Ubuntu
systemd package

Merge ~enr0n/ubuntu/+source/systemd:ubuntu-kinetic into ~ubuntu-core-dev/ubuntu/+source/systemd:ubuntu-kinetic

Proposed by Nick Rosbrook on 2022-08-17

Status:	Merged
Merged at revision:	fb5fdc89d8514683e3c46b6e5267dce869495808
Proposed branch:	~enr0n/ubuntu/+source/systemd:ubuntu-kinetic
Merge into:	~ubuntu-core-dev/ubuntu/+source/systemd:ubuntu-kinetic
Diff against target:	7594 lines (+2925/-689) 205 files modified .gitignore (+1/-0) debian/changelog (+190/-5) debian/control (+110/-9) debian/extra/initramfs/post-update.d/systemd-boot (+11/-0) debian/extra/kernel/postinst.d/systemd-boot (+11/-0) debian/extra/kernel/postrm.d/systemd-boot (+11/-0) debian/extra/pam-configs/systemd-homed (+15/-0) debian/gitlab-ci.yml (+2/-0) debian/libnss-myhostname.install (+0/-2) debian/libnss-myhostname.manpages (+2/-0) debian/libnss-myhostname.nss (+1/-0) debian/libnss-mymachines.install (+0/-2) debian/libnss-mymachines.manpages (+2/-0) debian/libnss-mymachines.nss (+1/-0) debian/libnss-resolve.install (+0/-2) debian/libnss-resolve.lintian-overrides (+0/-1) debian/libnss-resolve.manpages (+2/-0) debian/libnss-resolve.nss (+1/-0) debian/libnss-systemd.install (+0/-2) debian/libnss-systemd.manpages (+2/-0) debian/libnss-systemd.nss (+4/-0) debian/libpam-systemd.install (+1/-2) debian/libpam-systemd.manpages (+1/-0) debian/libsystemd-dev.install (+0/-2) debian/libsystemd-dev.manpages (+2/-0) debian/libsystemd-shared.install (+2/-0) debian/libsystemd-shared.lintian-overrides (+2/-0) debian/libudev-dev.install (+0/-2) debian/libudev-dev.manpages (+2/-0) debian/patches/Move-homectl-and-userdbctl-to-bindir.patch (+35/-0) debian/patches/debian/Downgrade-a-couple-of-warnings-to-debug.patch (+4/-4) debian/patches/debian/Move-sysusers.d-sysctl.d-binfmt.d-modules-load.d-back-to-.patch (+4/-4) debian/patches/debian/Revert-core-set-RLIMIT_CORE-to-unlimited-by-default.patch (+2/-2) debian/patches/debian/Use-Debian-specific-config-files.patch (+2/-2) debian/patches/debian/fsckd-daemon-for-inter-fsckd-communication.patch (+3/-3) debian/patches/meson-install-libsystemd-shared-into-rootpkglibdir.patch (+1218/-0) debian/patches/series (+4/-5) debian/patches/shellcheck-clean-kernel-install-again.patch (+46/-0) debian/patches/test-denylist-TEST-29-PORTABLE-again.patch (+18/-0) debian/rules (+54/-38) debian/shlibs.local.in (+2/-2) debian/systemd-boot-efi.install (+1/-0) debian/systemd-boot-efi.lintian-overrides (+6/-0) debian/systemd-boot-efi.manpages (+1/-0) debian/systemd-boot.install (+10/-0) debian/systemd-boot.lintian-overrides (+3/-0) debian/systemd-boot.manpages (+8/-0) debian/systemd-container.install (+0/-6) debian/systemd-container.manpages (+6/-0) debian/systemd-coredump.install (+0/-3) debian/systemd-coredump.manpages (+3/-0) debian/systemd-homed.install (+11/-0) debian/systemd-homed.lintian-overrides (+5/-0) debian/systemd-homed.manpages (+1/-0) debian/systemd-homed.postinst (+7/-0) debian/systemd-homed.prerm (+20/-0) debian/systemd-journal-remote.install (+0/-12) debian/systemd-journal-remote.manpages (+12/-0) debian/systemd-oomd.install (+0/-1) debian/systemd-oomd.manpages (+1/-0) debian/systemd-resolved.install (+13/-0) debian/systemd-resolved.links (+1/-0) debian/systemd-resolved.lintian-overrides (+3/-0) debian/systemd-resolved.manpages (+4/-0) debian/systemd-resolved.postinst (+28/-0) debian/systemd-standalone-sysusers.manpages (+1/-0) debian/systemd-standalone-tmpfiles.manpages (+1/-0) debian/systemd-sysv.install (+0/-7) debian/systemd-sysv.manpages (+7/-0) debian/systemd-timesyncd.install (+0/-1) debian/systemd-timesyncd.manpages (+1/-0) debian/systemd-userdbd.install (+5/-0) debian/systemd-userdbd.lintian-overrides (+3/-0) debian/systemd-userdbd.manpages (+1/-0) debian/systemd.NEWS (+21/-0) debian/systemd.install (+0/-5) debian/systemd.lintian-overrides (+0/-7) debian/systemd.maintscript (+1/-0) debian/systemd.manpages (+4/-0) debian/systemd.postinst (+1/-4) debian/tests/control (+4/-0) debian/udev.install (+0/-7) debian/udev.manpages (+7/-0) dev/null (+0/-33) hwdb.d/70-analyzers.hwdb (+0/-1) man/journalctl.xml (+1/-1) man/os-release.xml (+1/-1) man/pam_systemd_home.xml (+14/-5) man/sd_notify.xml (+9/-8) man/system-or-user-ns.xml (+2/-2) man/systemctl.xml (+41/-40) man/systemd-creds.xml (+1/-1) man/systemd-integritysetup-generator.xml (+1/-1) man/systemd-sysctl.service.xml (+1/-1) man/systemd.exec.xml (+34/-12) man/systemd.mount.xml (+7/-9) man/systemd.netdev.xml (+1/-1) man/systemd.network.xml (+6/-6) man/sysupdate.d.xml (+10/-10) man/udevadm.xml (+2/-1) meson.build (+15/-2) src/analyze/analyze-security.c (+22/-17) src/basic/fd-util.c (+2/-0) src/basic/gcrypt-util.c (+2/-0) src/basic/hashmap.c (+8/-5) src/basic/missing_fs.h (+5/-0) src/basic/set.h (+6/-3) src/basic/stat-util.c (+6/-14) src/basic/stat-util.h (+7/-2) src/basic/time-util.c (+1/-1) src/basic/unit-file.c (+1/-4) src/basic/virt.c (+12/-7) src/boot/efi/meson.build (+13/-0) src/boot/efi/xbootldr.c (+1/-1) src/cgroups-agent/cgroups-agent.c (+7/-0) src/core/bpf/restrict_ifaces/restrict-ifaces.bpf.c (+1/-1) src/core/dbus.c (+3/-1) src/core/import-creds.c (+4/-4) src/core/load-fragment.c (+46/-12) src/core/main.c (+10/-7) src/core/mount.c (+7/-5) src/core/namespace.c (+4/-1) src/core/scope.c (+1/-1) src/core/systemd.pc.in (+2/-0) src/coredump/coredump.c (+9/-2) src/dissect/dissect.c (+1/-0) src/fundamental/sha256.c (+1/-1) src/home/homed-home-bus.c (+2/-0) src/home/homework-cifs.c (+5/-0) src/home/homework-luks.c (+4/-8) src/home/homework-mount.c (+2/-0) src/home/homework.h (+2/-1) src/import/pull-common.h (+9/-9) src/integritysetup/integritysetup.c (+6/-6) src/journal-remote/microhttpd-util.c (+1/-1) src/kernel-install/kernel-install.in (+1/-1) src/libsystemd-network/dhcp6-option.c (+7/-7) src/libsystemd-network/sd-dhcp-lease.c (+1/-1) src/libsystemd-network/sd-dhcp6-lease.c (+22/-12) src/libsystemd-network/test-dhcp6-client.c (+42/-0) src/libsystemd/sd-bus/sd-bus.c (+1/-1) src/libsystemd/sd-device/device-internal.h (+1/-1) src/libsystemd/sd-device/device-monitor.c (+2/-2) src/libsystemd/sd-device/device-private.c (+33/-22) src/libsystemd/sd-device/device-private.h (+3/-3) src/libsystemd/sd-device/sd-device.c (+3/-0) src/libsystemd/sd-device/test-sd-device.c (+18/-4) src/libsystemd/sd-event/sd-event.c (+1/-1) src/libsystemd/sd-event/test-event.c (+52/-0) src/libsystemd/sd-id128/id128-util.c (+4/-4) src/libsystemd/sd-journal/journal-verify.c (+6/-1) src/libsystemd/sd-journal/sd-journal.c (+2/-0) src/locale/keymap-util.c (+1/-1) src/network/netdev/l2tp-tunnel.c (+1/-1) src/network/netdev/macsec.c (+0/-2) src/network/netdev/wireguard.c (+0/-2) src/network/networkctl.c (+1/-1) src/network/networkd-dhcp-common.c (+4/-7) src/network/networkd-dhcp4.c (+0/-5) src/network/networkd-dhcp6.c (+0/-5) src/network/networkd-link.c (+1/-1) src/network/networkd-ndisc.c (+5/-13) src/network/networkd-radv.c (+8/-3) src/nspawn/nspawn-settings.c (+5/-0) src/nspawn/nspawn.c (+2/-2) src/partition/growfs.c (+5/-1) src/partition/repart.c (+2/-2) src/portable/profile/trusted/service.conf (+2/-1) src/resolve/resolved-bus.c (+1/-7) src/resolve/resolved-dns-cache.c (+28/-6) src/resolve/resolved-dns-cache.h (+1/-1) src/resolve/resolved-dns-packet.c (+28/-10) src/resolve/resolved-dns-packet.h (+2/-0) src/resolve/resolved-dns-scope.c (+11/-8) src/resolve/resolved-dns-transaction.c (+157/-104) src/resolve/resolved-dns-transaction.h (+0/-4) src/resolve/resolved-mdns.c (+25/-10) src/rpm/macros.systemd.in (+1/-0) src/shared/base-filesystem.c (+1/-1) src/shared/dissect-image.c (+1/-0) src/shared/dns-domain.c (+1/-1) src/shared/json.c (+3/-1) src/shared/logs-show.c (+1/-1) src/shared/mount-util.c (+2/-0) src/shared/seccomp-util.c (+1/-0) src/shared/utmp-wtmp.h (+1/-1) src/sleep/sleep.conf (+1/-1) src/sysext/sysext.c (+1/-0) src/systemctl/systemctl-list-unit-files.c (+1/-1) src/systemctl/systemctl-show.c (+4/-4) src/systemctl/systemctl-util.c (+3/-1) src/systemctl/systemctl.c (+6/-5) src/systemd/_sd-common.h (+1/-1) src/test/test-dns-domain.c (+1/-0) src/test/test-loop-block.c (+1/-0) src/test/test-sd-hwdb.c (+1/-1) src/test/test-set.c (+30/-0) src/test/test-time-util.c (+5/-0) src/tmpfiles/tmpfiles.c (+8/-11) src/udev/udev-rules.c (+4/-4) src/udev/udevd.c (+1/-1) test/units/testsuite-04.sh (+1/-1) test/units/testsuite-67.sh (+25/-4) units/modprobe@.service (+1/-0) units/systemd-udev-trigger.service (+1/-1)
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Lukas Märdian		2022-08-17	Approve on 2022-08-24
Review via email: mp+428504@code.launchpad.net

Description of the change

Merge of systemd 251.4-1 from Debian. I will post the PPA autopkgtest results when they have finished.

Revision history for this message

Lukas Märdian (slyon) wrote on 2022-08-23 (last edit on 2022-08-23):

+1 for DENYLISTing the 29-PORTABLE test, it seems to fail more often than not. Maybe we could also update the upstream bug report with some logs from autopkgtest.ubuntu.com to provide some evidence.

As suggested earlier, I think we need to upgrade the systemd -> (Suggests:) -> systemd-resolved to something stronger, probably "Depends:" in Ubuntu. As Ubuntu has been using systemd-resolved by default for a while.

LGTM otherwise.

PS: I also like the enablement of systemd-homed, wanted to do this for a long time but never found the time (and a proper reason in Ubuntu) to get it enabled.

Revision history for this message

Nick Rosbrook (enr0n) wrote on 2022-08-23:

I opted to make systemd Recommends: systemd-resolved to avoid circular Depends: between the two packages. The Recommends: is strong enough to ensure that systemd-resolved is installed with systemd by default.

Some PPA autopkgtests are here: https://autopkgtest.staging.ubuntu.com/results/autopkgtest-kinetic-enr0n-systemd-251/?format=plain

Something odd is going in with armhf (apt-source systemd fails), but I have not been able to re-create the issue outside autopkgtest.

On arm64, my PPA builder is using proposed by default, despite the PPA dependencies being configured otherwise. This means the package on arm64 wants libc6 2.36, which cannot be satisfied without proposed.

Still waiting for tests to finish on ppc64el, but tests are passing on amd64 and s390x.

Overall, we may have some work to do to get this version migrated, but I don't think we should block the upload on these PPA autopkgtest issues.

Revision history for this message

Lukas Märdian (slyon) wrote on 2022-08-24:

Thanks for explaining the test failures!

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

The diff has been truncated for viewing.

Subscribers

People subscribed via source and target branches

to all changes:

