetter@redhat.com> - 216-1
+- New upstream release
+
+* Mon Aug 18 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 215-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Wed Aug 13 2014 Dan Horák <dan[at]danny.cz> 215-11
+- disable LTO also on s390(x)
+
+* Sat Aug 09 2014 Harald Hoyer <harald@redhat.com> 215-10
+- fixed PPC64LE
+
+* Wed Aug  6 2014 Tom Callaway <spot@fedoraproject.org> - 215-9
+- fix license handling
+
+* Wed Jul 30 2014 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 215-8
+- Create systemd-journal-remote and systemd-journal-upload users (#1118907)
+
+* Thu Jul 24 2014 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 215-7
+- Split out systemd-compat-libs subpackage
+
+* Tue Jul 22 2014 Kalev Lember <kalevlember@gmail.com> - 215-6
+- Rebuilt for gobject-introspection 1.41.4
+
+* Mon Jul 21 2014 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 215-5
+- Fix SELinux context of /etc/passwd-, /etc/group-, /etc/.updated (#1121806)
+- Add missing BR so gnutls and elfutils are used
+
+* Sat Jul 19 2014 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 215-4
+- Various man page updates
+- Static device node logic is conditionalized on CAP_SYS_MODULES instead of CAP_MKNOD
+  for better behaviour in containers
+- Some small networkd link handling fixes
+- vconsole-setup runs setfont before loadkeys (https://bugs.freedesktop.org/show_bug.cgi?id=80685)
+- New systemd-escape tool
+- XZ compression settings are tweaked to greatly improve journald performance
+- "watch" is accepted as chassis type
+- Various sysusers fixes, most importantly correct selinux labels
+- systemd-timesyncd bug fix (https://bugs.freedesktop.org/show_bug.cgi?id=80932)
+- Shell completion improvements
+- New udev tag ID_SOFTWARE_RADIO can be used to instruct logind to allow user access
+- XEN and s390 virtualization is properly detected
+
+* Mon Jul 07 2014 Colin Walters <walters@redhat.com> - 215-3
+- Add patch to disable resolve.conf symlink (#1043119)
+
+* Sun Jul 06 2014 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 215-2
+- Move systemd-journal-remote to systemd-journal-gateway package (#1114688)
+- Disable /etc/mtab handling temporarily (#1116158)
+
+* Thu Jul 03 2014 Lennart Poettering <lpoetter@redhat.com> - 215-1
+- New upstream release
+- Enable coredump logic (which abrt would normally override)
+
+* Sun Jun 29 2014 Peter Robinson <pbrobinson@fedoraproject.org> 214-5
+- On aarch64 disable LTO as it still has issues on that arch
+
+* Thu Jun 26 2014 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 214-4
+- Bugfixes (#996133, #1112908)
+
+* Mon Jun 23 2014 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 214-3
+- Actually create input group (#1054549)
+
+* Sun Jun 22 2014 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 214-2
+- Do not restart systemd-logind on upgrades (#1110697)
+- Add some patches (#1081429, #1054549, #1108568, #928962)
+
+* Wed Jun 11 2014 Lennart Poettering <lpoetter@redhat.com> - 214-1
+- New upstream release
+- Get rid of "floppy" group, since udev uses "disk" now
+- Reenable LTO
+
+* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 213-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Wed May 28 2014 Kay Sievers <kay@redhat.com> - 213-3
+- fix systemd-timesync user creation
+
+* Wed May 28 2014 Michal Sekletar <msekleta@redhat.com> - 213-2
+- Create temporary files after installation (#1101983)
+- Add sysstat-collect.timer, sysstat-summary.timer to preset policy (#1101621)
+
+* Wed May 28 2014 Kay Sievers <kay@redhat.com> - 213-1
+- New upstream release
+
+* Tue May 27 2014 Kalev Lember <kalevlember@gmail.com> - 212-6
+- Rebuilt for https://fedoraproject.org/wiki/Changes/Python_3.4
+
+* Fri May 23 2014 Adam Williamson <awilliam@redhat.com> - 212-5
+- revert change from 212-4, causes boot fail on single CPU boxes (RHBZ 1095891)
+
+* Wed May 07 2014 Kay Sievers <kay@redhat.com> - 212-4
+- add netns udev workaround
+
+* Wed May 07 2014 Michal Sekletar <msekleta@redhat.com> - 212-3
+- enable uuidd.socket by default (#1095353)
+
+* Sat Apr 26 2014 Peter Robinson <pbrobinson@fedoraproject.org> 212-2
+- Disable building with -flto for the moment due to gcc 4.9 issues (RHBZ 1091611)
+
+* Tue Mar 25 2014 Lennart Poettering <lpoetter@redhat.com> - 212-1
+- New upstream release
+
+* Mon Mar 17 2014 Peter Robinson <pbrobinson@fedoraproject.org> 211-2
+- Explicitly define which upstream platforms support libseccomp
+
+* Tue Mar 11 2014 Lennart Poettering <lpoetter@redhat.com> - 211-1
+- New upstream release
+
+* Mon Mar 10 2014 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 210-8
+- Fix logind unpriviledged reboot issue and a few other minor fixes
+- Limit generator execution time
+- Recognize buttonless joystick types
+
+* Fri Mar 07 2014 Karsten Hopp <karsten@redhat.com> 210-7
+- ppc64le needs link warnings disabled, too
+
+* Fri Mar 07 2014 Karsten Hopp <karsten@redhat.com> 210-6
+- move ifarch ppc64le to correct place (libseccomp req)
+
+* Fri Mar 07 2014 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 210-5
+- Bugfixes: #1047568, #1047039, #1071128, #1073402
+- Bash completions for more systemd tools
+- Bluetooth database update
+- Manpage fixes
+
+* Thu Mar 06 2014 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 210-4
+- Apply work-around for ppc64le too (#1073647).
+
+* Sat Mar 01 2014 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 210-3
+- Backport a few patches, add completion for systemd-nspawn.
+
+* Fri Feb 28 2014 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 210-3
+- Apply work-arounds for ppc/ppc64 for bugs 1071278 and 1071284
+
+* Mon Feb 24 2014 Lennart Poettering <lpoetter@redhat.com> - 210-2
+- Check more services against preset list and enable by default
+
+* Mon Feb 24 2014 Lennart Poettering <lpoetter@redhat.com> - 210-1
+- new upstream release
+
+* Sun Feb 23 2014 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 209-2.gitf01de96
+- Enable dnssec-triggerd.service by default (#1060754)
+
+* Sun Feb 23 2014 Kay Sievers <kay@redhat.com> - 209-2.gitf01de96
+- git snapshot to sort out ARM build issues
+
+* Thu Feb 20 2014 Lennart Poettering <lpoetter@redhat.com> - 209-1
+- new upstream release
+
+* Tue Feb 18 2014 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 208-15
+- Make gpsd lazily activated (#1066421)
+
+* Mon Feb 17 2014 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 208-14
+- Back out patch which causes user manager to be destroyed when unneeded
+  and spams logs (#1053315)
+
+* Sun Feb 16 2014 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 208-13
+- A different fix for #1023820 taken from Mageia
+- Backported fix for #997031
+- Hardward database updates, man pages improvements, a few small memory
+  leaks, utf-8 correctness and completion fixes
+- Support for key-slot option in crypttab
+
+* Sat Jan 25 2014 Ville Skyttä <ville.skytta@iki.fi> - 208-12
+- Own the %%{_prefix}/lib/kernel(/*) and %%{_datadir}/zsh(/*) dirs.
+
+* Tue Dec 03 2013 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 208-11
+- Backport a few fixes, relevant documentation updates, and HWDB changes
+  (#1051797, #1051768, #1047335, #1047304, #1047186, #1045849, #1043304,
+   #1043212, #1039351, #1031325, #1023820, #1017509, #953077)
+- Flip journalctl to --full by default (#984758)
+
+* Tue Dec 03 2013 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 208-9
+- Apply two patches for #1026860
+
+* Tue Dec 03 2013 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 208-8
+- Bump release to stay ahead of f20
+
+* Tue Dec 03 2013 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 208-7
+- Backport patches (#1023041, #1036845, #1006386?)
+- HWDB update
+- Some small new features: nspawn --drop-capability=, running PID 1 under
+  valgrind, "yearly" and "annually" in calendar specifications
+- Some small documentation and logging updates
+
+* Tue Nov 19 2013 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 208-6
+- Bump release to stay ahead of f20
+
+* Tue Nov 19 2013 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 208-5
+- Use unit name in PrivateTmp= directories (#957439)
+- Update manual pages, completion scripts, and hardware database
+- Configurable Timeouts/Restarts default values
+- Support printing of timestamps on the console
+- Fix some corner cases in detecting when writing to the console is safe
+- Python API: convert keyword values to string, fix sd_is_booted() wrapper
+- Do not tread missing /sbin/fsck.btrfs as an error (#1015467)
+- Allow masking of fsck units
+- Advertise hibernation to swap files
+- Fix SO_REUSEPORT settings
+- Prefer converted xkb keymaps to legacy keymaps (#981805, #1026872)
+- Make use of newer kmod
+- Assorted bugfixes: #1017161, #967521, #988883, #1027478, #821723, #1014303
+
+* Tue Oct 22 2013 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 208-4
+- Add temporary fix for #1002806
+
+* Mon Oct 21 2013 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 208-3
+- Backport a bunch of fixes and hwdb updates
+
+* Wed Oct 2 2013 Lennart Poettering <lpoetter@redhat.com> - 208-2
+- Move old random seed and backlight files into the right place
+
+* Wed Oct 2 2013 Lennart Poettering <lpoetter@redhat.com> - 208-1
+- New upstream release
+
+* Thu Sep 26 2013 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 207-5
+- Do not create /var/var/... dirs
+
+* Wed Sep 18 2013 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 207-4
+- Fix policykit authentication
+- Resolves: rhbz#1006680
+
+* Tue Sep 17 2013 Harald Hoyer <harald@redhat.com> 207-3
+- fixed login
+- Resolves: rhbz#1005233
+
+* Mon Sep 16 2013 Harald Hoyer <harald@redhat.com> 207-2
+- add some upstream fixes for 207
+- fixed swap activation
+- Resolves: rhbz#1008604
+
+* Fri Sep 13 2013 Lennart Poettering <lpoetter@redhat.com> - 207-1
+- New upstream release
+
+* Fri Sep 06 2013 Harald Hoyer <harald@redhat.com> 206-11
+- support "debug" kernel command line parameter
+- journald: fix fd leak in journal_file_empty
+- journald: fix vacuuming of archived journals
+- libudev: enumerate - do not try to match against an empty subsystem
+- cgtop: fixup the online help
+- libudev: fix memleak when enumerating childs
+
+* Wed Sep 04 2013 Harald Hoyer <harald@redhat.com> 206-10
+- Do not require grubby, lorax now takes care of grubby
+- cherry-picked a lot of patches from upstream
+
+* Tue Aug 27 2013 Dennis Gilmore <dennis@ausil.us> - 206-9
+- Require grubby, Fedora installs require grubby,
+- kernel-install took over from new-kernel-pkg
+- without the Requires we are unable to compose Fedora
+- everyone else says that since kernel-install took over
+- it is responsible for ensuring that grubby is in place
+- this is really what we want for Fedora
+
+* Tue Aug 27 2013 Kay Sievers <kay@redhat.com> - 206-8
+- Revert "Require grubby its needed by kernel-install"
+
+* Mon Aug 26 2013 Dennis Gilmore <dennis@ausil.us> 206-7
+- Require grubby its needed by kernel-install
+
+* Thu Aug 22 2013 Harald Hoyer <harald@redhat.com> 206-6
+- kernel-install now understands kernel flavors like PAE
+
+* Tue Aug 20 2013 Rex Dieter <rdieter@fedoraproject.org> - 206-5
+- add sddm.service to preset file (#998978)
+
+* Fri Aug 16 2013 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 206-4
+- Filter out provides for private python modules.