Dimitri John Ledkov

Nick Rosbrook

Ubuntu Core Development Team

 diff --git a/.gitignore b/.gitignore
 index 9763766..7b6d0a3 100644
 --- a/.gitignore
 +++ b/.gitignore
@@ -36,3 +36,4 @@ __pycache__/
  # Ignore any mkosi config files with "local" in the name
  /mkosi.default.d/**/*local*.conf
  /tags
++.dir-locals-2.el
 diff --git a/debian/changelog b/debian/changelog
 index 2c2c602..acbfad0 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,10 +1,195 @@
--systemd (251.2-2ubuntu3) UNRELEASED; urgency=medium
++systemd (251.4-1ubuntu1) kinetic; urgency=medium
--  * Cherry-pick upstream commit (3657d3a) to fix glibc 2.36 compat
--    File: debian/patches/glibc-Remove-include-linux-fs.h-to-resolve-fsconfig_comma.patch
--    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=1e8048741cc0f811faf6b9e713a3fb7e38ef3503
++  * Merge 251.4-1 from Debian
++    - debian/rules: Keep our diff for TPM2 build on i386
++    - Drop EFI build patches.
++      An upstream patch that covers these changes was backported to the 251
++      stable branch.
++      Files:
++      - debian/patches/lp1979215-boot-efi-missing-.note.GNU-stack-section-implies-executab.patch
++      - debian/patches/lp1979236-boot-efi-set-no-warn-rwx-segments-on-arm.patch
++      https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=983b46f110b5a6e32a28b87c4b9458442624c0cd
++    - Drop debian/patches/units-remove-the-restart-limit-on-the-modprobe-.service.patch.
++      This patch was backported to the 251 stable branch.
++      File: debian/patches/units-remove-the-restart-limit-on-the-modprobe-.service.patch
++      https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=959fe326da87466775b37088e9bfd476056373ea
++    - debian/rules: update i386 debugedit workaround.
++      This linuxia32.elf.stub is shipped with systemd-boot-efi now, so update
++      the workaround to include that path as well.
++      File: debian/rules
++      https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=354f9fccc94dcb0d555329921510d5f22e62351a
++  * test: denylist TEST-29-PORTABLE again
++    File: debian/patches/test-denylist-TEST-29-PORTABLE-again.patch
++    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=6036de78481f8cbf3e8f3a52dac711c732d80c59
++  * debian/control: add systemd-resolved to systemd's Recommends:
++    In Ubuntu, systemd-resolved is used by default, so after the
++    systemd-resolved package split, we should have a stronger relationship
++    than Suggests: systemd-resolved.
++    File: debian/control
++    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=400bf9dd2cf83c91f47326769eff0259429f3e0a
++  * debian/control: add Recommends: systemd-hwe-hwdb to udev.
++    The systemd-hwe-hwdb brings in additional hwdb rules for HWE, so we want
++    those installed with udev by default.
++    File: debian/control
++    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=148d8d9cd4c260559ad944de3427f183e04858cc
++
++ -- Nick Rosbrook <nick.rosbrook@canonical.com>  Tue, 23 Aug 2022 17:45:48 -0400
++
++systemd (251.4-1) unstable; urgency=medium
++
++  * New upstream version 251.4
++  * Rebase patches
++  * Rebuild against fixed dh-nss to avoid duplicates in /etc/nsswitch.conf
++    (Closes: #1017096)
++
++ -- Michael Biebl <biebl@debian.org>  Sun, 14 Aug 2022 20:06:18 +0200
++
++systemd (251.3-2) unstable; urgency=medium
++
++  [ Luca Boccassi ]
++  * libnss-systemd: also let userdbd manage passwords.
++    As of upstream commit:
++    https://github.com/systemd/systemd/commit/f43a19ecd6e3415e
++    in v249 userdbd can also synthesize shadow/gshadow records,
++    so add the shadow config to nsswitch.conf on installation.
++    (Closes: #1004326)
++  * homed: make PAM rules higher priority than unix users.
++    Make sure homed is tried first when logging in. This is required
++    after adding nss-systemd support for 'shadow' in /etc/nsswitch.conf.
++    See Arch bug: https://bugs.archlinux.org/task/72967
++
++  [ Gioele Barabucci ]
++  * d/control: Use dh_installnss
++  * d/libnss-myhostname.nss: Install NSS service `myhostname` via dh_installnss
++  * d/libnss-mymaschines.nss: Install NSS service `mymaschines` via dh_installnss
++  * d/libnss-resolve.nss: Install NSS service `resolve` via dh_installnss
++  * d/libnss-systemd.nss: Install NSS service `systemd` via dh_installnss
++
++ -- Michael Biebl <biebl@debian.org>  Fri, 12 Aug 2022 19:06:38 +0200
++
++systemd (251.3-2~exp2) experimental; urgency=medium
++
++  * Note in systemd.NEWS that resolved has moved to a new package
++  * systemd-resolved: move conffile from systemd. Copied from systemd-
++    timesyncd
++
++ -- Luca Boccassi <bluca@debian.org>  Sun, 07 Aug 2022 00:06:03 +0100
++
++systemd (251.3-2~exp1) experimental; urgency=medium
++
++  * Split systemd-resolved into its own package which takes over
++    /etc/resolv.conf (Closes: #939904)
++
++ -- Luca Boccassi <bluca@debian.org>  Thu, 04 Aug 2022 14:55:48 +0100
++
++systemd (251.3-1) unstable; urgency=medium
++
++  * New upstream version 251.3
++  * Rebase patches
++
++ -- Michael Biebl <biebl@debian.org>  Wed, 13 Jul 2022 23:05:40 +0200
++
++systemd (251.2-8) unstable; urgency=medium
++
++  * autopkgtest: install openssl for upstream test.
++    Install openssl explicitly and do not rely on other packages, like
++    swtpm-libs, to pull this dependency for us.
++    Used by TEST-50-DISSECT, which otherwise just silently skips the test.
++  * Add versioned dependency on init-system-helpers to systemd-homed.
++    Ensure that we have a version of deb-systemd-helper which properly
++    handles loops in Also= dependencies. (Closes: #1014115)
++  * Demote shlibs dependencies of libsystemd0 from Pre-Depends to Depends.
++    As systemctl, which is quasi-essential, no longer links against
++    libsystemd0, we do not need those strict requirements anymore.
++  * Work around some more dh_installman issues
-- -- Lukas Märdian <slyon@ubuntu.com>  Mon, 15 Aug 2022 15:29:16 +0200
++ -- Michael Biebl <biebl@debian.org>  Wed, 06 Jul 2022 21:23:38 +0200
++
++systemd (251.2-7) unstable; urgency=medium
++
++  [ Luca Boccassi ]
++  * sd-boot: add kernel hooks scripts
++
++  [ Andrea Pappacoda ]
++  * sd-boot: add initramfs hook (Closes: #826045)
++
++  [ Michael Biebl ]
++  * sd-boot: exit early in initramfs and kernel hook scripts if package is
++    removed but not purged
++  * Do not fail with older binutils.
++    Test if the linker supports --no-warn-execstack and --no-warn-rwx-segments
++    before using those flags. (Closes: #1013967)
++
++ -- Michael Biebl <biebl@debian.org>  Tue, 28 Jun 2022 14:33:37 +0200
++
++systemd (251.2-6) unstable; urgency=medium
++
++  [ Helmut Grohne ]
++  * Mark systemd-userdbd and systemd-homed as !stage1 (Closes: #1012738)
++
++  [ Luca Boccassi ]
++  * Remove unused Lintian overrides
++  * Stop overriding the build directory name.
++    We don't do a separate udeb build anymore, so there's no need
++    to specify a separate build directory.
++  * Use execute_before_/after_ instead of override_
++  * Add nodoc profile support.
++    Co-authored-by: Michael Biebl <biebl@debian.org>
++
++  [ Michael Biebl ]
++  * Do not fail EFI build with newer binutils (Closes: #1013482)
++  * shared/microhttp-util: silence gcc warning
++  * Clarify NEWS message about systemd-boot split (Closes: #1013340)
++
++ -- Michael Biebl <biebl@debian.org>  Fri, 24 Jun 2022 10:12:34 +0200
++
++systemd (251.2-5) unstable; urgency=medium
++
++  * Tweak description of systemd-homed package
++  * Move shlibs dependencies of libsystemd-shared from Pre-Depends to Depends
++    (Closes: #1012637)
++  * Add versioned Breaks against sicherboot for the systemd-boot split
++    (Closes: #1012625)
++  * Drop old Conflicts against hal from udev.
++    The hal package has been gone for several release cycles, so this
++    Conflicts should not be necessary anymore.
++
++ -- Michael Biebl <biebl@debian.org>  Fri, 10 Jun 2022 23:51:50 +0200
++
++systemd (251.2-4) unstable; urgency=medium
++
++  * Use try-restart in systemd-binfmt dpkg trigger
++  * Fix bashism in kernel-install
++  * Upload to unstable
++
++ -- Michael Biebl <biebl@debian.org>  Fri, 10 Jun 2022 09:16:48 +0200
++
++systemd (251.2-3) experimental; urgency=medium
++
++  [ Luca Boccassi ]
++  * Add systemd-userdbd package. This can be used to synthetize dynamic
++    user/groups, and can be useful by itself. It will also be used by
++    homed.
++  * Add systemd-homed package (Closes: #976960)
++  * Add systemd-boot-efi multiarch package. Allows EFI binaries for
++    different architectures to be co-installed. Useful when the EFI has a
++    different architecture, or to manipulate images. The userspace tooling
++    doesn't need to match the EFI binaries. Also allows one to reduce the
++    number of packages and dependencies needed when i386 is not a full
++    architecture, but a subset for libraries and for EFI support.
++
++  [ Michael Biebl ]
++  * Move homectl and userdbctl to /usr/bin
++  * Install libsystemd-shared into rootpkglibdir
++  * Split out libsystemd-shared into its own package. Since libsystem-
++    shared is an internal implementation detail, do not generate a shlibs
++    file for it. This means dh_shlibdeps needs to be told explicitly where
++    it can find libsystemd-shared. Mark this new package as Multi-Arch:
++    same. (Closes: #990547)
++  * Split out systemd-boot into its own package
++  * Add NEWS entry for the systemd-boot package split
++
++ -- Luca Boccassi <bluca@debian.org>  Wed, 08 Jun 2022 23:56:04 +0100
  systemd (251.2-2ubuntu2) kinetic; urgency=medium
 diff --git a/debian/control b/debian/control
 index d940ed4..6bafebb 100644
 --- a/debian/control
 +++ b/debian/control
@@ -15,11 +15,12 @@ Vcs-Git: https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd
  Vcs-Browser:  https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd
  Homepage: https://www.freedesktop.org/wiki/Software/systemd
  Build-Depends: debhelper-compat (= 13),
++               dh-sequence-installnss,
                 dh-sequence-package-notes,
                 pkg-config,
--               xsltproc,
--               docbook-xsl,
--               docbook-xml,
++               xsltproc <!nodoc>,
++               docbook-xsl <!nodoc>,
++               docbook-xml <!nodoc>,
                 meson (>= 0.53.2),
                 gettext,
                 gperf,
@@ -75,7 +76,11 @@ Priority: important
  Recommends: default-dbus-system-bus | dbus-system-bus,
              networkd-dispatcher,
              systemd-timesyncd | time-daemon,
++            systemd-resolved,
  Suggests: systemd-container,
++          systemd-homed,
++          systemd-userdbd,
++          systemd-boot,
            libfido2-1,
            libtss2-esys-3.0.2-0,
            libtss2-mu0,
@@ -94,6 +99,7 @@ Conflicts: consolekit,
  Breaks: resolvconf (<< 1.83~),
          udev (<< 247~),
          less (<< 563),
++        sicherboot (<< 0.1.6),
  Provides: systemd-sysusers (= ${binary:Version}),
            systemd-tmpfiles (= ${binary:Version}),
  Description: system and service manager
@@ -272,11 +278,11 @@ Multi-Arch: same
  Pre-Depends: ${misc:Pre-Depends}
  Depends: ${shlibs:Depends},
           ${misc:Depends},
--         systemd (= ${binary:Version}),
++         systemd-resolved (= ${binary:Version}),
  Description: nss module to resolve names via systemd-resolved
   nss-resolve is a plugin for the GNU Name Service Switch (NSS) functionality
   of the GNU C Library (glibc) providing DNS and LLMNR resolution to programs via
-- the systemd-resolved daemon (provided in the systemd package).
++ the systemd-resolved daemon (provided in the systemd-resolved package).
+  .
   Installing this package automatically adds resolve to /etc/nsswitch.conf.
@@ -301,9 +307,8 @@ Package: libsystemd0
  Architecture: linux-any
  Multi-Arch: same
  Section: libs
--Pre-Depends: ${shlibs:Depends},
--             ${misc:Pre-Depends}
--Depends: ${misc:Depends}
++Depends: ${shlibs:Depends},
++         ${misc:Depends}
  Description: systemd utility library
   This library provides APIs to interface with various system components such as
   the system journal, the system service manager, D-Bus and more.
@@ -321,6 +326,18 @@ Description: systemd utility library - development files
   This package contains the files needed for developing applications that
   use libsystemd.
++Package: libsystemd-shared
++Architecture: linux-any
++Multi-Arch: same
++Section: libs
++Pre-Depends: ${misc:Pre-Depends}
++Depends: ${shlibs:Depends},
++         ${misc:Depends}
++Description: systemd shared private library
++ This internal shared library provides common code used by various systemd
++ components. It is supposed to decrease memory and disk footprint.
++ The shared library is not meant for public use and is not API or ABI stable.
++
  Package: udev
  Priority: important
  Architecture: linux-any
@@ -331,7 +348,7 @@ Depends: ${shlibs:Depends},
           adduser,
           libudev1 (= ${binary:Version}),
           s390-tools [s390],
--Conflicts: hal
++Recommends: systemd-hwe-hwdb,
  Breaks: systemd (<< ${binary:Version}),
  Description: /dev/ and hotplug management daemon
   udev is a daemon which dynamically creates and removes device nodes from
@@ -427,3 +444,87 @@ Description: userspace out-of-memory (OOM) killer
   systemd-oomd is a system service that uses cgroups-v2 and
   pressure stall information (PSI) to monitor and take action on
   processes before an OOM occurs in kernel space.
++
++Package: systemd-userdbd
++Build-Profiles: <!stage1>
++Architecture: linux-any
++Depends: ${shlibs:Depends},
++         ${misc:Depends},
++         systemd (= ${binary:Version}),
++Description: dynamic user/group manager
++ systemd-userdbd is a system service that multiplexes user/group lookups to all
++ local services that provide JSON user/group record definitions to the system.
++ In addition it synthesizes JSON user/group records from classic UNIX/glibc NSS
++ user/group records in order to provide full backwards compatibility. It may
++ also pick up statically defined JSON user/group records from drop-in files.
++
++Package: systemd-homed
++Build-Profiles: <!stage1>
++Architecture: linux-any
++Pre-Depends: ${misc:Pre-Depends},
++             init-system-helpers (>= 1.64~),
++Depends: ${shlibs:Depends},
++         ${misc:Depends},
++         systemd-userdbd (= ${binary:Version}),
++         systemd (= ${binary:Version}),
++         libpam-runtime,
++Description: home area manager
++ systemd-homed is a system service designed to manage home directories. This
++ package includes the homed service, a PAM module to automatically mount home
++ directories on user login, tools and documentation.
++
++Package: systemd-boot
++Architecture: amd64 i386 arm64 armhf
++Depends: ${shlibs:Depends},
++         ${misc:Depends},
++         systemd-boot-efi (= ${binary:Version}),
++Recommends: efibootmgr,
++Breaks: systemd (<< 251.2-3~)
++Replaces: systemd (<< 251.2-3~)
++Description: simple UEFI boot manager - tools and services
++ systemd-boot (short: sd-boot) is a simple UEFI boot manager. It provides a
++ textual menu to select the entry to boot and an editor for the kernel command
++ line. It supports systems with UEFI firmware only.
++ .
++ Installing systemd-boot will not automatically switch your boot loader.
++ .
++ This package contains various tools and services to manage systems using
++ systemd-boot.
++
++Package: systemd-boot-efi
++Architecture: amd64 i386 arm64 armhf
++Multi-Arch: same
++Pre-Depends: ${misc:Pre-Depends},
++Depends: ${misc:Depends},
++Breaks: systemd (<< 251.2-3~)
++Replaces: systemd (<< 251.2-3~)
++Description: simple UEFI boot manager - EFI binaries
++ systemd-boot (short: sd-boot) is a simple UEFI boot manager. It provides a
++ textual menu to select the entry to boot and an editor for the kernel command
++ line. It supports systems with UEFI firmware only.
++ .
++ This package contains the EFI binaries.
++
++Package: systemd-resolved
++Multi-Arch: foreign
++Architecture: linux-any
++Pre-Depends: ${misc:Pre-Depends}
++Depends: ${shlibs:Depends},
++         ${misc:Depends},
++         adduser,
++         systemd (= ${binary:Version}),
++         default-dbus-system-bus | dbus-system-bus
++Recommends: libnss-myhostname,
++            libnss-resolve,
++Suggests: policykit-1,
++Provides: resolvconf
++Conflicts: resolvconf
++Replaces: resolvconf,
++          systemd (<< 251.3-2~)
++Breaks: systemd (<< 251.3-2~)
++Description: systemd DNS resolver
++ This package provides systemd's DNS resolver and the command line tool to
++ manage it.
++ .
++ Installing this package automatically overwrites /etc/resolv.conf and switches
++ it to be managed by systemd-resolved.
 diff --git a/debian/extra/initramfs/post-update.d/systemd-boot b/debian/extra/initramfs/post-update.d/systemd-boot
 new file mode 100755
 index 0000000..1cee51c
 --- /dev/null
 +++ b/debian/extra/initramfs/post-update.d/systemd-boot
@@ -0,0 +1,11 @@
++#!/bin/sh
++
++set -eu
++
++test -x /usr/bin/bootctl || exit 0
++
++bootctl is-installed --quiet || exit 0
++
++echo "Updating kernel version $1 in systemd-boot..."
++
++kernel-install add "$1" "/boot/vmlinuz-$1" "$2"
 diff --git a/debian/extra/kernel/postinst.d/systemd-boot b/debian/extra/kernel/postinst.d/systemd-boot
 new file mode 100755
 index 0000000..8901140
 --- /dev/null
 +++ b/debian/extra/kernel/postinst.d/systemd-boot
@@ -0,0 +1,11 @@
++#!/bin/sh
++
++set -e
++
++test -x /usr/bin/bootctl || exit 0
++
++bootctl is-installed --quiet || exit 0
++
++echo "Installing kernel version $1 in systemd-boot..."
++
++kernel-install add "$1" "$2"
 diff --git a/debian/extra/kernel/postrm.d/systemd-boot b/debian/extra/kernel/postrm.d/systemd-boot
 new file mode 100755
 index 0000000..4db5e51
 --- /dev/null
 +++ b/debian/extra/kernel/postrm.d/systemd-boot
@@ -0,0 +1,11 @@
++#!/bin/sh
++
++set -e
++
++test -x /usr/bin/bootctl || exit 0
++
++bootctl is-installed --quiet || exit 0
++
++echo "Removing kernel version $1 from systemd-boot..."
++
++kernel-install remove "$1"
 diff --git a/debian/extra/pam-configs/systemd-homed b/debian/extra/pam-configs/systemd-homed
 new file mode 100644
 index 0000000..0613efc
 --- /dev/null
 +++ b/debian/extra/pam-configs/systemd-homed
@@ -0,0 +1,15 @@
++Name: Enable user management by systemd-homed
++Default: yes
++Priority: 257
++Auth-Type: Primary
++Auth:
++	[success=end default=ignore]	pam_systemd_home.so
++Account-Type: Primary
++Account:
++	[success=end default=ignore]	pam_systemd_home.so
++Session-Type: Additional
++Session:
++	optional	pam_systemd_home.so
++Password-Type: Primary
++Password:
++	[success=end default=ignore]	pam_systemd_home.so
 diff --git a/debian/gitlab-ci.yml b/debian/gitlab-ci.yml
 index f39ddcf..c405d57 100644
 --- a/debian/gitlab-ci.yml
 +++ b/debian/gitlab-ci.yml
@@ -9,3 +9,5 @@ variables:
    # Many false positives due to issue in binutils:
    # https://bugs.debian.org/1000977
    SALSA_CI_LINTIAN_SUPPRESS_TAGS: "elf-error"
++  # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011649