+- Add requires on kmod >= 14 (#990994).
+
+* Sun Aug 11 2013 Zbigniew Jedrzejewski-Szmek <zbyszek@in.waw.pl> - 206-3
+- New systemd-python3 package (#976427).
+- Add ownership of a few directories that we create (#894202).
+
+* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 206-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Tue Jul 23 2013 Kay Sievers <kay@redhat.com> - 206-1
+- New upstream release
+  Resolves (#984152)
+
+* Wed Jul  3 2013 Lennart Poettering <lpoetter@redhat.com> - 205-1
+- New upstream release
+
+* Wed Jun 26 2013 Michal Schmidt <mschmidt@redhat.com> 204-10
+- Split systemd-journal-gateway subpackage (#908081).
+
+* Mon Jun 24 2013 Michal Schmidt <mschmidt@redhat.com> 204-9
+- Rename nm_dispatcher to NetworkManager-dispatcher in default preset (#977433)
+
+* Fri Jun 14 2013 Harald Hoyer <harald@redhat.com> 204-8
+- fix, which helps to sucessfully browse journals with
+  duplicated seqnums
+
+* Fri Jun 14 2013 Harald Hoyer <harald@redhat.com> 204-7
+- fix duplicate message ID bug
+Resolves: rhbz#974132
+
+* Thu Jun 06 2013 Harald Hoyer <harald@redhat.com> 204-6
+- introduce 99-default-disable.preset
+
+* Thu Jun  6 2013 Lennart Poettering <lpoetter@redhat.com> - 204-5
+- Rename 90-display-manager.preset to 85-display-manager.preset so that it actually takes precedence over 90-default.preset's "disable *" line (#903690)
+
+* Tue May 28 2013 Harald Hoyer <harald@redhat.com> 204-4
+- Fix kernel-install (#965897)
+
+* Wed May 22 2013 Kay Sievers <kay@redhat.com> - 204-3
+- Fix kernel-install (#965897)
+
+* Thu May  9 2013 Lennart Poettering <lpoetter@redhat.com> - 204-2
+- New upstream release
+- disable isdn by default (#959793)
+
+* Tue May 07 2013 Harald Hoyer <harald@redhat.com> 203-2
+- forward port kernel-install-grubby.patch
+
+* Tue May  7 2013 Lennart Poettering <lpoetter@redhat.com> - 203-1
+- New upstream release
+
+* Wed Apr 24 2013 Harald Hoyer <harald@redhat.com> 202-3
+- fix ENOENT for getaddrinfo
+- Resolves: rhbz#954012 rhbz#956035
+- crypt-setup-generator: correctly check return of strdup
+- logind-dbus: initialize result variable
+- prevent library underlinking
+
+* Fri Apr 19 2013 Harald Hoyer <harald@redhat.com> 202-2
+- nspawn create empty /etc/resolv.conf if necessary
+- python wrapper: add sd_journal_add_conjunction()
+- fix s390 booting
+- Resolves: rhbz#953217
+
+* Thu Apr 18 2013 Lennart Poettering <lpoetter@redhat.com> - 202-1
+- New upstream release
+
+* Tue Apr 09 2013 Michal Schmidt <mschmidt@redhat.com> - 201-2
+- Automatically discover whether to run autoreconf and add autotools and git
+  BuildRequires based on the presence of patches to be applied.
+- Use find -delete.
+
+* Mon Apr  8 2013 Lennart Poettering <lpoetter@redhat.com> - 201-1
+- New upstream release
+
+* Mon Apr  8 2013 Lennart Poettering <lpoetter@redhat.com> - 200-4
+- Update preset file
+
+* Fri Mar 29 2013 Lennart Poettering <lpoetter@redhat.com> - 200-3
+- Remove NetworkManager-wait-online.service from presets file again, it should default to off
+
+* Fri Mar 29 2013 Lennart Poettering <lpoetter@redhat.com> - 200-2
+- New upstream release
+
+* Tue Mar 26 2013 Lennart Poettering <lpoetter@redhat.com> - 199-2
+- Add NetworkManager-wait-online.service to the presets file
+
+* Tue Mar 26 2013 Lennart Poettering <lpoetter@redhat.com> - 199-1
+- New upstream release
+
+* Mon Mar 18 2013 Michal Schmidt <mschmidt@redhat.com> 198-7
+- Drop /usr/s?bin/ prefixes.
+
+* Fri Mar 15 2013 Harald Hoyer <harald@redhat.com> 198-6
+- run autogen to pickup all changes
+
+* Fri Mar 15 2013 Harald Hoyer <harald@redhat.com> 198-5
+- do not mount anything, when not running as pid 1
+- add initrd.target for systemd in the initrd
+
+* Wed Mar 13 2013 Harald Hoyer <harald@redhat.com> 198-4
+- fix switch-root and local-fs.target problem
+- patch kernel-install to use grubby, if available
+
+* Fri Mar 08 2013 Harald Hoyer <harald@redhat.com> 198-3
+- add Conflict with dracut < 026 because of the new switch-root isolate
+
+* Thu Mar  7 2013 Lennart Poettering <lpoetter@redhat.com> - 198-2
+- Create required users
+
+* Thu Mar 7 2013 Lennart Poettering <lpoetter@redhat.com> - 198-1
+- New release
+- Enable journal persistancy by default
+
+* Sun Feb 10 2013 Peter Robinson <pbrobinson@fedoraproject.org> 197-3
+- Bump for ARM
+
+* Fri Jan 18 2013 Michal Schmidt <mschmidt@redhat.com> - 197-2
+- Added qemu-guest-agent.service to presets (Lennart, #885406).
+- Add missing pygobject3-base to systemd-analyze deps (Lennart).
+- Do not require hwdata, it is all in the hwdb now (Kay).
+- Drop dependency on dbus-python.
+
+* Tue Jan  8 2013 Lennart Poettering <lpoetter@redhat.com> - 197-1
+- New upstream release
+
+* Mon Dec 10 2012 Michal Schmidt <mschmidt@redhat.com> - 196-4
+- Enable rngd.service by default (#857765).