++  SALSA_CI_DISABLE_PIUPARTS: 1
 diff --git a/debian/libnss-myhostname.install b/debian/libnss-myhostname.install
 index 758fe00..fa88dd6 100644
 --- a/debian/libnss-myhostname.install
 +++ b/debian/libnss-myhostname.install
@@ -1,3 +1 @@
  usr/lib/*/libnss_myhostname*.so.*
--usr/share/man/man8/libnss_myhostname.so.2.8
--usr/share/man/man8/nss-myhostname.8
 diff --git a/debian/libnss-myhostname.manpages b/debian/libnss-myhostname.manpages
 new file mode 100644
 index 0000000..d3ba44d
 --- /dev/null
 +++ b/debian/libnss-myhostname.manpages
@@ -0,0 +1,2 @@
++usr/share/man/man8/libnss_myhostname.so.2.8
++usr/share/man/man8/nss-myhostname.8
 diff --git a/debian/libnss-myhostname.nss b/debian/libnss-myhostname.nss
 new file mode 100644
 index 0000000..0ef4054
 --- /dev/null
 +++ b/debian/libnss-myhostname.nss
@@ -0,0 +1 @@
++hosts	last	myhostname
 diff --git a/debian/libnss-myhostname.postinst b/debian/libnss-myhostname.postinst
 deleted file mode 100644
 index 1ee0c99..0000000
 --- a/debian/libnss-myhostname.postinst
 +++ /dev/null
@@ -1,41 +0,0 @@
--#!/bin/sh
--
--set -e
--
--# This code was taken from libnss-myhostname
--
--# try to insert myhostname entries to the "hosts" line in /etc/nsswitch.conf to
--# automatically enable libnss-myhostname support; do not change the
--# configuration if the "hosts" line already references some myhostname lookups
--insert_nss_entry() {
--    echo "Checking NSS setup..."
--    # abort if /etc/nsswitch.conf does not exist
--    if ! [ -e /etc/nsswitch.conf ]; then
--        echo "Could not find /etc/nsswitch.conf."
--        return
--    fi
--    perl -i -pe '
--        sub insert {
--            my $line = shift;
--            # this also splits on tab
--            my @bits=split(" ", $line);
--            # do not break configuration if the "hosts" line already references
--            # myhostname
--            if (grep { $_ eq "myhostname"} @bits) {
--                return $line;
--            }
--            # add myhostname at the end
--            return $line . " myhostname";
--        }
--        s/^(hosts:\s+)(.*)/$1.insert($2)/e;
--    ' /etc/nsswitch.conf
--}
--
--if [ "$1" = configure ] && [ -z "$2" ]; then
--    echo "First installation detected..."
--    # first install: setup the recommended configuration (unless
--    # nsswitch.conf already contains myhostname entries)
--    insert_nss_entry
--fi
--
--#DEBHELPER#
 diff --git a/debian/libnss-myhostname.postrm b/debian/libnss-myhostname.postrm
 deleted file mode 100644
 index 90e3c38..0000000
 --- a/debian/libnss-myhostname.postrm
 +++ /dev/null
@@ -1,29 +0,0 @@
--#!/bin/sh
--
--set -e
--
--remove_nss_entry() {
--    local file=$1
--    local pkg=$2
--    local module=$3
--    refcount=$(dpkg-query -f '${db:Status-Abbrev} ${binary:Package}\n' \
--        -W $pkg | grep '^i' | wc -l)
--    if [ "$refcount" -gt 0 ] ; then
--        # package is installed for other architectures still, do nothing
--        return
--    fi
--    echo "Checking NSS setup..."
--    # abort if file does not exist
--    if ! [ -e $file ]; then
--        echo "Could not find ${file}."
--        return
--    fi
--    # we must remove possible [foo=bar] options as well
--    sed -i -r "/hosts:/ s/[[:space:]]+$module\b([[:space:]]*\[[^]]*\])*//" $file
--}
--
--if [ "$1" = remove ]; then
--    remove_nss_entry /etc/nsswitch.conf libnss-myhostname myhostname
--fi
--
--#DEBHELPER#
 diff --git a/debian/libnss-mymachines.install b/debian/libnss-mymachines.install
 index 1923505..50e7d2e 100644
 --- a/debian/libnss-mymachines.install
 +++ b/debian/libnss-mymachines.install
@@ -1,3 +1 @@
  usr/lib/*/libnss_mymachines*.so.*
--usr/share/man/man8/libnss_mymachines.so.2.8
--usr/share/man/man8/nss-mymachines.8
 diff --git a/debian/libnss-mymachines.manpages b/debian/libnss-mymachines.manpages
 new file mode 100644
 index 0000000..7afe71d
 --- /dev/null
 +++ b/debian/libnss-mymachines.manpages
@@ -0,0 +1,2 @@
++usr/share/man/man8/libnss_mymachines.so.2.8
++usr/share/man/man8/nss-mymachines.8
 diff --git a/debian/libnss-mymachines.nss b/debian/libnss-mymachines.nss
 new file mode 100644
 index 0000000..dd7e3a1
 --- /dev/null
 +++ b/debian/libnss-mymachines.nss
@@ -0,0 +1 @@
++hosts	last	mymachines
 diff --git a/debian/libnss-mymachines.postinst b/debian/libnss-mymachines.postinst
 deleted file mode 100644
 index 165a80a..0000000
 --- a/debian/libnss-mymachines.postinst
 +++ /dev/null
@@ -1,41 +0,0 @@
--#!/bin/sh
--
--set -e
--
--# This code was taken from libnss-myhostname
--
--# try to insert mymachines entries to the "hosts" line in /etc/nsswitch.conf to
--# automatically enable libnss-mymachines support; do not change the
--# configuration if the "hosts" line already references some mymachines lookups
--insert_nss_entry() {
--    echo "Checking NSS setup..."
--    # abort if /etc/nsswitch.conf does not exist
--    if ! [ -e /etc/nsswitch.conf ]; then
--        echo "Could not find /etc/nsswitch.conf."
--        return
--    fi
--    perl -i -pe '
--        sub insert {
--            my $line = shift;
--            # this also splits on tab
--            my @bits=split(" ", $line);
--            # do not break configuration if the "hosts" line already references
--            # mymachines
--            if (grep { $_ eq "mymachines"} @bits) {
--                return $line;
--            }
--            # add mymachines at the end
--            return $line . " mymachines";
--        }
--        s/^(hosts:\s+)(.*)/$1.insert($2)/e;
--    ' /etc/nsswitch.conf
--}
--
--if [ "$1" = configure ] && [ -z "$2" ]; then
--    echo "First installation detected..."
--    # first install: setup the recommended configuration (unless
--    # nsswitch.conf already contains mymachines entries)
--    insert_nss_entry
--fi
--
--#DEBHELPER#
 diff --git a/debian/libnss-mymachines.postrm b/debian/libnss-mymachines.postrm
 deleted file mode 100644
 index c8fb09c..0000000
 --- a/debian/libnss-mymachines.postrm
 +++ /dev/null
@@ -1,29 +0,0 @@
--#!/bin/sh
--
--set -e
--
--remove_nss_entry() {
--    local file=$1
--    local pkg=$2
--    local module=$3
--    refcount=$(dpkg-query -f '${db:Status-Abbrev} ${binary:Package}\n' \
--        -W $pkg | grep '^i' | wc -l)
--    if [ "$refcount" -gt 0 ] ; then
--        # package is installed for other architectures still, do nothing
--        return
--    fi
--    echo "Checking NSS setup..."
--    # abort if file does not exist
--    if ! [ -e $file ]; then
--        echo "Could not find ${file}."
--        return
--    fi
--    # we must remove possible [foo=bar] options as well
--    sed -i -r "/hosts:/ s/[[:space:]]+$module\b([[:space:]]*\[[^]]*\])*//" $file
--}
--
--if [ "$1" = remove ]; then
--    remove_nss_entry /etc/nsswitch.conf libnss-mymachines mymachines
--fi
--
--#DEBHELPER#
 diff --git a/debian/libnss-resolve.install b/debian/libnss-resolve.install
 index 871aac0..3554b53 100644
 --- a/debian/libnss-resolve.install
 +++ b/debian/libnss-resolve.install
@@ -1,3 +1 @@
  usr/lib/*/libnss_resolve*.so.*
--usr/share/man/man8/libnss_resolve.so.2.8
--usr/share/man/man8/nss-resolve.8
 diff --git a/debian/libnss-resolve.lintian-overrides b/debian/libnss-resolve.lintian-overrides
 index d29b4e3..06097e8 100644
 --- a/debian/libnss-resolve.lintian-overrides
 +++ b/debian/libnss-resolve.lintian-overrides
@@ -1,3 +1,2 @@
  # Lintian is really bad at associating manpages
  libnss-resolve: spare-manual-page
--libnss-resolve: maintainer-script-calls-systemctl
 diff --git a/debian/libnss-resolve.manpages b/debian/libnss-resolve.manpages
 new file mode 100644
 index 0000000..b3c5a78
 --- /dev/null
 +++ b/debian/libnss-resolve.manpages
@@ -0,0 +1,2 @@
++usr/share/man/man8/libnss_resolve.so.2.8
++usr/share/man/man8/nss-resolve.8
 diff --git a/debian/libnss-resolve.nss b/debian/libnss-resolve.nss
 new file mode 100644
 index 0000000..a7142b3
 --- /dev/null
 +++ b/debian/libnss-resolve.nss
@@ -0,0 +1 @@
++hosts	before=dns	resolve [!UNAVAIL=return]
 diff --git a/debian/libnss-resolve.postinst b/debian/libnss-resolve.postinst
 deleted file mode 100644
 index 382364e..0000000
 --- a/debian/libnss-resolve.postinst
 +++ /dev/null
@@ -1,48 +0,0 @@
--#!/bin/sh
--
--set -e
--
--# This code was taken from libnss-myhostname
--
--# try to insert resolve entries to the "hosts" line in /etc/nsswitch.conf to
--# automatically enable libnss-resolve support; do not change the
--# configuration if the "hosts" line already references some resolve lookups
--insert_nss_entry() {
--    echo "Checking NSS setup..."
--    # abort if /etc/nsswitch.conf does not exist
--    if ! [ -e /etc/nsswitch.conf ]; then
--        echo "Could not find /etc/nsswitch.conf."
--        return
--    fi
--    perl -i -pe '
--        sub insert {
--            my $line = shift;
--            # this also splits on tab
--            my @bits=split(" ", $line);
--            # do not break configuration if the "hosts" line already references
--            # resolve
--            if (grep { $_ eq "resolve"} @bits) {
--                return $line;
--            }
--            # add resolve before dns
--            return join " ", map {
--                $_ eq "dns" ? ("resolve [!UNAVAIL=return]", "$_") : $_
--            } @bits;
--        }
--        s/^(hosts:\s+)(.*)/$1.insert($2)/e;
--    ' /etc/nsswitch.conf
--}
--
--if [ "$1" = configure ] && [ -z "$2" ]; then
--    echo "First installation detected..."
--    # first install: setup the recommended configuration (unless
--    # nsswitch.conf already contains resolve entries)
--    insert_nss_entry
--    # ... and enable resolved
--    systemctl enable systemd-resolved.service
--    if [ -d /run/systemd/system ]; then
--        deb-systemd-invoke start systemd-resolved.service || true
--    fi
--fi
--
--#DEBHELPER#
 diff --git a/debian/libnss-resolve.postrm b/debian/libnss-resolve.postrm
 deleted file mode 100644
 index 32b9b8f..0000000
 --- a/debian/libnss-resolve.postrm
 +++ /dev/null
@@ -1,29 +0,0 @@
--#!/bin/sh
--
--set -e
--
--remove_nss_entry() {
--    local file=$1
--    local pkg=$2
--    local module=$3
--    refcount=$(dpkg-query -f '${db:Status-Abbrev} ${binary:Package}\n' \
--        -W $pkg | grep '^i' | wc -l)
--    if [ "$refcount" -gt 0 ] ; then
--        # package is installed for other architectures still, do nothing
--        return
--    fi
--    echo "Checking NSS setup..."
--    # abort if file does not exist
--    if ! [ -e $file ]; then
--        echo "Could not find ${file}."
--        return
--    fi
--    # we must remove possible [foo=bar] options as well
--    sed -i -r "/hosts:/ s/[[:space:]]+$module\b([[:space:]]*\[[^]]*\])*//" $file
--}
--
--if [ "$1" = remove ]; then
--    remove_nss_entry /etc/nsswitch.conf libnss-resolve resolve
--fi
--
--#DEBHELPER#
 diff --git a/debian/libnss-systemd.install b/debian/libnss-systemd.install
 index 858f307..df23cb8 100644
 --- a/debian/libnss-systemd.install
 +++ b/debian/libnss-systemd.install
@@ -1,3 +1 @@
  usr/lib/*/libnss_systemd*.so.*
--usr/share/man/man8/libnss_systemd*
--usr/share/man/man8/nss-systemd*
 diff --git a/debian/libnss-systemd.manpages b/debian/libnss-systemd.manpages
 new file mode 100644
 index 0000000..bf1e840
 --- /dev/null
 +++ b/debian/libnss-systemd.manpages
@@ -0,0 +1,2 @@
++usr/share/man/man8/libnss_systemd*
++usr/share/man/man8/nss-systemd*
 diff --git a/debian/libnss-systemd.nss b/debian/libnss-systemd.nss
 new file mode 100644
 index 0000000..9c3f443
 --- /dev/null
 +++ b/debian/libnss-systemd.nss
@@ -0,0 +1,4 @@
++passwd	last	systemd
++group	last	systemd
++shadow	last	systemd
++gshadow	last	systemd
 diff --git a/debian/libnss-systemd.postinst b/debian/libnss-systemd.postinst
 deleted file mode 100644
 index 16040bc..0000000
 --- a/debian/libnss-systemd.postinst
 +++ /dev/null
@@ -1,39 +0,0 @@
--#!/bin/sh
--
--set -e
--
--# try to insert the systemd entry to the "passwd" and "group" lines in
--# /etc/nsswitch.conf to automatically enable libnss-systemd support; do not
--# change the configuration if the lines already contain "systemd"
--insert_nss_entry() {
--    echo "Checking NSS setup..."
--    # abort if /etc/nsswitch.conf does not exist
--    if ! [ -e /etc/nsswitch.conf ]; then
--        echo "Could not find /etc/nsswitch.conf."
--        return
--    fi
--    perl -i -pe '
--        sub insert {
--            my $line = shift;
--            # this also splits on tab
--            my @bits=split(" ", $line);
--            # do not break configuration if the line already references
--            # systemd
--            if (grep { $_ eq "systemd"} @bits) {
--                return $line;
--            }
--            # add systemd at the end
--            return $line . " systemd";
--        }
--        s/^(passwd:\s+)(.*)/$1.insert($2)/e;
--        s/^(group:\s+)(.*)/$1.insert($2)/e;
--    ' /etc/nsswitch.conf
--}
--
--if [ "$1" = configure ] && [ -z "$2" ]; then
--    echo "First installation detected..."
--    # first install: setup the recommended configuration
--    insert_nss_entry
--fi
--
--#DEBHELPER#
 diff --git a/debian/libnss-systemd.postrm b/debian/libnss-systemd.postrm
 deleted file mode 100644
 index ce8e954..0000000
 --- a/debian/libnss-systemd.postrm
 +++ /dev/null
@@ -1,29 +0,0 @@
--#!/bin/sh
--
--set -e
--
--remove_nss_entry() {
--    local file=$1
--    local pkg=$2
--    local module=$3
--    refcount=$(dpkg-query -f '${db:Status-Abbrev} ${binary:Package}\n' \
--        -W $pkg | grep '^i' | wc -l)
--    if [ "$refcount" -gt 0 ] ; then
--        # package is installed for other architectures still, do nothing
--        return
--    fi
--    echo "Checking NSS setup..."
--    # abort if file does not exist
--    if ! [ -e $file ]; then
--        echo "Could not find ${file}."
--        return
--    fi
--    # we must remove possible [foo=bar] options as well
--    sed -i -r "/(passwd|group):/ s/[[:space:]]+$module\b([[:space:]]*\[[^]]*\])*//" $file
--}
--
--if [ "$1" = remove ]; then
--    remove_nss_entry /etc/nsswitch.conf libnss-systemd systemd
--fi
--
--#DEBHELPER#
 diff --git a/debian/libpam-systemd.install b/debian/libpam-systemd.install
 index 7b5a260..b4faf87 100644
 --- a/debian/libpam-systemd.install
 +++ b/debian/libpam-systemd.install
@@ -1,3 +1,2 @@
  lib/*/security/pam_systemd.so
--usr/share/man/man8/pam_systemd.8
--../extra/pam-configs usr/share/
++../extra/pam-configs/systemd usr/share/pam-configs/
 diff --git a/debian/libpam-systemd.manpages b/debian/libpam-systemd.manpages
 new file mode 100644
 index 0000000..d30ee0f
 --- /dev/null
 +++ b/debian/libpam-systemd.manpages
@@ -0,0 +1 @@
++usr/share/man/man8/pam_systemd.8
 diff --git a/debian/libsystemd-dev.install b/debian/libsystemd-dev.install
 index eef73a9..5a73373 100644
 --- a/debian/libsystemd-dev.install
 +++ b/debian/libsystemd-dev.install
@@ -1,5 +1,3 @@
  usr/include/systemd/
  usr/lib/*/libsystemd.so
  usr/lib/*/pkgconfig/libsystemd.pc
--usr/share/man/man3/sd*
--usr/share/man/man3/SD*
 diff --git a/debian/libsystemd-dev.manpages b/debian/libsystemd-dev.manpages
 new file mode 100644
 index 0000000..0723dcb
 --- /dev/null
 +++ b/debian/libsystemd-dev.manpages
@@ -0,0 +1,2 @@
++usr/share/man/man3/sd*
++usr/share/man/man3/SD*
 diff --git a/debian/libsystemd-shared.install b/debian/libsystemd-shared.install
 new file mode 100644
 index 0000000..085a7cd
 --- /dev/null
 +++ b/debian/libsystemd-shared.install
@@ -0,0 +1,2 @@
++usr/lib/*/systemd/libsystemd-core-*.so
++usr/lib/*/systemd/libsystemd-shared-*.so
 diff --git a/debian/libsystemd-shared.lintian-overrides b/debian/libsystemd-shared.lintian-overrides
 new file mode 100644
 index 0000000..065ba9b
 --- /dev/null
 +++ b/debian/libsystemd-shared.lintian-overrides
@@ -0,0 +1,2 @@
++# Intentional: value of config got in a release by mistake, needs to be kept
++libsystemd-shared: spelling-error-in-binary usr/lib/*/systemd/libsystemd-shared-251.so anually annually
 diff --git a/debian/libudev-dev.install b/debian/libudev-dev.install
 index 3cd6bf0..ac9a6b4 100644
 --- a/debian/libudev-dev.install
 +++ b/debian/libudev-dev.install
@@ -1,5 +1,3 @@
  usr/include/libudev.h
  usr/lib/*/libudev.so
  usr/lib/*/pkgconfig/libudev.pc
--usr/share/man/man3/udev*
--usr/share/man/man3/libudev*
 diff --git a/debian/libudev-dev.manpages b/debian/libudev-dev.manpages
 new file mode 100644
 index 0000000..009109c
 --- /dev/null
 +++ b/debian/libudev-dev.manpages
@@ -0,0 +1,2 @@
++usr/share/man/man3/udev*
++usr/share/man/man3/libudev*
 diff --git a/debian/patches/Move-homectl-and-userdbctl-to-bindir.patch b/debian/patches/Move-homectl-and-userdbctl-to-bindir.patch
 new file mode 100644
 index 0000000..a07e5cd
 --- /dev/null
 +++ b/debian/patches/Move-homectl-and-userdbctl-to-bindir.patch
@@ -0,0 +1,35 @@
++From: Michael Biebl <biebl@debian.org>
++Date: Sat, 28 May 2022 12:00:08 +0200
++Subject: Move homectl and userdbctl to bindir
++
++Those binaries aren't needed during early boot.
++
++(cherry picked from commit 003a67616148a8c2b94aa0c87595465f5dcac508)
++---
++ meson.build | 6 ++----
++ 1 file changed, 2 insertions(+), 4 deletions(-)
++
++diff --git a/meson.build b/meson.build
++index dbba108..ecc5533 100644
++--- a/meson.build
+++++ b/meson.build
++@@ -2577,8 +2577,7 @@ if conf.get('ENABLE_USERDB') == 1
++                 link_with : [libshared],
++                 dependencies : [threads],
++                 install_rpath : rootlibexecdir,
++-                install : true,
++-                install_dir : rootbindir)
+++                install : true)
++ endif
++
++ if conf.get('ENABLE_HOMED') == 1
++@@ -2621,8 +2620,7 @@ if conf.get('ENABLE_HOMED') == 1
++                                 libp11kit,
++                                 libdl],
++                 install_rpath : rootlibexecdir,
++-                install : true,
++-                install_dir : rootbindir)
+++                install : true)
++
++         if conf.get('HAVE_PAM') == 1
++                 version_script_arg = project_source_root / pam_systemd_home_sym
 diff --git a/debian/patches/debian/Downgrade-a-couple-of-warnings-to-debug.patch b/debian/patches/debian/Downgrade-a-couple-of-warnings-to-debug.patch
 index 0c8f9f4..1c4762c 100644
 --- a/debian/patches/debian/Downgrade-a-couple-of-warnings-to-debug.patch
 +++ b/debian/patches/debian/Downgrade-a-couple-of-warnings-to-debug.patch
@@ -16,7 +16,7 @@ Closes: #981407
 files changed, 7 insertions(+), 3 deletions(-)
  diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
--index 3ff6eae..09ba381 100644
++index 11991ec..76893db 100644
  --- a/src/core/load-fragment.c
  +++ b/src/core/load-fragment.c
@@ -522,6 +522,7 @@ static int patch_var_run(
@@ -51,10 +51,10 @@ index 14ae873..aa9e94b 100644
                                       "Please update package to include a native systemd unit file, in order to make it more safe and robust.", fpath);
  diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
--index 94973c2..0d27daa 100644
++index 53cd570..7d71edd 100644
  --- a/src/tmpfiles/tmpfiles.c
  +++ b/src/tmpfiles/tmpfiles.c