+
+* Mon Dec 10 2012 Michal Schmidt <mschmidt@redhat.com> - 196-3
+- Disable hardening on s390(x) because PIE is broken there and produces
+  text relocations with __thread (#868839).
+
+* Wed Dec 05 2012 Michal Schmidt <mschmidt@redhat.com> - 196-2
+- added spice-vdagentd.service to presets (Lennart, #876237)
+- BR cryptsetup-devel instead of the legacy cryptsetup-luks-devel provide name
+  (requested by Milan Brož).
+- verbose make to see the actual build flags
+
+* Wed Nov 21 2012 Lennart Poettering <lpoetter@redhat.com> - 196-1
+- New upstream release
+
+* Tue Nov 20 2012 Lennart Poettering <lpoetter@redhat.com> - 195-8
+- https://bugzilla.redhat.com/show_bug.cgi?id=873459
+- https://bugzilla.redhat.com/show_bug.cgi?id=878093
+
+* Thu Nov 15 2012 Michal Schmidt <mschmidt@redhat.com> - 195-7
+- Revert udev killing cgroup patch for F18 Beta.
+- https://bugzilla.redhat.com/show_bug.cgi?id=873576
+
+* Fri Nov 09 2012 Michal Schmidt <mschmidt@redhat.com> - 195-6
+- Fix cyclical dep between systemd and systemd-libs.
+- Avoid broken build of test-journal-syslog.
+- https://bugzilla.redhat.com/show_bug.cgi?id=873387
+- https://bugzilla.redhat.com/show_bug.cgi?id=872638
+
+* Thu Oct 25 2012 Kay Sievers <kay@redhat.com> - 195-5
+- require 'sed', limit HOSTNAME= match
+
+* Wed Oct 24 2012 Michal Schmidt <mschmidt@redhat.com> - 195-4
+- add dmraid-activation.service to the default preset
+- add yum protected.d fragment
+- https://bugzilla.redhat.com/show_bug.cgi?id=869619
+- https://bugzilla.redhat.com/show_bug.cgi?id=869717
+
+* Wed Oct 24 2012 Kay Sievers <kay@redhat.com> - 195-3
+- Migrate /etc/sysconfig/ i18n, keyboard, network files/variables to
+  systemd native files
+
+* Tue Oct 23 2012 Lennart Poettering <lpoetter@redhat.com> - 195-2
+- Provide syslog because the journal is fine as a syslog implementation
+
+* Tue Oct 23 2012 Lennart Poettering <lpoetter@redhat.com> - 195-1
+- New upstream release
+- https://bugzilla.redhat.com/show_bug.cgi?id=831665
+- https://bugzilla.redhat.com/show_bug.cgi?id=847720
+- https://bugzilla.redhat.com/show_bug.cgi?id=858693
+- https://bugzilla.redhat.com/show_bug.cgi?id=863481
+- https://bugzilla.redhat.com/show_bug.cgi?id=864629
+- https://bugzilla.redhat.com/show_bug.cgi?id=864672
+- https://bugzilla.redhat.com/show_bug.cgi?id=864674
+- https://bugzilla.redhat.com/show_bug.cgi?id=865128
+- https://bugzilla.redhat.com/show_bug.cgi?id=866346
+- https://bugzilla.redhat.com/show_bug.cgi?id=867407
+- https://bugzilla.redhat.com/show_bug.cgi?id=868603
+
+* Wed Oct 10 2012 Michal Schmidt <mschmidt@redhat.com> - 194-2
+- Add scriptlets for migration away from systemd-timedated-ntp.target
+
+* Wed Oct  3 2012 Lennart Poettering <lpoetter@redhat.com> - 194-1
+- New upstream release
+- https://bugzilla.redhat.com/show_bug.cgi?id=859614
+- https://bugzilla.redhat.com/show_bug.cgi?id=859655
+
+* Fri Sep 28 2012 Lennart Poettering <lpoetter@redhat.com> - 193-1
+- New upstream release
+
+* Tue Sep 25 2012 Lennart Poettering <lpoetter@redhat.com> - 192-1
+- New upstream release
+
+* Fri Sep 21 2012 Lennart Poettering <lpoetter@redhat.com> - 191-2
+- Fix journal mmap header prototype definition to fix compilation on 32bit
+
+* Fri Sep 21 2012 Lennart Poettering <lpoetter@redhat.com> - 191-1
+- New upstream release
+- Enable all display managers by default, as discussed with Adam Williamson
+
+* Thu Sep 20 2012 Lennart Poettering <lpoetter@redhat.com> - 190-1
+- New upstream release
+- Take possession of /etc/localtime, and remove /etc/sysconfig/clock
+- https://bugzilla.redhat.com/show_bug.cgi?id=858780
+- https://bugzilla.redhat.com/show_bug.cgi?id=858787
+- https://bugzilla.redhat.com/show_bug.cgi?id=858771
+- https://bugzilla.redhat.com/show_bug.cgi?id=858754
+- https://bugzilla.redhat.com/show_bug.cgi?id=858746
+- https://bugzilla.redhat.com/show_bug.cgi?id=858266
+- https://bugzilla.redhat.com/show_bug.cgi?id=858224
+- https://bugzilla.redhat.com/show_bug.cgi?id=857670
+- https://bugzilla.redhat.com/show_bug.cgi?id=856975
+- https://bugzilla.redhat.com/show_bug.cgi?id=855863
+- https://bugzilla.redhat.com/show_bug.cgi?id=851970
+- https://bugzilla.redhat.com/show_bug.cgi?id=851275
+- https://bugzilla.redhat.com/show_bug.cgi?id=851131
+- https://bugzilla.redhat.com/show_bug.cgi?id=847472
+- https://bugzilla.redhat.com/show_bug.cgi?id=847207
+- https://bugzilla.redhat.com/show_bug.cgi?id=846483
+- https://bugzilla.redhat.com/show_bug.cgi?id=846085