--@@ -2760,6 +2760,7 @@ static int specifier_expansion_from_arg(const Specifier *specifier_table, Item *
++@@ -2757,6 +2757,7 @@ static int specifier_expansion_from_arg(const Specifier *specifier_table, Item *
   static int patch_var_run(const char *fname, unsigned line, char **path) {
           const char *k;
           char *n;
@@ -62,7 +62,7 @@ index 94973c2..0d27daa 100644
           assert(path);
           assert(*path);
--@@ -2785,7 +2786,8 @@ static int patch_var_run(const char *fname, unsigned line, char **path) {
++@@ -2782,7 +2783,8 @@ static int patch_var_run(const char *fname, unsigned line, char **path) {
           /* Also log about this briefly. We do so at LOG_NOTICE level, as we fixed up the situation automatically, hence
            * there's no immediate need for action by the user. However, in the interest of making things less confusing
            * to the user, let's still inform the user that these snippets should really be updated. */
 diff --git a/debian/patches/debian/Move-sysusers.d-sysctl.d-binfmt.d-modules-load.d-back-to-.patch b/debian/patches/debian/Move-sysusers.d-sysctl.d-binfmt.d-modules-load.d-back-to-.patch
 index 3cb53bc..9a39629 100644
 --- a/debian/patches/debian/Move-sysusers.d-sysctl.d-binfmt.d-modules-load.d-back-to-.patch
 +++ b/debian/patches/debian/Move-sysusers.d-sysctl.d-binfmt.d-modules-load.d-back-to-.patch
@@ -14,12 +14,12 @@ Closes: #971282
 files changed, 8 insertions(+), 8 deletions(-)
  diff --git a/src/core/systemd.pc.in b/src/core/systemd.pc.in
--index fc0f8c3..65996bb 100644
++index 693433b..8368a3f 100644
  --- a/src/core/systemd.pc.in
  +++ b/src/core/systemd.pc.in
--@@ -65,16 +65,16 @@ systemdshutdowndir=${systemd_shutdown_dir}
-- tmpfiles_dir=${prefix}/lib/tmpfiles.d
-- tmpfilesdir=${tmpfiles_dir}
++@@ -67,16 +67,16 @@ tmpfilesdir=${tmpfiles_dir}
++
++ user_tmpfiles_dir=${prefix}/share/user-tmpfiles.d
  -sysusers_dir=${rootprefix}/lib/sysusers.d
  +sysusers_dir=${prefix}/lib/sysusers.d
 diff --git a/debian/patches/debian/Revert-core-set-RLIMIT_CORE-to-unlimited-by-default.patch b/debian/patches/debian/Revert-core-set-RLIMIT_CORE-to-unlimited-by-default.patch
 index 37f3a0a..6043efd 100644
 --- a/debian/patches/debian/Revert-core-set-RLIMIT_CORE-to-unlimited-by-default.patch
 +++ b/debian/patches/debian/Revert-core-set-RLIMIT_CORE-to-unlimited-by-default.patch
@@ -19,7 +19,7 @@ Bug-Debian: https://bugs.debian.org/815020
 files changed, 1 insertion(+), 21 deletions(-)
  diff --git a/src/core/main.c b/src/core/main.c
--index 409b84a..7989bbe 100644
++index 69d450a..badd385 100644
  --- a/src/core/main.c
  +++ b/src/core/main.c
@@ -1619,24 +1619,6 @@ static void cmdline_take_random_seed(void) {
@@ -47,7 +47,7 @@ index 409b84a..7989bbe 100644
   static void initialize_core_pattern(bool skip_setup) {
           int r;
--@@ -2765,8 +2747,6 @@ int main(int argc, char *argv[]) {
++@@ -2763,8 +2745,6 @@ int main(int argc, char *argv[]) {
                           kernel_timestamp = DUAL_TIMESTAMP_NULL;
+                  }
 diff --git a/debian/patches/debian/Use-Debian-specific-config-files.patch b/debian/patches/debian/Use-Debian-specific-config-files.patch
 index 3b25027..b7a2c6d 100644
 --- a/debian/patches/debian/Use-Debian-specific-config-files.patch
 +++ b/debian/patches/debian/Use-Debian-specific-config-files.patch
@@ -16,7 +16,7 @@ Read/write /etc/timezone if /etc/localtime does not exist.
 files changed, 164 insertions(+), 113 deletions(-)
  diff --git a/src/basic/time-util.c b/src/basic/time-util.c
--index c309369..6e3fbd1 100644
++index 0ad8de4..f0f0ef4 100644
  --- a/src/basic/time-util.c
  +++ b/src/basic/time-util.c
@@ -1477,19 +1477,43 @@ int get_timezone(char **ret) {
@@ -101,7 +101,7 @@ index 716febb..9818602 100644
                   char *s;
  diff --git a/src/locale/keymap-util.c b/src/locale/keymap-util.c
--index 9759f46..4eb48bb 100644
++index 2d1b982..96b7eca 100644
  --- a/src/locale/keymap-util.c
  +++ b/src/locale/keymap-util.c
@@ -91,6 +91,7 @@ void locale_simplify(char *locale[_VARIABLE_LC_MAX]) {
 diff --git a/debian/patches/debian/fsckd-daemon-for-inter-fsckd-communication.patch b/debian/patches/debian/fsckd-daemon-for-inter-fsckd-communication.patch
 index e028e3c..80211e4 100644
 --- a/debian/patches/debian/fsckd-daemon-for-inter-fsckd-communication.patch
 +++ b/debian/patches/debian/fsckd-daemon-for-inter-fsckd-communication.patch
@@ -239,10 +239,10 @@ index 0000000..b7ad58d
+ +
  +</refentry>
  diff --git a/meson.build b/meson.build
--index 36cbfa4..2abc0f1 100644
++index f73c7ff..d94e75d 100644
  --- a/meson.build
  +++ b/meson.build
--@@ -3207,6 +3207,15 @@ executable(
++@@ -3219,6 +3219,15 @@ executable(
           install : true,
           install_dir : rootlibexecdir)
@@ -251,7 +251,7 @@ index 36cbfa4..2abc0f1 100644
  +        'src/fsckd/fsckd.c',
  +        include_directories : includes,
  +        link_with : [libshared],
--+        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
  +        install : true,
  +        install_dir : rootlibexecdir)
+ +
 diff --git a/debian/patches/glibc-Remove-include-linux-fs.h-to-resolve-fsconfig_comma.patch b/debian/patches/glibc-Remove-include-linux-fs.h-to-resolve-fsconfig_comma.patch
 deleted file mode 100644
 index c11f3e8..0000000
 --- a/debian/patches/glibc-Remove-include-linux-fs.h-to-resolve-fsconfig_comma.patch
 +++ /dev/null
@@ -1,95 +0,0 @@
--From: Rudi Heitbaum <rudi@heitbaum.com>
--Date: Sat, 23 Jul 2022 10:38:49 +0000
--Subject: glibc: Remove #include <linux/fs.h> to resolve
--Origin: upstream,https://github.com/systemd/systemd/pull/23992
--
--fsconfig_command/mount_attr conflict with glibc 2.36
--Fixes: #23984
--
-----
-- meson.build             | 13 ++++++++++++-
-- src/basic/fd-util.c     |  2 ++
-- src/core/namespace.c    |  2 ++
-- src/shared/mount-util.c |  2 ++
-- 4 files changed, 18 insertions(+), 1 deletion(-)
--
--diff --git a/meson.build b/meson.build
--index 2abc0f1..9f00405 100644
----- a/meson.build
--+++ b/meson.build
--@@ -479,7 +479,6 @@ decl_headers = '''
-- #include <uchar.h>
-- #include <sys/mount.h>
-- #include <sys/stat.h>
---#include <linux/fs.h>
-- '''
--
-- foreach decl : ['char16_t',
--@@ -491,6 +490,17 @@ foreach decl : ['char16_t',
--         # We get -1 if the size cannot be determined
--         have = cc.sizeof(decl, prefix : decl_headers, args : '-D_GNU_SOURCE') > 0
--
--+        if decl == 'struct mount_attr'
--+                if have
--+                        want_linux_fs_h = false
--+                else
--+                        have = cc.sizeof(decl,
--+                                         prefix : decl_headers + '#include <linux/fs.h>',
--+                                         args : '-D_GNU_SOURCE') > 0
--+                        want_linux_fs_h = have
--+                endif
--+        endif
--+
--         if decl == 'struct statx'
--                 if have
--                         want_linux_stat_h = false
--@@ -506,6 +516,7 @@ foreach decl : ['char16_t',
-- endforeach
--
-- conf.set10('WANT_LINUX_STAT_H', want_linux_stat_h)
--+conf.set10('WANT_LINUX_FS_H', want_linux_fs_h)
--
-- foreach ident : ['secure_getenv', '__secure_getenv']
--         conf.set10('HAVE_' + ident.to_upper(), cc.has_function(ident))
--diff --git a/src/basic/fd-util.c b/src/basic/fd-util.c
--index 6c1de92..00591d6 100644
----- a/src/basic/fd-util.c
--+++ b/src/basic/fd-util.c
--@@ -3,7 +3,9 @@
-- #include <errno.h>
-- #include <fcntl.h>
-- #include <linux/btrfs.h>
--+#if WANT_LINUX_FS_H
-- #include <linux/fs.h>
--+#endif
-- #include <linux/magic.h>
-- #include <sys/ioctl.h>
-- #include <sys/resource.h>
--diff --git a/src/core/namespace.c b/src/core/namespace.c
--index 926aa96..c85a947 100644
----- a/src/core/namespace.c
--+++ b/src/core/namespace.c
--@@ -6,7 +6,9 @@
-- #include <stdio.h>
-- #include <sys/mount.h>
-- #include <unistd.h>
--+#if WANT_LINUX_FS_H
-- #include <linux/fs.h>
--+#endif
--
-- #include "alloc-util.h"
-- #include "base-filesystem.h"
--diff --git a/src/shared/mount-util.c b/src/shared/mount-util.c
--index e76e4a0..0c8dec7 100644
----- a/src/shared/mount-util.c
--+++ b/src/shared/mount-util.c
--@@ -7,7 +7,9 @@
-- #include <sys/statvfs.h>
-- #include <unistd.h>
-- #include <linux/loop.h>
--+#if WANT_LINUX_FS_H
-- #include <linux/fs.h>
--+#endif
--
-- #include "alloc-util.h"
-- #include "chase-symlinks.h"
 diff --git a/debian/patches/lp1979215-boot-efi-missing-.note.GNU-stack-section-implies-executab.patch b/debian/patches/lp1979215-boot-efi-missing-.note.GNU-stack-section-implies-executab.patch
 deleted file mode 100644
 index 150eb84..0000000
 --- a/debian/patches/lp1979215-boot-efi-missing-.note.GNU-stack-section-implies-executab.patch
 +++ /dev/null
@@ -1,32 +0,0 @@
--Description: Ignore 'missing .note.GNU-stack section implies executable stack' warning
--  This is actually caused by crt0-efi-x86_64.o from gnu-efi. Ignore the warning until
--  this package is fixed.
--Author: Nick Rosbrook <nick.rosbrook@canonical.com>
--Bug: https://sourceforge.net/p/gnu-efi/bugs/28/
--Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/gnu-efi/+bug/1979215
--Last-Update: 2022-06-20
-----
--From: Nick Rosbrook <nick.rosbrook@canonical.com>
--Date: Fri, 17 Jun 2022 14:48:49 -0400
--Subject: boot/efi: ignore 'missing .note.GNU-stack section implies executable stack' warning
--
--This actually comes from gnu-efi [1], so once that is fixed we can drop
--this patch.
--
--[1] https://sourceforge.net/p/gnu-efi/bugs/28/
-----
-- src/boot/efi/meson.build | 1 +
-- 1 file changed, 1 insertion(+)
--
--diff --git a/src/boot/efi/meson.build b/src/boot/efi/meson.build
--index 299a01b..6f0d7b9 100644
----- a/src/boot/efi/meson.build
--+++ b/src/boot/efi/meson.build
--@@ -256,6 +256,7 @@ efi_ldflags = [
--         '-Wl,--fatal-warnings',
--         '-Wl,--no-undefined',
--         '-Wl,--warn-common',
--+        '-Wl,--no-warn-execstack',
--         '-Wl,-Bsymbolic',
--         '-z', 'nocombreloc',
--         efi_crt0,
 diff --git a/debian/patches/lp1979236-boot-efi-set-no-warn-rwx-segments-on-arm.patch b/debian/patches/lp1979236-boot-efi-set-no-warn-rwx-segments-on-arm.patch
 deleted file mode 100644
 index 2e09a6d..0000000
 --- a/debian/patches/lp1979236-boot-efi-set-no-warn-rwx-segments-on-arm.patch
 +++ /dev/null
@@ -1,34 +0,0 @@
--Description: Set --no-warn-rwx-segments on arm
-- A new linker warning is causing FTBFS on arm. Until upstream systemd
-- has an appropriate patch, just disable the warning.
--Author: Nick Rosbrook <nick.rosbrook@canonical.com>
--Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1979236
--Last-Update: 2022-06-20
-----
--From: Nick Rosbrook <nick.rosbrook@canonical.com>
--Date: Fri, 17 Jun 2022 15:54:34 -0400
--Subject: boot/efi: set --no-warn-rwx-segments on arm
--
-----
-- src/boot/efi/meson.build | 2 ++
-- 1 file changed, 2 insertions(+)
--diff --git a/src/boot/efi/meson.build b/src/boot/efi/meson.build
--index 6f0d7b9..c0beffb 100644
----- a/src/boot/efi/meson.build
--+++ b/src/boot/efi/meson.build
--@@ -266,6 +266,7 @@ if efi_arch[1] in ['aarch64', 'arm', 'riscv64']
--         # Aarch64, ARM32 and 64bit RISC-V don't have an EFI capable objcopy.
--         # Use 'binary' instead, and add required symbols manually.
--         efi_ldflags += ['-Wl,--defsym=EFI_SUBSYSTEM=0xa']
--+        efi_ldflags += ['-Wl,--no-warn-rwx-segments']
--         efi_format = ['-O', 'binary']
-- else
--         efi_ldflags += ['-pie']
--@@ -280,6 +281,7 @@ if efi_arch[1] == 'arm'
--         # is because libgcc is not compiled with -fshort-wchar, but it does not
--         # have any occurrences of wchar_t in its sources or the documentation, so
--         # it is safe to assume that we can ignore this warning.
--+        efi_ldflags += ['-Wl,--no-warn-rwx-segments']
--         efi_ldflags += ['-Wl,--no-wchar-size-warning']
-- endif
--
 diff --git a/debian/patches/meson-install-libsystemd-shared-into-rootpkglibdir.patch b/debian/patches/meson-install-libsystemd-shared-into-rootpkglibdir.patch
 new file mode 100644
 index 0000000..91a4e3a
 --- /dev/null
 +++ b/debian/patches/meson-install-libsystemd-shared-into-rootpkglibdir.patch
@@ -0,0 +1,1218 @@
++From: Michael Biebl <biebl@debian.org>
++Date: Wed, 1 Jun 2022 08:23:02 +0200
++Subject: meson: install libsystemd-shared into rootpkglibdir
++
++Introduce rootpkglibdir for installing libsystemd-{shared,core}.so.
++The benefit over using rootlibexecdir is that this path can be
++multiarch aware, i.e. this path can be architecture qualified.
++
++This is something we'd like to make use of in Debian/Ubuntu to make
++libsystemd-shared co-installable, e.g. for i386 the path would be
++/usr/lib/i386-linux-gnu/systemd/libsystemd-shared-*.so and for amd64
++/usr/lib/x86_64-linux-gnu/systemd/libsystemd-shared-*.so.
++This will allow for example to install and run systemd-boot/i386 on an
++amd64 host. It also simplifies/enables cross-building/bootstrapping.
++
++For more infos about Multi-Arch see https://wiki.debian.org/Multiarch.
++
++See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990547
++
++(cherry picked from commit 5fb225615bf751b97644bed7aae44f69ba03cc84)
++---
++ meson.build              | 249 ++++++++++++++++++++++++-----------------------
++ src/core/meson.build     |   2 +-
++ src/nspawn/nspawn-util.c |   5 +-
++ src/shared/meson.build   |   2 +-
++ src/udev/meson.build     |   2 +-
++ 5 files changed, 132 insertions(+), 128 deletions(-)
++
++diff --git a/meson.build b/meson.build
++index ecc5533..f73c7ff 100644
++--- a/meson.build
+++++ b/meson.build
++@@ -146,6 +146,7 @@ rootlibdir = get_option('rootlibdir')
++ if rootlibdir == ''
++         rootlibdir = rootprefixdir / libdir.split('/')[-1]
++ endif
+++rootpkglibdir = rootlibdir / 'systemd'
++
++ install_sysconfdir = get_option('install-sysconfdir') != 'false'
++ install_sysconfdir_samples = get_option('install-sysconfdir') == 'true'
++@@ -1994,7 +1995,7 @@ if conf.get('HAVE_LIBCRYPTSETUP_PLUGINS') == 1
++                                         tpm2,
++                                         versiondep],
++                         link_depends : cryptsetup_token_sym,
++-                        install_rpath : rootlibexecdir,
+++                        install_rpath : rootpkglibdir,
++                         install : true,
++                         install_dir : libcryptsetup_plugins_dir)
++         endif
++@@ -2012,7 +2013,7 @@ if conf.get('HAVE_LIBCRYPTSETUP_PLUGINS') == 1
++                                         libfido2,
++                                         versiondep],
++                         link_depends : cryptsetup_token_sym,
++-                        install_rpath : rootlibexecdir,
+++                        install_rpath : rootpkglibdir,
++                         install : true,
++                         install_dir : libcryptsetup_plugins_dir)
++         endif
++@@ -2030,7 +2031,7 @@ if conf.get('HAVE_LIBCRYPTSETUP_PLUGINS') == 1
++                                         libp11kit,
++                                         versiondep],
++                         link_depends : cryptsetup_token_sym,
++-                        install_rpath : rootlibexecdir,
+++                        install_rpath : rootpkglibdir,
++                         install : true,
++                         install_dir : libcryptsetup_plugins_dir)
++         endif
++@@ -2165,7 +2166,7 @@ exe = executable(
++                      libshared],
++         dependencies : [versiondep,
++                         libseccomp],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true,
++         install_dir : rootlibexecdir)
++ dbus_programs += exe
++@@ -2183,7 +2184,7 @@ public_programs += executable(
++                      libshared],
++         dependencies : [versiondep,
++                         libseccomp],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : conf.get('ENABLE_ANALYZE') == 1)
++
++ executable(
++@@ -2197,7 +2198,7 @@ executable(
++                         liblz4,
++                         libselinux,
++                         libzstd],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true,
++         install_dir : rootlibexecdir)
++
++@@ -2208,7 +2209,7 @@ public_programs += executable(
++         link_with : [libjournal_core,
++                      libshared],
++         dependencies : [threads],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true)
++
++ public_programs += executable(
++@@ -2222,7 +2223,7 @@ public_programs += executable(
++                         liblz4,
++                         libzstd,
++                         libdl],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true,
++         install_dir : rootbindir)
++
++@@ -2231,7 +2232,7 @@ executable(
++         'src/getty-generator/getty-generator.c',
++         include_directories : includes,
++         link_with : [libshared],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true,
++         install_dir : systemgeneratordir)
++
++@@ -2240,7 +2241,7 @@ executable(
++         'src/debug-generator/debug-generator.c',
++         include_directories : includes,
++         link_with : [libshared],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true,
++         install_dir : systemgeneratordir)
++
++@@ -2249,7 +2250,7 @@ executable(
++         'src/run-generator/run-generator.c',
++         include_directories : includes,
++         link_with : [libshared],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true,
++         install_dir : systemgeneratordir)
++
++@@ -2258,7 +2259,7 @@ exe = executable(
++         'src/fstab-generator/fstab-generator.c',
++         include_directories : includes,
++         link_with : [libshared],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true,
++         install_dir : systemgeneratordir)
++
++@@ -2276,7 +2277,7 @@ if conf.get('ENABLE_ENVIRONMENT_D') == 1
++                 'src/environment-d-generator/environment-d-generator.c',
++                 include_directories : includes,
++                 link_with : [libshared],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : userenvgeneratordir)
++
++@@ -2291,7 +2292,7 @@ if conf.get('ENABLE_HIBERNATE') == 1
++                 'src/hibernate-resume/hibernate-resume-generator.c',
++                 include_directories : includes,
++                 link_with : [libshared],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : systemgeneratordir)
++
++@@ -2300,7 +2301,7 @@ if conf.get('ENABLE_HIBERNATE') == 1
++                 'src/hibernate-resume/hibernate-resume.c',
++                 include_directories : includes,
++                 link_with : [libshared],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++ endif
++@@ -2312,7 +2313,7 @@ if conf.get('HAVE_BLKID') == 1
++                 include_directories : includes,
++                 link_with : [libshared],
++                 dependencies : libblkid,
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : systemgeneratordir)
++
++@@ -2321,7 +2322,7 @@ if conf.get('HAVE_BLKID') == 1
++                 'src/dissect/dissect.c',
++                 include_directories : includes,
++                 link_with : [libshared],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true)
++ endif
++
++@@ -2334,7 +2335,7 @@ if conf.get('ENABLE_RESOLVE') == 1
++                              libbasic_gcrypt,
++                              libsystemd_resolve_core],
++                 dependencies : systemd_resolved_dependencies,
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++
++@@ -2349,7 +2350,7 @@ if conf.get('ENABLE_RESOLVE') == 1
++                                 lib_openssl_or_gcrypt,
++                                 libm,
++                                 libidn],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true)
++
++         meson.add_install_script(meson_make_symlink,
++@@ -2370,7 +2371,7 @@ if conf.get('ENABLE_LOGIND') == 1
++                              libshared],
++                 dependencies : [threads,
++                                 libacl],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++
++@@ -2383,7 +2384,7 @@ if conf.get('ENABLE_LOGIND') == 1
++                                 liblz4,
++                                 libxz,
++                                 libzstd],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootbindir)
++
++@@ -2392,7 +2393,7 @@ if conf.get('ENABLE_LOGIND') == 1
++                 'src/login/inhibit.c',
++                 include_directories : includes,
++                 link_with : [libshared],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootbindir)
++
++@@ -2429,7 +2430,7 @@ if conf.get('ENABLE_LOGIND') == 1
++                 user_runtime_dir_sources,
++                 include_directories : includes,
++                 link_with : [libshared],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++ endif
++@@ -2440,7 +2441,7 @@ if conf.get('HAVE_PAM') == 1
++                 'src/user-sessions/user-sessions.c',
++                 include_directories : includes,
++                 link_with : [libshared],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++ endif
++@@ -2458,7 +2459,7 @@ if conf.get('HAVE_BLKID') == 1 and conf.get('HAVE_GNU_EFI') == 1
++                 include_directories : includes,
++                 link_with : [boot_link_with],
++                 dependencies : [libblkid],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true)
++
++         public_programs += executable(
++@@ -2467,7 +2468,7 @@ if conf.get('HAVE_BLKID') == 1 and conf.get('HAVE_GNU_EFI') == 1
++                 include_directories : includes,
++                 link_with : [boot_link_with],
++                 dependencies : [libblkid],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++
++@@ -2476,7 +2477,7 @@ if conf.get('HAVE_BLKID') == 1 and conf.get('HAVE_GNU_EFI') == 1
++                 'src/boot/bless-boot-generator.c',
++                 include_directories : includes,
++                 link_with : [boot_link_with],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : systemgeneratordir)
++ endif
++@@ -2487,7 +2488,7 @@ executable(
++         include_directories : includes,
++         link_with : [libshared],
++         dependencies : [libblkid],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true,
++         install_dir : rootlibexecdir)
++
++@@ -2497,7 +2498,7 @@ public_programs += executable(
++         include_directories : includes,
++         link_with : [libshared],
++         dependencies : [threads],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true)
++
++ systemctl = executable(
++@@ -2511,7 +2512,7 @@ systemctl = executable(
++                         libxz,
++                         liblz4,
++                         libzstd],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true,
++         install_dir : rootbindir)
++ public_programs += systemctl
++@@ -2523,7 +2524,7 @@ if conf.get('ENABLE_PORTABLED') == 1
++                 include_directories : includes,
++                 link_with : [libshared],
++                 dependencies : [threads, libselinux],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++
++@@ -2533,7 +2534,7 @@ if conf.get('ENABLE_PORTABLED') == 1
++                 include_directories : includes,
++                 link_with : [libshared],
++                 dependencies : [threads],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootbindir)
++ endif
++@@ -2544,7 +2545,7 @@ if conf.get('ENABLE_SYSEXT') == 1
++                 systemd_sysext_sources,
++                 include_directories : includes,
++                 link_with : [libshared],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootbindir)
++ endif
++@@ -2556,7 +2557,7 @@ if conf.get('ENABLE_USERDB') == 1
++                 include_directories : includes,
++                 link_with : [libshared],
++                 dependencies : [threads],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++
++@@ -2566,7 +2567,7 @@ if conf.get('ENABLE_USERDB') == 1
++                 include_directories : includes,
++                 link_with : [libshared],
++                 dependencies : [threads],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++
++@@ -2576,7 +2577,7 @@ if conf.get('ENABLE_USERDB') == 1
++                 include_directories : includes,
++                 link_with : [libshared],
++                 dependencies : [threads],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true)
++ endif
++
++@@ -2592,7 +2593,7 @@ if conf.get('ENABLE_HOMED') == 1
++                                 libopenssl,
++                                 libfdisk,
++                                 libp11kit],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++
++@@ -2605,7 +2606,7 @@ if conf.get('ENABLE_HOMED') == 1
++                                 libcrypt,
++                                 libopenssl,
++                                 libm],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++
++@@ -2619,7 +2620,7 @@ if conf.get('ENABLE_HOMED') == 1
++                                 libopenssl,
++                                 libp11kit,
++                                 libdl],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true)
++
++         if conf.get('HAVE_PAM') == 1
++@@ -2661,7 +2662,7 @@ if conf.get('ENABLE_BACKLIGHT') == 1
++                 'src/backlight/backlight.c',
++                 include_directories : includes,
++                 link_with : [libshared],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++ endif
++@@ -2672,7 +2673,7 @@ if conf.get('ENABLE_RFKILL') == 1
++                 'src/rfkill/rfkill.c',
++                 include_directories : includes,
++                 link_with : [libshared],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++ endif
++@@ -2682,7 +2683,7 @@ executable(
++         'src/system-update-generator/system-update-generator.c',
++         include_directories : includes,
++         link_with : [libshared],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true,
++         install_dir : systemgeneratordir)
++
++@@ -2694,7 +2695,7 @@ if conf.get('HAVE_LIBCRYPTSETUP') == 1
++                 link_with : [libshared],
++                 dependencies : [libcryptsetup,
++                                 libp11kit],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++
++@@ -2703,7 +2704,7 @@ if conf.get('HAVE_LIBCRYPTSETUP') == 1
++                 'src/cryptsetup/cryptsetup-generator.c',
++                 include_directories : includes,
++                 link_with : [libshared],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : systemgeneratordir)
++
++@@ -2713,7 +2714,7 @@ if conf.get('HAVE_LIBCRYPTSETUP') == 1
++                 include_directories : includes,
++                 link_with : [libshared],
++                 dependencies : [libcryptsetup],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++
++@@ -2722,7 +2723,7 @@ if conf.get('HAVE_LIBCRYPTSETUP') == 1
++                 'src/veritysetup/veritysetup-generator.c',
++                 include_directories : includes,
++                 link_with : [libshared],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : systemgeneratordir)
++
++@@ -2735,7 +2736,7 @@ if conf.get('HAVE_LIBCRYPTSETUP') == 1
++                                 libdl,
++                                 libopenssl,
++                                 libp11kit],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true)
++
++         executable(
++@@ -2744,7 +2745,7 @@ if conf.get('HAVE_LIBCRYPTSETUP') == 1
++                 include_directories : includes,
++                 link_with : [libshared],
++                 dependencies : [libcryptsetup],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++
++@@ -2753,7 +2754,7 @@ if conf.get('HAVE_LIBCRYPTSETUP') == 1
++                 ['src/integritysetup/integritysetup-generator.c', 'src/integritysetup/integrity-util.c'],
++                 include_directories : includes,
++                 link_with : [libshared],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : systemgeneratordir)
++ endif
++@@ -2764,7 +2765,7 @@ if conf.get('HAVE_SYSV_COMPAT') == 1
++                 'src/sysv-generator/sysv-generator.c',
++                 include_directories : includes,
++                 link_with : [libshared],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : systemgeneratordir)
++
++@@ -2780,7 +2781,7 @@ if conf.get('HAVE_SYSV_COMPAT') == 1
++                 'src/rc-local-generator/rc-local-generator.c',
++                 include_directories : includes,
++                 link_with : [libshared],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : systemgeneratordir)
++ endif
++@@ -2791,7 +2792,7 @@ if conf.get('ENABLE_XDG_AUTOSTART') == 1
++                 systemd_xdg_autostart_generator_sources,
++                 include_directories : includes,
++                 link_with : [libshared],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : usergeneratordir)
++
++@@ -2800,7 +2801,7 @@ if conf.get('ENABLE_XDG_AUTOSTART') == 1
++                 'src/xdg-autostart-generator/xdg-autostart-condition.c',
++                 include_directories : includes,
++                 link_with : [libshared],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++ endif
++@@ -2811,7 +2812,7 @@ if conf.get('ENABLE_HOSTNAMED') == 1
++                 'src/hostname/hostnamed.c',
++                 include_directories : includes,
++                 link_with : [libshared],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++
++@@ -2820,7 +2821,7 @@ if conf.get('ENABLE_HOSTNAMED') == 1
++                 'src/hostname/hostnamectl.c',
++                 include_directories : includes,
++                 link_with : [libshared],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true)
++ endif
++
++@@ -2839,7 +2840,7 @@ if conf.get('ENABLE_LOCALED') == 1
++                 include_directories : includes,
++                 link_with : [libshared],
++                 dependencies : deps,
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++
++@@ -2848,7 +2849,7 @@ if conf.get('ENABLE_LOCALED') == 1
++                 localectl_sources,
++                 include_directories : includes,
++                 link_with : [libshared],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true)
++ endif
++
++@@ -2858,7 +2859,7 @@ if conf.get('ENABLE_TIMEDATED') == 1
++                 'src/timedate/timedated.c',
++                 include_directories : includes,
++                 link_with : [libshared],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++ endif
++@@ -2868,7 +2869,7 @@ if conf.get('ENABLE_TIMEDATECTL') == 1
++                 'timedatectl',
++                 'src/timedate/timedatectl.c',
++                 include_directories : includes,
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 link_with : [libshared],
++                 dependencies : [libm],
++                 install : true)
++@@ -2882,7 +2883,7 @@ if conf.get('ENABLE_TIMESYNCD') == 1
++                 link_with : [libtimesyncd_core],
++                 dependencies : [threads,
++                                 libm],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++
++@@ -2891,7 +2892,7 @@ if conf.get('ENABLE_TIMESYNCD') == 1
++                 'src/timesync/wait-sync.c',
++                 include_directories : includes,
++                 link_with : [libtimesyncd_core],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++ endif
++@@ -2903,7 +2904,7 @@ if conf.get('ENABLE_MACHINED') == 1
++                 include_directories : includes,
++                 link_with : [libmachine_core,
++                              libshared],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++
++@@ -2916,7 +2917,7 @@ if conf.get('ENABLE_MACHINED') == 1
++                                 libxz,
++                                 liblz4,
++                                 libzstd],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootbindir)
++ endif
++@@ -2928,7 +2929,7 @@ if conf.get('ENABLE_IMPORTD') == 1
++                 include_directories : includes,
++                 link_with : [libshared],
++                 dependencies : [threads],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++
++@@ -2944,7 +2945,7 @@ if conf.get('ENABLE_IMPORTD') == 1
++                                 libz,
++                                 libbzip2,
++                                 libxz],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++
++@@ -2958,7 +2959,7 @@ if conf.get('ENABLE_IMPORTD') == 1
++                                 libz,
++                                 libbzip2,
++                                 libxz],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++
++@@ -2968,7 +2969,7 @@ if conf.get('ENABLE_IMPORTD') == 1
++                 include_directories : includes,
++                 link_with : [libshared,
++                              lib_import_common],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++
++@@ -2982,7 +2983,7 @@ if conf.get('ENABLE_IMPORTD') == 1
++                                 libz,
++                                 libbzip2,
++                                 libxz],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++
++@@ -3002,7 +3003,7 @@ if conf.get('ENABLE_REMOTE') == 1 and conf.get('HAVE_LIBCURL') == 1
++                                 libxz,
++                                 liblz4,
++                                 libzstd],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++ endif
++@@ -3020,7 +3021,7 @@ if conf.get('ENABLE_REMOTE') == 1 and conf.get('HAVE_MICROHTTPD') == 1
++                                 libxz,
++                                 liblz4,
++                                 libzstd],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++
++@@ -3035,7 +3036,7 @@ if conf.get('ENABLE_REMOTE') == 1 and conf.get('HAVE_MICROHTTPD') == 1
++                                 libxz,
++                                 liblz4,
++                                 libzstd],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++ endif
++@@ -3052,7 +3053,7 @@ if conf.get('ENABLE_COREDUMP') == 1
++                                 libxz,
++                                 liblz4,
++                                 libzstd],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++
++@@ -3066,7 +3067,7 @@ if conf.get('ENABLE_COREDUMP') == 1
++                                 libxz,
++                                 liblz4,
++                                 libzstd],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true)
++ endif
++
++@@ -3081,7 +3082,7 @@ if conf.get('ENABLE_PSTORE') == 1
++                                 libxz,
++                                 liblz4,
++                                 libzstd],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++ endif
++@@ -3092,7 +3093,7 @@ if conf.get('ENABLE_OOMD') == 1
++                    include_directories : includes,
++                    link_with : [libshared],
++                    dependencies : [],
++-                   install_rpath : rootlibexecdir,
+++                   install_rpath : rootpkglibdir,
++                    install : true,
++                    install_dir : rootlibexecdir)
++
++@@ -3102,7 +3103,7 @@ if conf.get('ENABLE_OOMD') == 1
++                 include_directories : includes,
++                 link_with : [libshared],
++                 dependencies : [],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true)
++ endif
++
++@@ -3112,7 +3113,7 @@ if conf.get('ENABLE_BINFMT') == 1
++                 'src/binfmt/binfmt.c',
++                 include_directories : includes,
++                 link_with : [libshared],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++
++@@ -3134,7 +3135,7 @@ if conf.get('ENABLE_SYSUPDATE') == 1
++                                 libblkid,
++                                 libfdisk,
++                                 libopenssl],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++         public_programs += exe
++@@ -3146,7 +3147,7 @@ if conf.get('ENABLE_VCONSOLE') == 1
++                 'src/vconsole/vconsole-setup.c',
++                 include_directories : includes,
++                 link_with : [libshared],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++ endif
++@@ -3157,7 +3158,7 @@ if conf.get('ENABLE_RANDOMSEED') == 1
++                 'src/random-seed/random-seed.c',
++                 include_directories : includes,
++                 link_with : [libshared],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++ endif
++@@ -3169,7 +3170,7 @@ if conf.get('ENABLE_FIRSTBOOT') == 1
++                 include_directories : includes,
++                 link_with : [libshared],
++                 dependencies : [libcrypt],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootbindir)
++ endif
++@@ -3179,7 +3180,7 @@ executable(
++         'src/remount-fs/remount-fs.c',
++         include_directories : includes,
++         link_with : [libshared],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true,
++         install_dir : rootlibexecdir)
++
++@@ -3188,7 +3189,7 @@ executable(
++         'src/machine-id-setup/machine-id-setup-main.c',
++         include_directories : includes,
++         link_with : [libshared],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true,
++         install_dir : rootbindir)
++
++@@ -3197,7 +3198,7 @@ executable(
++         'src/fsck/fsck.c',
++         include_directories : includes,
++         link_with : [libshared],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true,
++         install_dir : rootlibexecdir)
++
++@@ -3205,7 +3206,7 @@ executable('systemd-growfs',
++            'src/partition/growfs.c',
++            include_directories : includes,
++            link_with : [libshared],
++-           install_rpath : rootlibexecdir,
+++           install_rpath : rootpkglibdir,
++            install : true,
++            install_dir : rootlibexecdir)
++
++@@ -3214,7 +3215,7 @@ executable(
++         'src/partition/makefs.c',
++         include_directories : includes,
++         link_with : [libshared],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true,
++         install_dir : rootlibexecdir)
++