+- https://bugzilla.redhat.com/show_bug.cgi?id=845973
+- https://bugzilla.redhat.com/show_bug.cgi?id=845194
+- https://bugzilla.redhat.com/show_bug.cgi?id=845028
+- https://bugzilla.redhat.com/show_bug.cgi?id=844630
+- https://bugzilla.redhat.com/show_bug.cgi?id=839736
+- https://bugzilla.redhat.com/show_bug.cgi?id=835848
+- https://bugzilla.redhat.com/show_bug.cgi?id=831740
+- https://bugzilla.redhat.com/show_bug.cgi?id=823485
+- https://bugzilla.redhat.com/show_bug.cgi?id=821813
+- https://bugzilla.redhat.com/show_bug.cgi?id=807886
+- https://bugzilla.redhat.com/show_bug.cgi?id=802198
+- https://bugzilla.redhat.com/show_bug.cgi?id=767795
+- https://bugzilla.redhat.com/show_bug.cgi?id=767561
+- https://bugzilla.redhat.com/show_bug.cgi?id=752774
+- https://bugzilla.redhat.com/show_bug.cgi?id=732874
+- https://bugzilla.redhat.com/show_bug.cgi?id=858735
+
+* Thu Sep 13 2012 Lennart Poettering <lpoetter@redhat.com> - 189-4
+- Don't pull in pkg-config as dep
+- https://bugzilla.redhat.com/show_bug.cgi?id=852828
+
+* Wed Sep 12 2012 Lennart Poettering <lpoetter@redhat.com> - 189-3
+- Update preset policy
+- Rename preset policy file from 99-default.preset to 90-default.preset so that people can order their own stuff after the Fedora default policy if they wish
+
+* Thu Aug 23 2012 Lennart Poettering <lpoetter@redhat.com> - 189-2
+- Update preset policy
+- https://bugzilla.redhat.com/show_bug.cgi?id=850814
+
+* Thu Aug 23 2012 Lennart Poettering <lpoetter@redhat.com> - 189-1
+- New upstream release
+
+* Thu Aug 16 2012 Ray Strode <rstrode@redhat.com> 188-4
+- more scriptlet fixes
+  (move dm migration logic to %%posttrans so the service
+   files it's looking for are available at the time
+   the logic is run)
+
+* Sat Aug 11 2012 Lennart Poettering <lpoetter@redhat.com> - 188-3
+- Remount file systems MS_PRIVATE before switching roots
+- https://bugzilla.redhat.com/show_bug.cgi?id=847418
+
+* Wed Aug 08 2012 Rex Dieter <rdieter@fedoraproject.org> - 188-2
+- fix scriptlets
+
+* Wed Aug  8 2012 Lennart Poettering <lpoetter@redhat.com> - 188-1
+- New upstream release
+- Enable gdm and avahi by default via the preset file
+- Convert /etc/sysconfig/desktop to display-manager.service symlink
+- Enable hardened build
+
+* Mon Jul 30 2012 Kay Sievers <kay@redhat.com> - 187-3
+- Obsolete: system-setup-keyboard
+
+* Wed Jul 25 2012 Kalev Lember <kalevlember@gmail.com> - 187-2
+- Run ldconfig for the new -libs subpackage
+
+* Thu Jul 19 2012 Lennart Poettering <lpoetter@redhat.com> - 187-1
+- New upstream release
+
+* Mon Jul 09 2012 Harald Hoyer <harald@redhat.com> 186-2
+- fixed dracut conflict version
+
+* Tue Jul  3 2012 Lennart Poettering <lpoetter@redhat.com> - 186-1
+- New upstream release
+
+* Fri Jun 22 2012 Nils Philippsen <nils@redhat.com> - 185-7.gite7aee75
+- add obsoletes/conflicts so multilib systemd -> systemd-libs updates work
+
+* Thu Jun 14 2012 Michal Schmidt <mschmidt@redhat.com> - 185-6.gite7aee75
+- Update to current git
+
+* Wed Jun 06 2012 Kay Sievers - 185-5.gita2368a3
+- disable plymouth in configure, to drop the .wants/ symlinks
+
+* Wed Jun 06 2012 Michal Schmidt <mschmidt@redhat.com> - 185-4.gita2368a3
+- Update to current git snapshot
+  - Add systemd-readahead-analyze
+  - Drop upstream patch
+- Split systemd-libs
+- Drop duplicate doc files
+- Fixed License headers of subpackages
+
+* Wed Jun 06 2012 Ray Strode <rstrode@redhat.com> - 185-3
+- Drop plymouth files
+- Conflict with old plymouth
+
+* Tue Jun 05 2012 Kay Sievers - 185-2
+- selinux udev labeling fix
+- conflict with older dracut versions for new udev file names
+
+* Mon Jun 04 2012 Kay Sievers - 185-1
+- New upstream release
+  - udev selinux labeling fixes
+  - new man pages
+  - systemctl help <unit name>
+
+* Thu May 31 2012 Lennart Poettering <lpoetter@redhat.com> - 184-1
+- New upstream release
+
+* Thu May 24 2012 Kay Sievers <kay@redhat.com> - 183-1
+- New upstream release including udev merge.
+
+* Wed Mar 28 2012 Michal Schmidt <mschmidt@redhat.com> - 44-4
+- Add triggers from Bill Nottingham to correct the damage done by
+  the obsoleted systemd-units's preun scriptlet (#807457).
+
+* Mon Mar 26 2012 Dennis Gilmore <dennis@ausil.us> - 44-3
+- apply patch from upstream so we can build systemd on arm and ppc
+- and likely the rest of the secondary arches
+
+* Tue Mar 20 2012 Michal Schmidt <mschmidt@redhat.com> - 44-2
+- Don't build the gtk parts anymore. They're moving into systemd-ui.
+- Remove a dead patch file.