++@@ -3223,7 +3224,7 @@ executable(
++         'src/sleep/sleep.c',
++         include_directories : includes,
++         link_with : [libshared],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true,
++         install_dir : rootlibexecdir)
++
++@@ -3237,7 +3238,7 @@ public_programs += executable(
++         'src/sysctl/sysctl.c',
++         include_directories : includes,
++         link_with : [libshared],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true,
++         install_dir : rootlibexecdir)
++
++@@ -3246,7 +3247,7 @@ executable(
++         'src/ac-power/ac-power.c',
++         include_directories : includes,
++         link_with : [libshared],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true,
++         install_dir : rootlibexecdir)
++
++@@ -3255,7 +3256,7 @@ public_programs += executable(
++         'src/detect-virt/detect-virt.c',
++         include_directories : includes,
++         link_with : [libshared],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true)
++
++ public_programs += executable(
++@@ -3263,7 +3264,7 @@ public_programs += executable(
++         'src/delta/delta.c',
++         include_directories : includes,
++         link_with : [libshared],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true)
++
++ public_programs += executable(
++@@ -3271,7 +3272,7 @@ public_programs += executable(
++         'src/escape/escape.c',
++         include_directories : includes,
++         link_with : [libshared],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true,
++         install_dir : rootbindir)
++
++@@ -3280,7 +3281,7 @@ public_programs += executable(
++         'src/notify/notify.c',
++         include_directories : includes,
++         link_with : [libshared],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true,
++         install_dir : rootbindir)
++
++@@ -3291,7 +3292,7 @@ public_programs += executable(
++         link_with : [libshared],
++         dependencies : [threads,
++                         libopenssl],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true,
++         install_dir : rootbindir)
++
++@@ -3300,7 +3301,7 @@ executable(
++         'src/volatile-root/volatile-root.c',
++         include_directories : includes,
++         link_with : [libshared],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : conf.get('ENABLE_INITRD') == 1,
++         install_dir : rootlibexecdir)
++
++@@ -3309,7 +3310,7 @@ executable(
++         'src/cgroups-agent/cgroups-agent.c',
++         include_directories : includes,
++         link_with : [libshared],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true,
++         install_dir : rootlibexecdir)
++
++@@ -3318,7 +3319,7 @@ systemd_id128 = executable(
++         'src/id128/id128.c',
++         include_directories : includes,
++         link_with : [libshared],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true)
++ public_programs += systemd_id128
++
++@@ -3335,7 +3336,7 @@ public_programs += executable(
++         'src/path/path.c',
++         include_directories : includes,
++         link_with : [libshared],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true)
++
++ public_programs += executable(
++@@ -3343,7 +3344,7 @@ public_programs += executable(
++         'src/ask-password/ask-password.c',
++         include_directories : includes,
++         link_with : [libshared],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true,
++         install_dir : rootbindir)
++
++@@ -3352,7 +3353,7 @@ executable(
++         'src/reply-password/reply-password.c',
++         include_directories : includes,
++         link_with : [libshared],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true,
++         install_dir : rootlibexecdir)
++
++@@ -3361,7 +3362,7 @@ public_programs += executable(
++         'src/tty-ask-password-agent/tty-ask-password-agent.c',
++         include_directories : includes,
++         link_with : [libshared],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true,
++         install_dir : rootbindir)
++
++@@ -3370,7 +3371,7 @@ public_programs += executable(
++         'src/cgls/cgls.c',
++         include_directories : includes,
++         link_with : [libshared],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true)
++
++ public_programs += executable(
++@@ -3378,7 +3379,7 @@ public_programs += executable(
++         'src/cgtop/cgtop.c',
++         include_directories : includes,
++         link_with : [libshared],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true)
++
++ executable(
++@@ -3386,7 +3387,7 @@ executable(
++         'src/initctl/initctl.c',
++         include_directories : includes,
++         link_with : [libshared],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : (conf.get('HAVE_SYSV_COMPAT') == 1),
++         install_dir : rootlibexecdir)
++
++@@ -3396,7 +3397,7 @@ public_programs += executable(
++         include_directories : includes,
++         link_with : [libshared],
++         dependencies: [libmount],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true)
++
++ meson.add_install_script(meson_make_symlink,
++@@ -3407,7 +3408,7 @@ public_programs += executable(
++         'src/run/run.c',
++         include_directories : includes,
++         link_with : [libshared],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true)
++
++ public_programs += executable(
++@@ -3416,7 +3417,7 @@ public_programs += executable(
++         include_directories : includes,
++         link_with : [libshared],
++         dependencies : [versiondep],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true)
++
++ public_programs += executable(
++@@ -3425,7 +3426,7 @@ public_programs += executable(
++         include_directories : includes,
++         link_with : [libshared],
++         dependencies : [versiondep],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true)
++
++ if enable_sysusers
++@@ -3434,7 +3435,7 @@ if enable_sysusers
++                 'src/sysusers/sysusers.c',
++                 include_directories : includes,
++                 link_with : [libshared],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootbindir)
++         public_programs += exe
++@@ -3476,7 +3477,7 @@ if conf.get('ENABLE_TMPFILES') == 1
++                 include_directories : includes,
++                 link_with : [libshared],
++                 dependencies : [libacl],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootbindir)
++         public_programs += exe
++@@ -3538,7 +3539,7 @@ if conf.get('ENABLE_QUOTACHECK') == 1
++                 'src/quotacheck/quotacheck.c',
++                 include_directories : includes,
++                 link_with : [libshared],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++ endif
++@@ -3549,7 +3550,7 @@ public_programs += executable(
++         include_directories : includes,
++         link_with : [libshared],
++         dependencies : [threads],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true,
++         install_dir : rootlibexecdir)
++
++@@ -3578,7 +3579,7 @@ if conf.get('ENABLE_REPART') == 1
++                 dependencies : [threads,
++                                 libblkid,
++                                 libfdisk],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootbindir)
++         public_programs += exe
++@@ -3596,7 +3597,7 @@ executable(
++         include_directories : includes,
++         link_with : [libshared],
++         dependencies : [libmount],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true,
++         install_dir : rootlibexecdir)
++
++@@ -3605,7 +3606,7 @@ executable(
++         'src/update-done/update-done.c',
++         include_directories : includes,
++         link_with : [libshared],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true,
++         install_dir : rootlibexecdir)
++
++@@ -3615,7 +3616,7 @@ executable(
++         include_directories : includes,
++         link_with : [libshared],
++         dependencies : [libaudit],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : (conf.get('ENABLE_UTMP') == 1),
++         install_dir : rootlibexecdir)
++
++@@ -3626,7 +3627,7 @@ if conf.get('HAVE_KMOD') == 1
++                 include_directories : includes,
++                 link_with : [libshared],
++                 dependencies : [libkmod],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++
++@@ -3646,7 +3647,7 @@ public_programs += executable(
++                      libshared],
++         dependencies : [libblkid,
++                         libseccomp],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true)
++
++ if conf.get('ENABLE_NETWORKD') == 1
++@@ -3658,7 +3659,7 @@ if conf.get('ENABLE_NETWORKD') == 1
++                              libsystemd_network,
++                              networkd_link_with],
++                 dependencies : [threads],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++
++@@ -3667,7 +3668,7 @@ if conf.get('ENABLE_NETWORKD') == 1
++                 systemd_networkd_wait_online_sources,
++                 include_directories : includes,
++                 link_with : [networkd_link_with],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootlibexecdir)
++
++@@ -3677,7 +3678,7 @@ if conf.get('ENABLE_NETWORKD') == 1
++                 include_directories : libsystemd_network_includes,
++                 link_with : [libsystemd_network,
++                              networkd_link_with],
++-                install_rpath : rootlibexecdir,
+++                install_rpath : rootpkglibdir,
++                 install : true,
++                 install_dir : rootbindir)
++ endif
++@@ -3687,7 +3688,7 @@ exe = executable(
++         network_generator_sources,
++         include_directories : includes,
++         link_with : [networkd_link_with],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true,
++         install_dir : rootlibexecdir)
++
++@@ -3704,7 +3705,7 @@ executable(
++         'src/sulogin-shell/sulogin-shell.c',
++         include_directories : includes,
++         link_with : [libshared],
++-        install_rpath : rootlibexecdir,
+++        install_rpath : rootpkglibdir,
++         install : true,
++         install_dir : rootlibexecdir)
++
++@@ -3767,7 +3768,7 @@ foreach tuple : tests
++                                         dependencies],
++                         c_args : defs,
++                         build_by_default : want_tests != 'false',
++-                        install_rpath : rootlibexecdir,
+++                        install_rpath : rootpkglibdir,
++                         install : install_tests,
++                         install_dir : testsdir / type,
++                         link_depends : runtest_env)
++diff --git a/src/core/meson.build b/src/core/meson.build
++index 9efa542..162090a 100644
++--- a/src/core/meson.build
+++++ b/src/core/meson.build
++@@ -202,7 +202,7 @@ libcore = shared_library(
++                         libblkid,
++                         libacl],
++         install : true,
++-        install_dir : rootlibexecdir)
+++        install_dir : rootpkglibdir)
++
++ core_includes = [includes, include_directories('.')]
++
++diff --git a/src/nspawn/nspawn-util.c b/src/nspawn/nspawn-util.c
++index 402554f..830ac39 100644
++--- a/src/nspawn/nspawn-util.c
+++++ b/src/nspawn/nspawn-util.c
++@@ -20,9 +20,12 @@ int systemd_installation_has_version(const char *root, const char *minimal_versi
++                        /* /lib works for systems without usr-merge, and for systems with a sane
++                         * usr-merge, where /lib is a symlink to /usr/lib. /usr/lib is necessary
++                         * for Gentoo which does a merge without making /lib a symlink.
+++                        * Also support multiarch paths von Debian/Ubuntu; *-linux-* is a small
+++                        * optimization based on the naming scheme of existing multiarch tuples.
++                         */
++                        "/lib/systemd/libsystemd-shared-*.so",
++                        "/lib64/systemd/libsystemd-shared-*.so",
+++                       "/usr/lib/*-linux-*/systemd/libsystemd-shared-*.so",
++                        "/usr/lib/systemd/libsystemd-shared-*.so",
++                        "/usr/lib64/systemd/libsystemd-shared-*.so") {
++
++@@ -47,7 +50,7 @@ int systemd_installation_has_version(const char *root, const char *minimal_versi
++                         /* This is most likely to run only once, hence let's not optimize anything. */
++                         char *t, *t2;
++
++-                        t = startswith(*name, path);
+++                        t = startswith(basename(*name), "libsystemd-shared-");
++                         if (!t)
++                                 continue;
++
++diff --git a/src/shared/meson.build b/src/shared/meson.build
++index 1d4e4a0..363693d 100644
++--- a/src/shared/meson.build
+++++ b/src/shared/meson.build
++@@ -483,4 +483,4 @@ libshared = shared_library(
++                       libsystemd_static],
++         dependencies : libshared_deps,
++         install : true,
++-        install_dir : rootlibexecdir)
+++        install_dir : rootpkglibdir)
++diff --git a/src/udev/meson.build b/src/udev/meson.build
++index 79964a7..c6711be 100644
++--- a/src/udev/meson.build
+++++ b/src/udev/meson.build
++@@ -100,7 +100,7 @@ link_config_gperf_c = custom_target(
++
++ if get_option('link-udev-shared')
++         udev_link_with = [libshared]
++-        udev_rpath = rootlibexecdir
+++        udev_rpath = rootpkglibdir
++ else
++         udev_link_with = [libshared_static,
++                           libsystemd_static]
 diff --git a/debian/patches/series b/debian/patches/series
 index 4b00a36..7c6674d 100644
 --- a/debian/patches/series
 +++ b/debian/patches/series
@@ -1,5 +1,7 @@
  Do-not-require-a-valid-version-when-parsing-sd-boot-loade.patch
--sha256-fix-compilation-on-efi-ia32.patch
++Move-homectl-and-userdbctl-to-bindir.patch
++meson-install-libsystemd-shared-into-rootpkglibdir.patch
++shellcheck-clean-kernel-install-again.patch
  debian/Use-Debian-specific-config-files.patch
  debian/Bring-tmpfiles.d-tmp.conf-in-line-with-Debian-defaul.patch
  debian/Make-run-lock-tmpfs-an-API-fs.patch
@@ -41,13 +43,10 @@ lp1950794-Revert-sd-dhcp-do-not-use-detect_container-to-guess-.patch
 -Revert-tests-add-test-case-for-UMask-BindPaths-combi.patch
  deny-list-TEST-55-OOMD-on-ppc64el.patch
  debian/UBUNTU-Don-t-override-Ubuntu-s-default-sysctl-values-LP-1962038.patch
--lp1979215-boot-efi-missing-.note.GNU-stack-section-implies-executab.patch
--lp1979236-boot-efi-set-no-warn-rwx-segments-on-arm.patch
  lp1978079-pstore-Run-after-modules-are-loaded.patch
  sd-hwdb-add-sd_hwdb_new_from_path.patch
  hwdb-implement-root-option-for-systemd-hwdb-query.patch
  test-increase-QEMU_MEM-for-some-tests.patch
  test-copy-libgcc_s.so.1-to-TPM2-test-image-on-Debian-like.patch
--units-remove-the-restart-limit-on-the-modprobe-.service.patch
  lp1981042-core-firstboot-workaround-timezone-issues-caused-by-Ubunt.patch
--glibc-Remove-include-linux-fs.h-to-resolve-fsconfig_comma.patch
++test-denylist-TEST-29-PORTABLE-again.patch
 diff --git a/debian/patches/sha256-fix-compilation-on-efi-ia32.patch b/debian/patches/sha256-fix-compilation-on-efi-ia32.patch
 deleted file mode 100644
 index 9d0494a..0000000
 --- a/debian/patches/sha256-fix-compilation-on-efi-ia32.patch
 +++ /dev/null
@@ -1,39 +0,0 @@
--From: =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
--Date: Fri, 3 Jun 2022 09:32:02 +0200
--Subject: sha256: fix compilation on efi-ia32
--MIME-Version: 1.0
--Content-Type: text/plain; charset="utf-8"
--Content-Transfer-Encoding: 8bit
--
--/usr/bin/gcc -c ../src/fundamental/sha256.c -o src/boot/efi/sha256.c.o -Wno-format-signedness -Wno-missing-field-initializers -Wno-unused-parameter -Wdate-time -Wendif-labels -Werror=format=2 -Werror=implicit-function-declaration -Werror=incompatible-pointer-types -Werror=int-conversion -Werror=overflow -Werror=override-init -Werror=return-type -Werror=shift-count-overflow -Werror=shift-overflow=2 -Werror=undef -Wfloat-equal -Wimplicit-fallthrough=5 -Winit-self -Wlogical-op -Wmissing-include-dirs -Wmissing-noreturn -Wnested-externs -Wold-style-definition -Wpointer-arith -Wredundant-decls -Wshadow -Wstrict-aliasing=2 -Wstrict-prototypes -Wsuggest-attribute=noreturn -Wunused-function -Wwrite-strings -Wno-unused-result -fno-stack-protector -fno-strict-aliasing -fpic -fwide-exec-charset=UCS2 -Wall -Wextra -Wsign-compare -nostdlib -std=gnu99 -ffreestanding -fshort-wchar -fvisibility=hidden -isystem /usr/include/efi -isystem /usr/include/efi/ia32 -I /builddir/build/BUILD/systemd-stable-250.7/src/fundamental -DSD_BOOT -DGNU_EFI_USE_MS_ABI -include src/boot/efi/efi_config.h -include version.h -mno-sse -mno-mmx -flto -O2 -flto=auto
--../src/fundamental/sha256.c: In function ‘sha256_finish_ctx’:
--../src/fundamental/sha256.c:61:25: error: ‘false’ undeclared (first use in this function)
--   61 | # define UNALIGNED_P(p) false
--      |                         ^~~~~
--../src/fundamental/sha256.c:136:21: note: in expansion of macro ‘UNALIGNED_P’
--  136 |                 if (UNALIGNED_P(resbuf))
--      |                     ^~~~~~~~~~~
--../src/fundamental/sha256.c:32:1: note: ‘false’ is defined in header ‘<stdbool.h>’; did you forget to ‘#include <stdbool.h>’?
--   31 | #include "sha256.h"
--  +++ |+#include <stdbool.h>
--   32 |
--...
--
--(cherry picked from commit 38c87ca2ab96d085158485ecfc46c7cb6af0f166)
-----
-- src/fundamental/sha256.c | 2 +-
-- 1 file changed, 1 insertion(+), 1 deletion(-)
--
--diff --git a/src/fundamental/sha256.c b/src/fundamental/sha256.c
--index cd16aec..58b1a80 100644
----- a/src/fundamental/sha256.c
--+++ b/src/fundamental/sha256.c
--@@ -58,7 +58,7 @@
-- #  define UNALIGNED_P(p) (((size_t) p) % sizeof(uint32_t) != 0)
-- # endif
-- #else
---# define UNALIGNED_P(p) false
--+# define UNALIGNED_P(p) sd_false
-- #endif
--
-- /* This array contains the bytes used to pad the buffer to the next
 diff --git a/debian/patches/shellcheck-clean-kernel-install-again.patch b/debian/patches/shellcheck-clean-kernel-install-again.patch
 new file mode 100644
 index 0000000..ff3d498
 --- /dev/null
 +++ b/debian/patches/shellcheck-clean-kernel-install-again.patch
@@ -0,0 +1,46 @@
++From: =?utf-8?b?0L3QsNCx?= <nabijaczleweli@nabijaczleweli.xyz>
++Date: Sun, 22 May 2022 22:09:23 +0200
++Subject: shellcheck-clean kernel-install again
++
++(cherry picked from commit 35339eb88c72f30204589101765a0bca5424e253)
++---
++ src/kernel-install/kernel-install.in | 5 ++++-
++ 1 file changed, 4 insertions(+), 1 deletion(-)
++
++diff --git a/src/kernel-install/kernel-install.in b/src/kernel-install/kernel-install.in
++index cf1b81b..c6965ee 100755
++--- a/src/kernel-install/kernel-install.in
+++++ b/src/kernel-install/kernel-install.in
++@@ -115,6 +115,7 @@ fi
++
++ if [ -n "$install_conf" ]; then
++     [ "$KERNEL_INSTALL_VERBOSE" -gt 0 ] && echo "Reading $install_conf…"
+++    # shellcheck source=/dev/null
++     . "$install_conf"
++     # FIXME: This may override configuration in environment variables, e.g. $BOOT_ROOT.
++ fi
++@@ -133,6 +134,7 @@ fi
++ # generated one. If the user configured an explicit machine ID to use in
++ # /etc/machine-info to use for our purpose, we'll use that instead (for
++ # compatibility).
+++# shellcheck source=/dev/null
++ if [ -z "$MACHINE_ID" ] && [ -r /etc/machine-info ] && . /etc/machine-info && MACHINE_ID="$KERNEL_INSTALL_MACHINE_ID"; then
++     [ -n "$MACHINE_ID" ] && [ "$KERNEL_INSTALL_VERBOSE" -gt 0 ] && \
++         echo "machine-id $MACHINE_ID acquired from /etc/machine-info"
++@@ -160,6 +162,7 @@ if [ -z "$ENTRY_TOKEN" ]; then
++     # the IMAGE_ID= and ID= fields from /etc/os-release and finally the fixed
++     # string "Default"
++     ENTRY_TOKEN_SEARCH="$MACHINE_ID"
+++    # shellcheck source=/dev/null
++     [ -r /etc/os-release ] && . /etc/os-release
++     [ -n "$IMAGE_ID" ] && ENTRY_TOKEN_SEARCH="$ENTRY_TOKEN_SEARCH $IMAGE_ID"
++     [ -n "$ID" ] && ENTRY_TOKEN_SEARCH="$ENTRY_TOKEN_SEARCH $ID"
++@@ -294,7 +297,7 @@ PLUGINS="$(
++ IFS="
++ "
++
++-[ "$KERNEL_INSTALL_VERBOSE" -gt 0 ] && echo -e "Plugin files:\n$PLUGINS"
+++[ "$KERNEL_INSTALL_VERBOSE" -gt 0 ] && printf '%s\n' "Plugin files:" "$PLUGINS"
++
++ case "$COMMAND" in
++     add)
 diff --git a/debian/patches/test-denylist-TEST-29-PORTABLE-again.patch b/debian/patches/test-denylist-TEST-29-PORTABLE-again.patch
 new file mode 100644
 index 0000000..5a97810
 --- /dev/null
 +++ b/debian/patches/test-denylist-TEST-29-PORTABLE-again.patch
@@ -0,0 +1,18 @@
++From: Nick Rosbrook <nick.rosbrook@canonical.com>
++Date: Tue, 16 Aug 2022 17:38:36 -0400
++Subject: test: denylist TEST-29-PORTABLE again
++
++Bug: https://github.com/systemd/systemd/issues/24147
++
++---
++ test/TEST-29-PORTABLE/deny-list-upstream-ci | 1 +
++ 1 file changed, 1 insertion(+)
++ create mode 100644 test/TEST-29-PORTABLE/deny-list-upstream-ci
++
++diff --git a/test/TEST-29-PORTABLE/deny-list-upstream-ci b/test/TEST-29-PORTABLE/deny-list-upstream-ci
++new file mode 100644
++index 0000000..89e1567
++--- /dev/null
+++++ b/test/TEST-29-PORTABLE/deny-list-upstream-ci
++@@ -0,0 +1 @@
+++# Flaky test tracked in https://github.com/systemd/systemd/issues/24147
 diff --git a/debian/patches/units-remove-the-restart-limit-on-the-modprobe-.service.patch b/debian/patches/units-remove-the-restart-limit-on-the-modprobe-.service.patch
 deleted file mode 100644
 index f8668f9..0000000
 --- a/debian/patches/units-remove-the-restart-limit-on-the-modprobe-.service.patch
 +++ /dev/null
@@ -1,33 +0,0 @@
--From: Alban Bedel <alban.bedel@aerq.com>
--Date: Wed, 15 Jun 2022 13:12:46 +0200
--Subject: units: remove the restart limit on the modprobe@.service
--
--They are various cases where the same module might be repeatedly
--loaded in a short time frame, for example if a service depending on a
--module keep restarting, or if many instances of such service get
--started at the same time. If this happend the modprobe@.service
--instance will be marked as failed because it hit the restart limit.
--
--Overall it doesn't seems to make much sense to have a restart limit on
--the modprobe service so just disable it.
--
--Fixes: #23742
-----
--Origin: upstream, https://github.com/systemd/systemd/commit/9625350e5381a68c1179ae4581e7586c206663e1
--Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1982462
-----
-- units/modprobe@.service | 1 +
-- 1 file changed, 1 insertion(+)
--
--diff --git a/units/modprobe@.service b/units/modprobe@.service
--index cf8baf6..85a2c08 100644
----- a/units/modprobe@.service
--+++ b/units/modprobe@.service
--@@ -13,6 +13,7 @@ DefaultDependencies=no
-- Before=sysinit.target
-- Documentation=man:modprobe(8)
-- ConditionCapability=CAP_SYS_MODULE
--+StartLimitIntervalSec=0
--
-- [Service]
-- Type=oneshot
 diff --git a/debian/rules b/debian/rules
 index 957f0c3..e47607a 100755
 --- a/debian/rules
 +++ b/debian/rules
@@ -75,8 +75,6 @@ CONFFLAGS = \
  	-Dsysupdate=false \
  	-Dxkbcommon=false \
  	-Dwheel-group=false \
--	-Duserdb=false \
--	-Dhomed=false \
  	-Dpwquality=false \
  	-Dp11kit=false \
  	-Doomd=true \
@@ -103,7 +101,7 @@ CONFFLAGS = \
  	-Dinstall-tests=$(if $(filter noinsttest,$(DEB_BUILD_PROFILES)),false,true) \
  	-Dlibcryptsetup-plugins=false \
  	-Defi=true \
--	-Dman=true \
++	-Dman=$(if $(filter nodoc,$(DEB_BUILD_PROFILES)),false,true) \
  	-Dtranslations=true \
  	-Dnss-myhostname=true \
  	-Dnss-mymachines=true \
@@ -129,6 +127,8 @@ CONFFLAGS += \
  	-Ddns-over-tls=openssl \
  	-Dlibfido2=true \
  	-Dtpm2=$(if $(filter i386,$(DEB_HOST_ARCH)),false,true) \
++	-Dhomed=true \
++	-Duserdb=true \
  	-Dpcre2=true
  else
  CONFFLAGS += \
@@ -145,41 +145,46 @@ CONFFLAGS += \
  	-Dopenssl=false \
  	-Dlibfido2=false \
  	-Dtpm2=false \
++	-Dhomed=false \
++	-Duserdb=false \
  	-Dpcre2=false
  endif
  override_dh_auto_configure:
--	dh_auto_configure --builddirectory=build-deb \
++	dh_auto_configure \
  		-- $(CONFFLAGS) $(CONFFLAGS_DISTRO) $(CONFFLAGS_UPSTREAM)
--override_dh_auto_build:
++execute_before_dh_auto_build:
  	# blhc false positives: C++ fuzz test program, cc -E flags listing, PE-COFF EFI binaries
  	@echo 'blhc: ignore-line-regexp: .* -o test-bus-vtable-cc.*'
  	@echo 'blhc: ignore-line-regexp: .*cc -E.*'
  	@echo 'blhc: ignore-line-regexp: .* -o src/boot/efi.*'
--	dh_auto_build --builddirectory=build-deb
++
++execute_after_dh_auto_build:
  	# generate POT file for translators
--	ninja -C build-deb/ systemd-pot
++	ninja -C obj-$(DEB_HOST_GNU_TYPE) systemd-pot
--override_dh_auto_install:
--	dh_auto_install --builddirectory=build-deb
++execute_after_dh_auto_install:
  	# fix paths in manpages; manually check the remaining /usr occurrences
  	# occasionally, with filtering out paths which are known to be in /usr:
  	# grep -r /usr debian/tmp/usr/share/man/|egrep -v '/usr/local|os.*release|factory|zoneinfo|tmpfiles|kernel|foo|machines|sysctl|dbus|include|binfmt'
--	find debian/tmp/usr/share/man/ -type f | xargs sed -ri 's_/usr(/lib/systemd/system|/lib/systemd/network|/lib/udev|/lib[^/]|/lib/[^a-z])_\1_g'
++	if test -d debian/tmp/usr/share/man; then \
++		find debian/tmp/usr/share/man/ -type f | xargs sed -ri 's_/usr(/lib/systemd/system|/lib/systemd/network|/lib/udev|/lib[^/]|/lib/[^a-z])_\1_g'; \
++	fi
--override_dh_auto_clean:
++execute_before_dh_auto_clean:
  ifneq (, $(TEST_UPSTREAM))
  	debian/extra/checkout-upstream
  endif
--	dh_auto_clean --builddirectory=build-deb
++
++execute_after_dh_auto_clean:
  	rm -f debian/shlibs.local
  	# remove Python byte code files
  	rm -rf tools/__pycache__/
  	rm -rf tools/chromiumos/__pycache__/
  	rm -f po/systemd.pot
--override_dh_install:
++execute_before_dh_install:
  	# remove unnecessary / unused files
  	rm -rf debian/tmp/usr/share/doc/systemd/LICENSES/
  	rm -f debian/tmp/usr/share/doc/systemd/LICENSE.*
@@ -202,21 +207,14 @@ override_dh_install:
  	rm -rf debian/tmp/usr/share/factory/
  	# replace upstream sysusers.d/basic.conf with proper users for Debian
  	debian/extra/make-sysusers-basic > debian/tmp/usr/lib/sysusers.d/basic.conf
--	# remove resolvconf compat symlink
--	rm -f debian/tmp/sbin/resolvconf
  	# remove obsolete compat symlink
  	rm -f debian/tmp/usr/bin/systemd-resolve
--	# do not create a potentially broken /etc/resolv.conf symlink
--	# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007018
--	rm -f debian/tmp/usr/lib/tmpfiles.d/systemd-resolve.conf
--
--	dh_install
--	# install standalone binaries and manpages
++execute_after_dh_install:
++	# install standalone binaries
  	for pkg in sysusers tmpfiles; do \
--		mkdir -p debian/systemd-standalone-$$pkg/bin debian/systemd-standalone-$$pkg/usr/share/man/man8; \
++		mkdir -p debian/systemd-standalone-$$pkg/bin; \
  		mv debian/systemd/bin/systemd-$$pkg.standalone debian/systemd-standalone-$$pkg/bin/systemd-$$pkg; \
--		cp debian/tmp/usr/share/man/man8/systemd-$$pkg.8 debian/systemd-standalone-$$pkg/usr/share/man/man8/; \
  	done
  	# we don't want /tmp to be a tmpfs by default
@@ -226,7 +224,7 @@ override_dh_install:
  	# files shipped by cryptsetup
  ifeq (, $(filter stage1, $(DEB_BUILD_PROFILES)))
--	rm debian/systemd/usr/share/man/man5/crypttab.5
++	rm -f debian/tmp/usr/share/man/man5/crypttab.5
  endif
  	# files shipped by systemd
@@ -235,14 +233,6 @@ endif
  	rm debian/udev/lib/udev/rules.d/71-seat.rules
  	rm debian/udev/lib/udev/rules.d/99-systemd.rules
--	# remove duplicate files shipped by systemd-*/udev
--	echo "Removing duplicate files in systemd package:"
--	set -e; for pkg in $(shell dh_listpackages -Nudev-udeb -Nlibudev1-udeb -Nsystemd -Nsystemd-standalone-sysusers -Nsystemd-standalone-tmpfiles); do \
--		echo "... from $$pkg..."; \
--		(cd debian/$$pkg; find -type f -o -type l) | (cd debian/systemd; xargs rm -f --verbose); \
--		(cd debian/$$pkg; find -mindepth 1 -type d | sort -r) | (cd debian/systemd; xargs rmdir --ignore-fail-on-non-empty --verbose || true); \
--	done
--
  	# Ubuntu specific files
  ifeq ($(DEB_VENDOR),Ubuntu)
  	install -D --mode=644 debian/extra/udev.py debian/udev/usr/share/apport/package-hooks/udev.py
@@ -254,8 +244,30 @@ endif
  	# Remove unneeded file that produces errors in debugedit (LP: #1950445)
  ifeq ($(DEB_HOST_ARCH),i386)
  	rm -f debian/systemd/usr/lib/systemd/boot/efi/linuxia32.elf.stub
++	rm -f debian/systemd-boot-efi/usr/lib/systemd/boot/efi/linuxia32.elf.stub
  endif
++execute_after_dh_installman:
++	# remove duplicate files shipped by systemd-*/udev
++	# run after dh_installman, which runs after dh_install, to include manpages
++	echo "Removing duplicate files in systemd package:"
++	set -e; for pkg in $(shell dh_listpackages -Nudev-udeb -Nlibudev1-udeb -Nsystemd -Nsystemd-standalone-sysusers -Nsystemd-standalone-tmpfiles); do \
++		echo "... from $$pkg..."; \
++		(cd debian/$$pkg; find -type f -o -type l) | (cd debian/systemd; xargs rm -f --verbose); \
++		(cd debian/$$pkg; find -mindepth 1 -type d | sort -r) | (cd debian/systemd; xargs rmdir --ignore-fail-on-non-empty --verbose || true); \
++	done
++
++	# dh_installman is affected by false positives and mangles manpages named as lib*.so.*
++	# fixed in debhelper 13.7.2 by https://salsa.debian.org/debian/debhelper/-/merge_requests/69
++	for pkg in libnss-myhostname libnss-mymachines libnss-resolve libnss-systemd; do \
++		rm -rf debian/$$pkg/usr/share/man/so; \
++	done
++	# work around some more dh_installman issues
++	# see https://salsa.debian.org/debian/debhelper/-/merge_requests/69#note_316102
++	for pkg in libnss-myhostname libnss-mymachines libnss-resolve libnss-systemd; do \
++		rm -rf debian/$$pkg/usr/share/man/man2/; \
++	done
++
  override_dh_missing:
  	dh_missing $(DH_MISSING)
@@ -267,31 +279,35 @@ override_dh_installsystemd:
  	dh_installsystemd -psystemd-timesyncd
  	dh_installsystemd -psystemd-oomd systemd-oomd.service
  	dh_installsystemd -psystemd-oomd --no-stop-on-upgrade systemd-oomd.socket
++	dh_installsystemd -psystemd-userdbd --no-stop-on-upgrade systemd-userdbd.socket
++	dh_installsystemd -psystemd-homed --no-also systemd-homed.service systemd-homed-activate.service
++	dh_installsystemd -psystemd-resolved
  override_dh_installsystemduser:
--PROJECT_VERSION ?= $(shell awk '/(PROJECT|PACKAGE)_VERSION/ {print $$3}' build-deb/config.h | tr -d \")
++PROJECT_VERSION ?= $(shell awk '/(PROJECT|PACKAGE)_VERSION/ {print $$3}' obj-$(DEB_HOST_GNU_TYPE)/config.h | tr -d \")
  # The SysV compat tools (which are symlinks to systemctl) are
  # quasi-essential, so add their dependencies to Pre-Depends
  # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=753589
  override_dh_shlibdeps:
--	dh_shlibdeps -psystemd -llib/systemd/ -- \
++	dh_shlibdeps -psystemd -Llibsystemd-shared -- \
  		-dPre-Depends -edebian/systemd/bin/systemctl \
  		-dDepends
--	dh_shlibdeps --remaining-packages -Lsystemd
++	dh_shlibdeps -plibsystemd-shared -lusr/lib/$(DEB_HOST_MULTIARCH)/systemd
++	dh_shlibdeps --remaining-packages -Llibsystemd-shared
  override_dh_makeshlibs:
  	sed 's/SHARED_LIB_VERSION/$(PROJECT_VERSION)/' debian/shlibs.local.in > debian/shlibs.local
  	dh_makeshlibs -plibudev1 --add-udeb=libudev1-udeb -- -c$(GENSYMBOLS_LEVEL)
--	dh_makeshlibs -psystemd -Xlibsystemd-shared -Xlibsystemd-core -- -c$(GENSYMBOLS_LEVEL)
++	dh_makeshlibs -plibsystemd-shared -Xlibsystemd-shared -Xlibsystemd-core -- -c$(GENSYMBOLS_LEVEL)
  	dh_makeshlibs --remaining-packages -- -c$(GENSYMBOLS_LEVEL)
  override_dh_auto_test:
  ifeq (, $(filter nocheck, $(DEB_BUILD_OPTIONS)))
--	echo "01234567890123456789012345678901" > build-deb/machine-id
++	echo "01234567890123456789012345678901" > obj-$(DEB_HOST_GNU_TYPE)/machine-id
  	# some tests hang under fakeroot, so disable fakeroot
--	env -u LD_PRELOAD SYSTEMD_MACHINE_ID_PATH=$(CURDIR)/build-deb/machine-id meson test -C build-deb --print-errorlogs $(TEST_TIMEOUT_MULTIPLIER)
++	env -u LD_PRELOAD SYSTEMD_MACHINE_ID_PATH=$(CURDIR)/obj-$(DEB_HOST_GNU_TYPE)/machine-id meson test -C obj-$(DEB_HOST_GNU_TYPE) --print-errorlogs $(TEST_TIMEOUT_MULTIPLIER)
  endif
  %:
 diff --git a/debian/shlibs.local.in b/debian/shlibs.local.in
 index 3a5cc0d..085835d 100644
 --- a/debian/shlibs.local.in
 +++ b/debian/shlibs.local.in
@@ -1,4 +1,4 @@
  udeb: libudev 1 libudev1-udeb
  libsystemd 0 libsystemd0 (= ${binary:Version})
--libsystemd-shared SHARED_LIB_VERSION systemd (= ${binary:Version})
--libsystemd-core SHARED_LIB_VERSION systemd (= ${binary:Version})
++libsystemd-shared SHARED_LIB_VERSION libsystemd-shared (= ${binary:Version})
++libsystemd-core SHARED_LIB_VERSION libsystemd-shared (= ${binary:Version})
 diff --git a/debian/systemd-boot-efi.install b/debian/systemd-boot-efi.install
 new file mode 100644
 index 0000000..1cb75d0
 --- /dev/null
 +++ b/debian/systemd-boot-efi.install
@@ -0,0 +1 @@
++usr/lib/systemd/boot/
 diff --git a/debian/systemd-boot-efi.lintian-overrides b/debian/systemd-boot-efi.lintian-overrides
 new file mode 100644
 index 0000000..79067b8
 --- /dev/null
 +++ b/debian/systemd-boot-efi.lintian-overrides
@@ -0,0 +1,6 @@
++# Not a shared library
++systemd-boot-efi: shared-library-lacks-prerequisites
++# PE-COFF EFI binaries, false positives
++systemd-boot-efi: executable-not-elf-or-script
++# These are EFI binaries, not libraries, they all ship in /usr/lib/systemd/boot
++systemd-boot-efi: arch-dependent-file-not-in-arch-specific-directory
 diff --git a/debian/systemd-boot-efi.manpages b/debian/systemd-boot-efi.manpages
 new file mode 100644
 index 0000000..4af7d86
 --- /dev/null
 +++ b/debian/systemd-boot-efi.manpages
@@ -0,0 +1 @@
++usr/share/man/man7/*.efi.stub.7
 diff --git a/debian/systemd-boot.install b/debian/systemd-boot.install
 new file mode 100644
 index 0000000..29cd23b
 --- /dev/null
 +++ b/debian/systemd-boot.install
@@ -0,0 +1,10 @@
++lib/systemd/systemd-bless-boot
++lib/systemd/system-generators/systemd-bless-boot-generator
++lib/systemd/system/sysinit.target.wants/systemd-boot-system-token.service
++lib/systemd/system/systemd-bless-boot.service
++lib/systemd/system/systemd-boot-system-token.service
++lib/systemd/system/systemd-boot-update.service
++usr/bin/bootctl
++usr/share/bash-completion/completions/bootctl
++../extra/initramfs etc/
++../extra/kernel etc/
 diff --git a/debian/systemd-boot.lintian-overrides b/debian/systemd-boot.lintian-overrides
 new file mode 100644
 index 0000000..9a3c32a
 --- /dev/null
 +++ b/debian/systemd-boot.lintian-overrides
@@ -0,0 +1,3 @@
++# Lintian is really bad at associating manpages
++systemd-boot: spare-manual-page
++systemd-boot: package-supports-alternative-init-but-no-init.d-script
 diff --git a/debian/systemd-boot.manpages b/debian/systemd-boot.manpages
 new file mode 100644
 index 0000000..e9c96fd
 --- /dev/null
 +++ b/debian/systemd-boot.manpages
@@ -0,0 +1,8 @@
++usr/share/man/man1/bootctl.1
++usr/share/man/man5/loader.conf.5
++usr/share/man/man7/sd-boot.7
++usr/share/man/man7/systemd-boot.7
++usr/share/man/man8/systemd-bless-boot.8
++usr/share/man/man8/systemd-bless-boot-generator.8
++usr/share/man/man8/systemd-bless-boot.service.8
++usr/share/man/man8/systemd-boot-system-token.service.8
 diff --git a/debian/systemd-container.install b/debian/systemd-container.install
 index a092998..0d0a86c 100644
 --- a/debian/systemd-container.install
 +++ b/debian/systemd-container.install
@@ -27,12 +27,6 @@ usr/share/dbus-1/system.d/org.freedesktop.portable1.conf
  usr/share/dbus-1/system-services/org.freedesktop.import1.service
  usr/share/dbus-1/system-services/org.freedesktop.machine1.service
  usr/share/dbus-1/system-services/org.freedesktop.portable1.service
--usr/share/man/man*/*nspawn*
--usr/share/man/man*/machinectl*
--usr/share/man/man*/portablectl*
--usr/share/man/man*/systemd-dissect*
--usr/share/man/man*/systemd-machined*
--usr/share/man/man*/systemd-portabled*
  usr/share/polkit-1/actions/org.freedesktop.import1.policy
  usr/share/polkit-1/actions/org.freedesktop.machine1.policy
  usr/share/polkit-1/actions/org.freedesktop.portable1.policy
 diff --git a/debian/systemd-container.manpages b/debian/systemd-container.manpages
 new file mode 100644
 index 0000000..c09a172
 --- /dev/null
 +++ b/debian/systemd-container.manpages
@@ -0,0 +1,6 @@
++usr/share/man/man*/*nspawn*
++usr/share/man/man*/machinectl*
++usr/share/man/man*/portablectl*
++usr/share/man/man*/systemd-dissect*
++usr/share/man/man*/systemd-machined*
++usr/share/man/man*/systemd-portabled*
 diff --git a/debian/systemd-coredump.install b/debian/systemd-coredump.install
 index e3c3245..730a98c 100644
 --- a/debian/systemd-coredump.install
 +++ b/debian/systemd-coredump.install
@@ -5,8 +5,5 @@ lib/systemd/system/*/systemd-coredump*
  usr/bin/coredumpctl
  usr/lib/sysctl.d/50-coredump.conf
  usr/lib/sysusers.d/systemd-coredump.conf
--usr/share/man/man1/coredumpctl*
--usr/share/man/man5/coredump.conf*
--usr/share/man/man8/systemd-coredump*
  usr/share/bash-completion/completions/coredumpctl
  usr/share/zsh/vendor-completions/_coredumpctl
 diff --git a/debian/systemd-coredump.manpages b/debian/systemd-coredump.manpages
 new file mode 100644
 index 0000000..5e7573e
 --- /dev/null
 +++ b/debian/systemd-coredump.manpages
@@ -0,0 +1,3 @@
++usr/share/man/man1/coredumpctl*
++usr/share/man/man5/coredump.conf*
++usr/share/man/man8/systemd-coredump*
 diff --git a/debian/systemd-homed.install b/debian/systemd-homed.install
 new file mode 100644
 index 0000000..b8357a3
 --- /dev/null
 +++ b/debian/systemd-homed.install
@@ -0,0 +1,11 @@
++etc/systemd/homed.conf
++lib/*/security/pam_systemd_home.so
++lib/systemd/systemd-homed
++lib/systemd/systemd-homework
++lib/systemd/system/systemd-homed.service
++lib/systemd/system/systemd-homed-activate.service
++usr/bin/homectl
++usr/share/dbus-1/*/*home*
++usr/share/polkit-1/actions/org.freedesktop.home1.policy
++usr/share/bash-completion/completions/homectl
++../extra/pam-configs/systemd-homed usr/share/pam-configs/
 diff --git a/debian/systemd-homed.lintian-overrides b/debian/systemd-homed.lintian-overrides
 new file mode 100644
 index 0000000..51274e4
 --- /dev/null
 +++ b/debian/systemd-homed.lintian-overrides
@@ -0,0 +1,5 @@
++# Lintian is really bad at associating manpages
++systemd-homed: spare-manual-page
++# False positive: Lintian doesn't recognize Also=