+
+* Fri Mar 16 2012 Lennart Poettering <lpoetter@redhat.com> - 44-1
+- New upstream release
+- Closes #798760, #784921, #783134, #768523, #781735
+
+* Mon Feb 27 2012 Dennis Gilmore <dennis@ausil.us> - 43-2
+- don't conflict with fedora-release systemd never actually provided
+- /etc/os-release so there is no actual conflict
+
+* Wed Feb 15 2012 Lennart Poettering <lpoetter@redhat.com> - 43-1
+- New upstream release
+- Closes #789758, #790260, #790522
+
+* Sat Feb 11 2012 Lennart Poettering <lpoetter@redhat.com> - 42-1
+- New upstream release
+- Save a bit of entropy during system installation (#789407)
+- Don't own /etc/os-release anymore, leave that to fedora-release
+
+* Thu Feb  9 2012 Adam Williamson <awilliam@redhat.com> - 41-2
+- rebuild for fixed binutils
+
+* Thu Feb  9 2012 Lennart Poettering <lpoetter@redhat.com> - 41-1
+- New upstream release
+
+* Tue Feb  7 2012 Lennart Poettering <lpoetter@redhat.com> - 40-1
+- New upstream release
+
+* Thu Jan 26 2012 Kay Sievers <kay@redhat.com> - 39-3
+- provide /sbin/shutdown
+
+* Wed Jan 25 2012 Harald Hoyer <harald@redhat.com> 39-2
+- increment release
+
+* Wed Jan 25 2012 Kay Sievers <kay@redhat.com> - 39-1.1
+- install everything in /usr
+  https://fedoraproject.org/wiki/Features/UsrMove
+
+* Wed Jan 25 2012 Lennart Poettering <lpoetter@redhat.com> - 39-1
+- New upstream release
+
+* Sun Jan 22 2012 Michal Schmidt <mschmidt@redhat.com> - 38-6.git9fa2f41
+- Update to a current git snapshot.
+- Resolves: #781657
+
+* Sun Jan 22 2012 Michal Schmidt <mschmidt@redhat.com> - 38-5
+- Build against libgee06. Reenable gtk tools.
+- Delete unused patches.
+- Add easy building of git snapshots.
+- Remove legacy spec file elements.
+- Don't mention implicit BuildRequires.
+- Configure with --disable-static.
+- Merge -units into the main package.
+- Move section 3 manpages to -devel.
+- Fix unowned directory.
+- Run ldconfig in scriptlets.
+- Split systemd-analyze to a subpackage.
+
+* Sat Jan 21 2012 Dan Horák <dan[at]danny.cz> - 38-4
+- fix build on big-endians
+
+* Wed Jan 11 2012 Lennart Poettering <lpoetter@redhat.com> - 38-3
+- Disable building of gtk tools for now
+
+* Wed Jan 11 2012 Lennart Poettering <lpoetter@redhat.com> - 38-2
+- Fix a few (build) dependencies
+
+* Wed Jan 11 2012 Lennart Poettering <lpoetter@redhat.com> - 38-1
+- New upstream release
+
+* Tue Nov 15 2011 Michal Schmidt <mschmidt@redhat.com> - 37-4
+- Run authconfig if /etc/pam.d/system-auth is not a symlink.
+- Resolves: #753160
+
+* Wed Nov 02 2011 Michal Schmidt <mschmidt@redhat.com> - 37-3
+- Fix remote-fs-pre.target and its ordering.
+- Resolves: #749940
+
+* Wed Oct 19 2011 Michal Schmidt <mschmidt@redhat.com> - 37-2
+- A couple of fixes from upstream:
+- Fix a regression in bash-completion reported in Bodhi.
+- Fix a crash in isolating.
+- Resolves: #717325
+
+* Tue Oct 11 2011 Lennart Poettering <lpoetter@redhat.com> - 37-1
+- New upstream release
+- Resolves: #744726, #718464, #713567, #713707, #736756
+
+* Thu Sep 29 2011 Michal Schmidt <mschmidt@redhat.com> - 36-5
+- Undo the workaround. Kay says it does not belong in systemd.
+- Unresolves: #741655
+
+* Thu Sep 29 2011 Michal Schmidt <mschmidt@redhat.com> - 36-4
+- Workaround for the crypto-on-lvm-on-crypto disk layout
+- Resolves: #741655
+
+* Sun Sep 25 2011 Michal Schmidt <mschmidt@redhat.com> - 36-3
+- Revert an upstream patch that caused ordering cycles
+- Resolves: #741078
+
+* Fri Sep 23 2011 Lennart Poettering <lpoetter@redhat.com> - 36-2
+- Add /etc/timezone to ghosted files
+
+* Fri Sep 23 2011 Lennart Poettering <lpoetter@redhat.com> - 36-1
+- New upstream release
+- Resolves: #735013, #736360, #737047, #737509, #710487, #713384
+
+* Thu Sep  1 2011 Lennart Poettering <lpoetter@redhat.com> - 35-1
+- New upstream release
+- Update post scripts
+- Resolves: #726683, #713384, #698198, #722803, #727315, #729997, #733706, #734611
+
+* Thu Aug 25 2011 Lennart Poettering <lpoetter@redhat.com> - 34-1
+- New upstream release
+
+* Fri Aug 19 2011 Harald Hoyer <harald@redhat.com> 33-2
+- fix ABRT on service file reloading
+- Resolves: rhbz#732020
+
+* Wed Aug  3 2011 Lennart Poettering <lpoetter@redhat.com> - 33-1
+- New upstream release
+
+* Fri Jul 29 2011 Lennart Poettering <lpoetter@redhat.com> - 32-1
+- New upstream release
+
+* Wed Jul 27 2011 Lennart Poettering <lpoetter@redhat.com> - 31-2
+- Fix access mode of modprobe file, restart logind after upgrade
+
+* Wed Jul 27 2011 Lennart Poettering <lpoetter@redhat.com> - 31-1
+- New upstream release
+
+* Wed Jul 13 2011 Lennart Poettering <lpoetter@redhat.com> - 30-1
+- New upstream release
+
+* Thu Jun 16 2011 Lennart Poettering <lpoetter@redhat.com> - 29-1
+- New upstream release
+
+* Mon Jun 13 2011 Michal Schmidt <mschmidt@redhat.com> - 28-4
+- Apply patches from current upstream.
+- Fixes memory size detection on 32-bit with >4GB RAM (BZ712341)
+
+* Wed Jun 08 2011 Michal Schmidt <mschmidt@redhat.com> - 28-3
+- Apply patches from current upstream
+- https://bugzilla.redhat.com/show_bug.cgi?id=709909
+- https://bugzilla.redhat.com/show_bug.cgi?id=710839
+- https://bugzilla.redhat.com/show_bug.cgi?id=711015
+
+* Sat May 28 2011 Lennart Poettering <lpoetter@redhat.com> - 28-2
+- Pull in nss-myhostname
+
+* Thu May 26 2011 Lennart Poettering <lpoetter@redhat.com> - 28-1
+- New upstream release
+
+* Wed May 25 2011 Lennart Poettering <lpoetter@redhat.com> - 26-2
+- Bugfix release
+- https://bugzilla.redhat.com/show_bug.cgi?id=707507
+- https://bugzilla.redhat.com/show_bug.cgi?id=707483
+- https://bugzilla.redhat.com/show_bug.cgi?id=705427
+- https://bugzilla.redhat.com/show_bug.cgi?id=707577
+
+* Sat Apr 30 2011 Lennart Poettering <lpoetter@redhat.com> - 26-1
+- New upstream release
+- https://bugzilla.redhat.com/show_bug.cgi?id=699394
+- https://bugzilla.redhat.com/show_bug.cgi?id=698198
+- https://bugzilla.redhat.com/show_bug.cgi?id=698674
+- https://bugzilla.redhat.com/show_bug.cgi?id=699114
+- https://bugzilla.redhat.com/show_bug.cgi?id=699128
+
+* Thu Apr 21 2011 Lennart Poettering <lpoetter@redhat.com> - 25-1
+- New upstream release
+- https://bugzilla.redhat.com/show_bug.cgi?id=694788
+- https://bugzilla.redhat.com/show_bug.cgi?id=694321
+- https://bugzilla.redhat.com/show_bug.cgi?id=690253
+- https://bugzilla.redhat.com/show_bug.cgi?id=688661
+- https://bugzilla.redhat.com/show_bug.cgi?id=682662
+- https://bugzilla.redhat.com/show_bug.cgi?id=678555
+- https://bugzilla.redhat.com/show_bug.cgi?id=628004
+
+* Wed Apr  6 2011 Lennart Poettering <lpoetter@redhat.com> - 24-1
+- New upstream release
+- https://bugzilla.redhat.com/show_bug.cgi?id=694079
+- https://bugzilla.redhat.com/show_bug.cgi?id=693289
+- https://bugzilla.redhat.com/show_bug.cgi?id=693274
+- https://bugzilla.redhat.com/show_bug.cgi?id=693161
+
+* Tue Apr  5 2011 Lennart Poettering <lpoetter@redhat.com> - 23-1
+- New upstream release
+- Include systemd-sysv-convert
+
+* Fri Apr  1 2011 Lennart Poettering <lpoetter@redhat.com> - 22-1
+- New upstream release
+
+* Wed Mar 30 2011 Lennart Poettering <lpoetter@redhat.com> - 21-2
+- The quota services are now pulled in by mount points, hence no need to enable them explicitly
+
+* Tue Mar 29 2011 Lennart Poettering <lpoetter@redhat.com> - 21-1
+- New upstream release
+
+* Mon Mar 28 2011 Matthias Clasen <mclasen@redhat.com> - 20-2
+- Apply upstream patch to not send untranslated messages to plymouth
+
+* Tue Mar  8 2011 Lennart Poettering <lpoetter@redhat.com> - 20-1
+- New upstream release
+
+* Tue Mar  1 2011 Lennart Poettering <lpoetter@redhat.com> - 19-1
+- New upstream release
+
+* Wed Feb 16 2011 Lennart Poettering <lpoetter@redhat.com> - 18-1
+- New upstream release
+
+* Mon Feb 14 2011 Bill Nottingham <notting@redhat.com> - 17-6
+- bump upstart obsoletes (#676815)
+
+* Wed Feb  9 2011 Tom Callaway <spot@fedoraproject.org> - 17-5
+- add macros.systemd file for %%{_unitdir}
+
+* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 17-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Wed Feb  9 2011 Lennart Poettering <lpoetter@redhat.com> - 17-3
+- Fix popen() of systemctl, #674916
+
+* Mon Feb  7 2011 Bill Nottingham <notting@redhat.com> - 17-2
+- add epoch to readahead obsolete
+
+* Sat Jan 22 2011 Lennart Poettering <lpoetter@redhat.com> - 17-1
+- New upstream release
+
+* Tue Jan 18 2011 Lennart Poettering <lpoetter@redhat.com> - 16-2
+- Drop console.conf again, since it is not shipped in pamtmp.conf
+
+* Sat Jan  8 2011 Lennart Poettering <lpoetter@redhat.com> - 16-1
+- New upstream release
+
+* Thu Nov 25 2010 Lennart Poettering <lpoetter@redhat.com> - 15-1
+- New upstream release
+
+* Thu Nov 25 2010 Lennart Poettering <lpoetter@redhat.com> - 14-1
+- Upstream update
+- Enable hwclock-load by default
+- Obsolete readahead
+- Enable /var/run and /var/lock on tmpfs
+
+* Fri Nov 19 2010 Lennart Poettering <lpoetter@redhat.com> - 13-1
+- new upstream release
+
+* Wed Nov 17 2010 Bill Nottingham <notting@redhat.com> 12-3
+- Fix clash
+
+* Wed Nov 17 2010 Lennart Poettering <lpoetter@redhat.com> - 12-2
+- Don't clash with initscripts for now, so that we don't break the builders
+
+* Wed Nov 17 2010 Lennart Poettering <lpoetter@redhat.com> - 12-1
+- New upstream release
+
+* Fri Nov 12 2010 Matthias Clasen <mclasen@redhat.com> - 11-2
+- Rebuild with newer vala, libnotify
+
+* Thu Oct  7 2010 Lennart Poettering <lpoetter@redhat.com> - 11-1
+- New upstream release
+
+* Wed Sep 29 2010 Jesse Keating <jkeating@redhat.com> - 10-6
+- Rebuilt for gcc bug 634757
+
+* Thu Sep 23 2010 Bill Nottingham <notting@redhat.com> - 10-5
+- merge -sysvinit into main package
+
+* Mon Sep 20 2010 Bill Nottingham <notting@redhat.com> - 10-4
+- obsolete upstart-sysvinit too
+
+* Fri Sep 17 2010 Bill Nottingham <notting@redhat.com> - 10-3
+- Drop upstart requires
+
+* Tue Sep 14 2010 Lennart Poettering <lpoetter@redhat.com> - 10-2
+- Enable audit
+- https://bugzilla.redhat.com/show_bug.cgi?id=633771
+
+* Tue Sep 14 2010 Lennart Poettering <lpoetter@redhat.com> - 10-1
+- New upstream release
+- https://bugzilla.redhat.com/show_bug.cgi?id=630401
+- https://bugzilla.redhat.com/show_bug.cgi?id=630225
+- https://bugzilla.redhat.com/show_bug.cgi?id=626966
+- https://bugzilla.redhat.com/show_bug.cgi?id=623456
+
+* Fri Sep  3 2010 Bill Nottingham <notting@redhat.com> - 9-3
+- move fedora-specific units to initscripts; require newer version thereof
+
+* Fri Sep  3 2010 Lennart Poettering <lpoetter@redhat.com> - 9-2
+- Add missing tarball
+
+* Fri Sep  3 2010 Lennart Poettering <lpoetter@redhat.com> - 9-1
+- New upstream version
+- Closes 501720, 614619, 621290, 626443, 626477, 627014, 627785, 628913
+
+* Fri Aug 27 2010 Lennart Poettering <lpoetter@redhat.com> - 8-3
+- Reexecute after installation, take ownership of /var/run/user
+- https://bugzilla.redhat.com/show_bug.cgi?id=627457
+- https://bugzilla.redhat.com/show_bug.cgi?id=627634
+
+* Thu Aug 26 2010 Lennart Poettering <lpoetter@redhat.com> - 8-2
+- Properly create default.target link
+
+* Wed Aug 25 2010 Lennart Poettering <lpoetter@redhat.com> - 8-1
+- New upstream release
+
+* Thu Aug 12 2010 Lennart Poettering <lpoetter@redhat.com> - 7-3
+- Fix https://bugzilla.redhat.com/show_bug.cgi?id=623561
+
+* Thu Aug 12 2010 Lennart Poettering <lpoetter@redhat.com> - 7-2
+- Fix https://bugzilla.redhat.com/show_bug.cgi?id=623430
+
+* Tue Aug 10 2010 Lennart Poettering <lpoetter@redhat.com> - 7-1
+- New upstream release
+
+* Fri Aug  6 2010 Lennart Poettering <lpoetter@redhat.com> - 6-2
+- properly hide output on package installation
+- pull in coreutils during package installtion
+
+* Fri Aug  6 2010 Lennart Poettering <lpoetter@redhat.com> - 6-1
+- New upstream release
+- Fixes #621200
+
+* Wed Aug  4 2010 Lennart Poettering <lpoetter@redhat.com> - 5-2
+- Add tarball
+
+* Wed Aug  4 2010 Lennart Poettering <lpoetter@redhat.com> - 5-1
+- Prepare release 5
+
+* Tue Jul 27 2010 Bill Nottingham <notting@redhat.com> - 4-4
+- Add 'sysvinit-userspace' provide to -sysvinit package to fix upgrade/install (#618537)
+
+* Sat Jul 24 2010 Lennart Poettering <lpoetter@redhat.com> - 4-3
+- Add libselinux to build dependencies
+
+* Sat Jul 24 2010 Lennart Poettering <lpoetter@redhat.com> - 4-2
+- Use the right tarball
+
+* Sat Jul 24 2010 Lennart Poettering <lpoetter@redhat.com> - 4-1
+- New upstream release, and make default
+
+* Tue Jul 13 2010 Lennart Poettering <lpoetter@redhat.com> - 3-3
+- Used wrong tarball
+
+* Tue Jul 13 2010 Lennart Poettering <lpoetter@redhat.com> - 3-2
+- Own /cgroup jointly with libcgroup, since we don't dpend on it anymore
+
+* Tue Jul 13 2010 Lennart Poettering <lpoetter@redhat.com> - 3-1
+- New upstream release
+
+* Fri Jul 9 2010 Lennart Poettering <lpoetter@redhat.com> - 2-0
+- New upstream release
+
+* Wed Jul 7 2010 Lennart Poettering <lpoetter@redhat.com> - 1-0
+- First upstream release
+
+* Tue Jun 29 2010 Lennart Poettering <lpoetter@redhat.com> - 0-0.7.20100629git4176e5
+- New snapshot
+- Split off -units package where other packages can depend on without pulling in the whole of systemd
+
+* Tue Jun 22 2010 Lennart Poettering <lpoetter@redhat.com> - 0-0.6.20100622gita3723b
+- Add missing libtool dependency.
+
+* Tue Jun 22 2010 Lennart Poettering <lpoetter@redhat.com> - 0-0.5.20100622gita3723b
+- Update snapshot
+
+* Mon Jun 14 2010 Rahul Sundaram <sundaram@fedoraproject.org> - 0-0.4.20100614git393024
+- Pull the latest snapshot that fixes a segfault. Resolves rhbz#603231
+
+* Fri Jun 11 2010 Rahul Sundaram <sundaram@fedoraproject.org> - 0-0.3.20100610git2f198e
+- More minor fixes as per review
+
+* Thu Jun 10 2010 Rahul Sundaram <sundaram@fedoraproject.org> - 0-0.2.20100610git2f198e
+- Spec improvements from David Hollis
+
+* Wed Jun 09 2010 Rahul Sundaram <sundaram@fedoraproject.org> - 0-0.1.20090609git2f198e
+- Address review comments
+
+* Tue Jun 01 2010 Rahul Sundaram <sundaram@fedoraproject.org> - 0-0.0.git2010-06-02
+- Initial spec (adopted from Kay Sievers)