++systemd-homed: systemd-service-file-refers-to-unusual-wantedby-target
++systemd-homed: package-supports-alternative-init-but-no-init.d-script
 diff --git a/debian/systemd-homed.manpages b/debian/systemd-homed.manpages
 new file mode 100644
 index 0000000..4696f75
 --- /dev/null
 +++ b/debian/systemd-homed.manpages
@@ -0,0 +1 @@
++usr/share/man/man*/*home*
 diff --git a/debian/systemd-homed.postinst b/debian/systemd-homed.postinst
 new file mode 100644
 index 0000000..7e37590
 --- /dev/null
 +++ b/debian/systemd-homed.postinst
@@ -0,0 +1,7 @@
++#!/bin/sh
++
++set -e
++
++pam-auth-update --package
++
++#DEBHELPER#
 diff --git a/debian/systemd-homed.prerm b/debian/systemd-homed.prerm
 new file mode 100644
 index 0000000..0dd38b0
 --- /dev/null
 +++ b/debian/systemd-homed.prerm
@@ -0,0 +1,20 @@
++#!/bin/sh
++
++set -e
++
++# pam-auth-update --remove removes the named profile from the active config.
++# It arguably should be called during deconfigure as well, but deconfigure
++# can happen in some cases during a dist-upgrade and we don't want to
++# deconfigure all PAM modules in the middle of a dist-upgrade by accident.
++#
++# More importantly, with the current implementation, --remove also removes
++# all local preferences for the named config (such as whether it's enabled
++# or disabled), which we don't want to do on deconfigure.
++#
++# This may need to change later as pam-auth-update evolves.
++
++if [ "$1" = remove ] && [ "${DPKG_MAINTSCRIPT_PACKAGE_REFCOUNT:-1}" = 1 ]; then
++    pam-auth-update --package --remove systemd-homed
++fi
++
++#DEBHELPER#
 diff --git a/debian/systemd-journal-remote.install b/debian/systemd-journal-remote.install
 index 188628b..f187d8f 100644
 --- a/debian/systemd-journal-remote.install
 +++ b/debian/systemd-journal-remote.install
@@ -2,10 +2,6 @@
  etc/systemd/journal-upload.conf
  lib/systemd/systemd-journal-upload
  lib/systemd/system/systemd-journal-upload.service
--usr/share/man/man5/journal-upload.conf.d.5
--usr/share/man/man5/journal-upload.conf.5
--usr/share/man/man8/systemd-journal-upload.8
--usr/share/man/man8/systemd-journal-upload.service.8
  # systemd-journal-remote
  etc/systemd/journal-remote.conf
@@ -13,17 +9,9 @@ lib/systemd/systemd-journal-remote
  lib/systemd/system/systemd-journal-remote.service
  lib/systemd/system/systemd-journal-remote.socket
  usr/lib/sysusers.d/systemd-remote.conf
--usr/share/man/man5/journal-remote.conf.d.5
--usr/share/man/man5/journal-remote.conf.5
--usr/share/man/man8/systemd-journal-remote.service.8
--usr/share/man/man8/systemd-journal-remote.socket.8
--usr/share/man/man8/systemd-journal-remote.8
  # systemd-journal-gatewayd
  lib/systemd/systemd-journal-gatewayd
  lib/systemd/system/systemd-journal-gatewayd.service
  lib/systemd/system/systemd-journal-gatewayd.socket
  usr/share/systemd/gatewayd/
--usr/share/man/man8/systemd-journal-gatewayd.service.8
--usr/share/man/man8/systemd-journal-gatewayd.socket.8
--usr/share/man/man8/systemd-journal-gatewayd.8
 diff --git a/debian/systemd-journal-remote.manpages b/debian/systemd-journal-remote.manpages
 new file mode 100644
 index 0000000..55ede14
 --- /dev/null
 +++ b/debian/systemd-journal-remote.manpages
@@ -0,0 +1,12 @@
++usr/share/man/man5/journal-upload.conf.d.5
++usr/share/man/man5/journal-upload.conf.5
++usr/share/man/man8/systemd-journal-upload.8
++usr/share/man/man8/systemd-journal-upload.service.8
++usr/share/man/man5/journal-remote.conf.d.5
++usr/share/man/man5/journal-remote.conf.5
++usr/share/man/man8/systemd-journal-remote.service.8
++usr/share/man/man8/systemd-journal-remote.socket.8
++usr/share/man/man8/systemd-journal-remote.8
++usr/share/man/man8/systemd-journal-gatewayd.service.8
++usr/share/man/man8/systemd-journal-gatewayd.socket.8
++usr/share/man/man8/systemd-journal-gatewayd.8
 diff --git a/debian/systemd-oomd.install b/debian/systemd-oomd.install
 index f9f6686..7bbe7cd 100644
 --- a/debian/systemd-oomd.install
 +++ b/debian/systemd-oomd.install
@@ -8,6 +8,5 @@ lib/systemd/system/systemd-oomd.socket
  usr/bin/oomctl
  usr/lib/sysusers.d/systemd-oom.conf
  usr/share/dbus-1/*/*oom*
--usr/share/man/man*/*oom*
  usr/share/bash-completion/completions/oomctl
  usr/share/zsh/vendor-completions/_oomctl
 diff --git a/debian/systemd-oomd.manpages b/debian/systemd-oomd.manpages
 new file mode 100644
 index 0000000..b1f4970
 --- /dev/null
 +++ b/debian/systemd-oomd.manpages
@@ -0,0 +1 @@
++usr/share/man/man*/*oom*
 diff --git a/debian/systemd-resolved.install b/debian/systemd-resolved.install
 new file mode 100644
 index 0000000..6d7241d
 --- /dev/null
 +++ b/debian/systemd-resolved.install
@@ -0,0 +1,13 @@
++/sbin/resolvconf
++/etc/systemd/resolved.conf
++/lib/systemd/systemd-resolved
++/lib/systemd/system/systemd-resolved.service
++/usr/bin/resolvectl
++/usr/lib/sysusers.d/systemd-resolve.conf
++/usr/lib/tmpfiles.d/systemd-resolve.conf
++/usr/share/bash-completion/completions/resolvectl
++/usr/share/bash-completion/completions/systemd-resolve
++/usr/share/dbus-1/system.d/org.freedesktop.resolve1.conf
++/usr/share/dbus-1/system-services/org.freedesktop.resolve1.service
++/usr/share/polkit-1/actions/org.freedesktop.resolve1.policy
++/usr/share/zsh/vendor-completions/_resolvectl
 diff --git a/debian/systemd-resolved.links b/debian/systemd-resolved.links
 new file mode 100644
 index 0000000..63b933a
 --- /dev/null
 +++ b/debian/systemd-resolved.links
@@ -0,0 +1 @@
++/run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
 diff --git a/debian/systemd-resolved.lintian-overrides b/debian/systemd-resolved.lintian-overrides
 new file mode 100644
 index 0000000..459af93
 --- /dev/null
 +++ b/debian/systemd-resolved.lintian-overrides
@@ -0,0 +1,3 @@
++# Lintian is really bad at associating manpages
++systemd-resolved: spare-manual-page
++systemd-resolved: package-supports-alternative-init-but-no-init.d-script
 diff --git a/debian/systemd-resolved.manpages b/debian/systemd-resolved.manpages
 new file mode 100644
 index 0000000..2933665
 --- /dev/null
 +++ b/debian/systemd-resolved.manpages
@@ -0,0 +1,4 @@
++usr/share/man/man1/resolv*
++usr/share/man/man5/org.freedesktop.resolve1*
++usr/share/man/man5/resolved.conf.*
++usr/share/man/man8/systemd-resolved.*
 diff --git a/debian/systemd-resolved.postinst b/debian/systemd-resolved.postinst
 new file mode 100644
 index 0000000..17ab957
 --- /dev/null
 +++ b/debian/systemd-resolved.postinst
@@ -0,0 +1,28 @@
++#!/bin/sh
++
++set -e
++
++_adopt_conffile() {
++    conffile=$1
++    pkg=$2
++
++    [ -f ${conffile}.dpkg-bak ] || return 0
++
++    md5sum="$(md5sum ${conffile} | sed -e 's/ .*//')"
++    old_md5sum="$(dpkg-query -W -f='${Conffiles}' $pkg | \
++                        sed -n -e "\' ${conffile} ' { s/ obsolete$//; s/.* //; p }")"
++    # On new installs, if the policy file was preserved on systemd upgrade
++    # by dpkg-maintscript helper, copy it back if the new file has not been modified yet
++    if [ "$md5sum" = "$old_md5sum" ]; then
++        mv ${conffile}.dpkg-bak ${conffile}
++    fi
++}
++
++
++if [ "$1" = configure ] && [ -z "$2" ]; then
++    adduser --quiet --system --group --no-create-home --home /run/systemd \
++        --gecos "systemd Resolver" systemd-resolve
++    _adopt_conffile /etc/systemd/resolved.conf systemd-resolved
++fi
++
++#DEBHELPER#
 diff --git a/debian/systemd-standalone-sysusers.manpages b/debian/systemd-standalone-sysusers.manpages
 new file mode 100644
 index 0000000..daaab6a
 --- /dev/null
 +++ b/debian/systemd-standalone-sysusers.manpages
@@ -0,0 +1 @@
++usr/share/man/man8/systemd-sysusers.8
 diff --git a/debian/systemd-standalone-tmpfiles.manpages b/debian/systemd-standalone-tmpfiles.manpages
 new file mode 100644
 index 0000000..d90ac8f
 --- /dev/null
 +++ b/debian/systemd-standalone-tmpfiles.manpages
@@ -0,0 +1 @@
++usr/share/man/man8/systemd-tmpfiles.8
 diff --git a/debian/systemd-sysv.install b/debian/systemd-sysv.install
 index 9c104a9..34e4528 100644
 --- a/debian/systemd-sysv.install
 +++ b/debian/systemd-sysv.install
@@ -1,10 +1,3 @@
--usr/share/man/man1/init.1
--usr/share/man/man8/telinit.8
--usr/share/man/man8/runlevel.8
--usr/share/man/man8/shutdown.8
--usr/share/man/man8/poweroff.8
--usr/share/man/man8/reboot.8
--usr/share/man/man8/halt.8
  sbin/init
  sbin/telinit
  sbin/runlevel
 diff --git a/debian/systemd-sysv.manpages b/debian/systemd-sysv.manpages
 new file mode 100644
 index 0000000..0a949c9
 --- /dev/null
 +++ b/debian/systemd-sysv.manpages
@@ -0,0 +1,7 @@
++usr/share/man/man1/init.1
++usr/share/man/man8/telinit.8
++usr/share/man/man8/runlevel.8
++usr/share/man/man8/shutdown.8
++usr/share/man/man8/poweroff.8
++usr/share/man/man8/reboot.8
++usr/share/man/man8/halt.8
 diff --git a/debian/systemd-timesyncd.install b/debian/systemd-timesyncd.install
 index 7090dba..a5be5b5 100644
 --- a/debian/systemd-timesyncd.install
 +++ b/debian/systemd-timesyncd.install
@@ -4,5 +4,4 @@ lib/systemd/systemd-timesyncd
  lib/systemd/system/systemd-timesyncd.service
  usr/lib/sysusers.d/systemd-timesync.conf
  usr/share/dbus-1/*/*timesync*
--usr/share/man/man*/*timesyncd*
  ../extra/dhclient-exit-hooks.d/ etc/dhcp/
 diff --git a/debian/systemd-timesyncd.manpages b/debian/systemd-timesyncd.manpages
 new file mode 100644
 index 0000000..b77577f
 --- /dev/null
 +++ b/debian/systemd-timesyncd.manpages
@@ -0,0 +1 @@
++usr/share/man/man*/*timesyncd*
 diff --git a/debian/systemd-userdbd.install b/debian/systemd-userdbd.install
 new file mode 100644
 index 0000000..c40ee43
 --- /dev/null
 +++ b/debian/systemd-userdbd.install
@@ -0,0 +1,5 @@
++lib/systemd/systemd-userdbd
++lib/systemd/systemd-userwork
++lib/systemd/system/systemd-userdbd.service
++lib/systemd/system/systemd-userdbd.socket
++usr/bin/userdbctl
 diff --git a/debian/systemd-userdbd.lintian-overrides b/debian/systemd-userdbd.lintian-overrides
 new file mode 100644
 index 0000000..f834679
 --- /dev/null
 +++ b/debian/systemd-userdbd.lintian-overrides
@@ -0,0 +1,3 @@
++# Lintian is really bad at associating manpages
++systemd-userdbd: spare-manual-page
++systemd-userdbd: package-supports-alternative-init-but-no-init.d-script
 diff --git a/debian/systemd-userdbd.manpages b/debian/systemd-userdbd.manpages
 new file mode 100644
 index 0000000..95d4d26
 --- /dev/null
 +++ b/debian/systemd-userdbd.manpages
@@ -0,0 +1 @@
++usr/share/man/man*/*userdb*
 diff --git a/debian/systemd.NEWS b/debian/systemd.NEWS
 index 4003182..100a1df 100644
 --- a/debian/systemd.NEWS
 +++ b/debian/systemd.NEWS
@@ -1,3 +1,24 @@
++systemd (251.3-2) unstable; urgency=medium
++
++  systemd-resolved has been split into a separate package.
++  This new systemd-resolved package will not be installed automatically on
++  upgrades. If you are using systemd-resolved, please install this new
++  package manually.
++
++ -- Luca Boccassi <bluca@debian.org>  Thu, 05 Aug 2022 20:26:12 +0100
++
++systemd (251.2-3) unstable; urgency=medium
++
++  systemd-boot has been split into a separate package.
++  This new systemd-boot package will not be installed automatically on
++  upgrades. If you are using systemd-boot, please install this new
++  package manually.
++
++  The default boot loader in Debian is grub2. If you have not set up
++  systemd-boot manually, no action is required on your side.
++
++ -- Michael Biebl <biebl@debian.org>  Wed, 08 Jun 2022 21:49:47 +0200
++
  systemd (251.1-1) unstable; urgency=medium
    systemd-journal-gatewayd and systemd-journal-remote are now built
 diff --git a/debian/systemd.install b/debian/systemd.install
 index c2e5c69..f5547d0 100644
 --- a/debian/systemd.install
 +++ b/debian/systemd.install
@@ -14,14 +14,9 @@ usr/lib/sysctl.d/
  usr/lib/sysusers.d/basic.conf
  usr/lib/sysusers.d/systemd-journal.conf
  usr/lib/sysusers.d/systemd-network.conf
--usr/lib/sysusers.d/systemd-resolve.conf
  usr/lib/systemd/
  usr/lib/tmpfiles.d/
  usr/lib/kernel
--usr/share/man/man1/
--usr/share/man/man5/
--usr/share/man/man7/
--usr/share/man/man8/
  usr/share/bash-completion/
  usr/share/zsh/vendor-completions/
  usr/share/dbus-1/
 diff --git a/debian/systemd.lintian-overrides b/debian/systemd.lintian-overrides
 index 1c2a8f2..5159e2c 100644
 --- a/debian/systemd.lintian-overrides
 +++ b/debian/systemd.lintian-overrides
@@ -15,12 +15,5 @@ systemd: package-contains-empty-directory lib/systemd/system/runlevel4.target.wa
  systemd: package-contains-empty-directory lib/systemd/system/runlevel5.target.wants/
  systemd: package-contains-empty-directory usr/lib/binfmt.d/
  systemd: package-contains-empty-directory usr/lib/modules-load.d/
--# Not a shared library
--systemd: shared-library-lacks-prerequisites usr/lib/systemd/boot/efi/linuxx64.elf.stub
--# PE-COFF EFI binaries, false positives
--systemd: executable-not-elf-or-script usr/lib/systemd/boot/efi/linuxx64.efi.stub
--systemd: executable-not-elf-or-script usr/lib/systemd/boot/efi/systemd-bootx64.efi
--# Intentional: value of config got in a release by mistake, needs to be kept
--systemd: spelling-error-in-binary lib/systemd/libsystemd-shared-251.so anually annually
  # netlink keyword
  systemd: spelling-error-in-binary lib/systemd/systemd-networkd iif if
 diff --git a/debian/systemd.maintscript b/debian/systemd.maintscript
 index a4cd38d..e7fd0a1 100644
 --- a/debian/systemd.maintscript
 +++ b/debian/systemd.maintscript
@@ -2,3 +2,4 @@ rm_conffile /etc/dhcp/dhclient-exit-hooks.d/timesyncd 245.4-2~
  rm_conffile /etc/systemd/timesyncd.conf 245.4-2~
  rm_conffile /etc/dhcp/dhclient-enter-hooks.d/resolved 246-2ubuntu1~
  rm_conffile /etc/pam.d/systemd-user 246.6-3~
++rm_conffile /etc/systemd/resolved.conf 251.3-2~
 diff --git a/debian/systemd.manpages b/debian/systemd.manpages
 new file mode 100644
 index 0000000..57f666f
 --- /dev/null
 +++ b/debian/systemd.manpages
@@ -0,0 +1,4 @@
++usr/share/man/man1/*
++usr/share/man/man5/*
++usr/share/man/man7/*
++usr/share/man/man8/*
 diff --git a/debian/systemd.postinst b/debian/systemd.postinst
 index 32fa7db..63e78ca 100644
 --- a/debian/systemd.postinst
 +++ b/debian/systemd.postinst
@@ -19,7 +19,7 @@ _update_binfmt() {
      # configuration ship a corresponding binfmt.d snippet yet.
      # Once this is the case, this additional safety check can be removed.
      if ! _systemctl -q is-active binfmt-support.service; then
--        _systemctl restart systemd-binfmt.service || true
++        _systemctl try-restart systemd-binfmt.service || true
      fi
+ }
@@ -84,8 +84,6 @@ addgroup --quiet --system systemd-journal
  adduser --quiet --system --group --no-create-home --home /run/systemd \
      --gecos "systemd Network Management" systemd-network
--adduser --quiet --system --group --no-create-home --home /run/systemd \
--    --gecos "systemd Resolver" systemd-resolve
  # Enable persistent journal, in auto-mode, by default on new installs installs and upgrades
  if dpkg --compare-versions "$2" lt "235-3ubuntu3~"; then
@@ -116,7 +114,6 @@ if [ -n "$2" ] && [ "$(systemctl is-system-running)" != "stopping" ]; then
          _systemctl stop systemd-networkd.socket || true
      fi
      _systemctl try-restart systemd-networkd.service || true
--    _systemctl try-restart systemd-resolved.service || true
      _systemctl try-restart systemd-journald.service || true
  fi
 diff --git a/debian/tests/control b/debian/tests/control
 index 56626f9..361abe0 100644
 --- a/debian/tests/control
 +++ b/debian/tests/control
@@ -37,6 +37,7 @@ Tests: networkd-test.py
  Tests-Directory: test
  Depends: systemd,
    udev,
++  systemd-resolved,
    libpam-systemd,
    libnss-systemd,
    acl,
@@ -137,6 +138,8 @@ Depends: systemd-tests,
    systemd-coredump,
    systemd-timesyncd,
    systemd-oomd,
++  systemd-homed,
++  systemd-resolved,
    libnss-myhostname,
    libnss-mymachines,
    libnss-resolve,
@@ -188,6 +191,7 @@ Depends: systemd-tests,
    swtpm,
    tpm2-tools,
    libgcc-s1,
++  openssl,
  Restrictions: needs-root, allow-stderr, isolation-machine
  Tests: boot-smoke
 diff --git a/debian/udev.install b/debian/udev.install
 index cb52122..adeb7ad 100644
 --- a/debian/udev.install
 +++ b/debian/udev.install
@@ -7,13 +7,6 @@ lib/systemd/systemd-udevd
  bin/udevadm
  bin/systemd-hwdb
  usr/lib/tmpfiles.d/static-nodes-permissions.conf
--usr/share/man/man5/udev.conf.5
--usr/share/man/man5/systemd.link.5
--usr/share/man/man7/hwdb.7
--usr/share/man/man7/udev.7
--usr/share/man/man8/systemd-hwdb*
--usr/share/man/man8/systemd-udevd*
--usr/share/man/man8/udevadm.8
  usr/share/bash-completion/completions/udevadm
  usr/share/zsh/vendor-completions/_udevadm
  usr/share/pkgconfig/udev.pc
 diff --git a/debian/udev.manpages b/debian/udev.manpages
 new file mode 100644
 index 0000000..f55622c
 --- /dev/null
 +++ b/debian/udev.manpages
@@ -0,0 +1,7 @@
++usr/share/man/man5/udev.conf.5
++usr/share/man/man5/systemd.link.5
++usr/share/man/man7/hwdb.7
++usr/share/man/man7/udev.7
++usr/share/man/man8/systemd-hwdb*
++usr/share/man/man8/systemd-udevd*
++usr/share/man/man8/udevadm.8
 diff --git a/hwdb.d/70-analyzers.hwdb b/hwdb.d/70-analyzers.hwdb
 index 899ece3..0a19115 100644
 --- a/hwdb.d/70-analyzers.hwdb
 +++ b/hwdb.d/70-analyzers.hwdb
@@ -29,7 +29,6 @@ usb:v1679p3001*
  # Power Delivery Analyzers
  usb:v1679p6003*
--usb:v0483pDF11*
   ID_SIGNAL_ANALYZER=1
  ###########################################################
 diff --git a/man/journalctl.xml b/man/journalctl.xml
 index 424acc9..e226663 100644
 --- a/man/journalctl.xml
 +++ b/man/journalctl.xml
@@ -650,7 +650,7 @@
          <listitem><para>If <replaceable>FILE</replaceable> exists and contains a
          cursor, start showing entries <emphasis>after</emphasis> this location.
--        Otherwise the show entries according the other given options. At the end,
++        Otherwise show entries according to the other given options. At the end,
          write the cursor of the last entry to <replaceable>FILE</replaceable>. Use
          this option to continually read the journal by sequentially calling
          <command>journalctl</command>.</para></listitem>
 diff --git a/man/os-release.xml b/man/os-release.xml
 index 875ac94..dd135d6 100644
 --- a/man/os-release.xml
 +++ b/man/os-release.xml
@@ -429,7 +429,7 @@
            <listitem><para>Takes a space-separated list of one or more valid prefix match strings for the
            <ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services</ulink> logic. This field
            serves two purposes: it is informational, identifying portable service images as such (and thus
--          allowing them to be distinguished from other OS images, such as bootable system images). In is also
++          allowing them to be distinguished from other OS images, such as bootable system images). It is also
            used when a portable service image is attached: the specified or implied portable service prefix is
            checked against the list specified here, to enforce restrictions how images may be attached to a
            system.</para></listitem>
 diff --git a/man/pam_systemd_home.xml b/man/pam_systemd_home.xml
 index 906d1c1..9fa0e0a 100644
 --- a/man/pam_systemd_home.xml
 +++ b/man/pam_systemd_home.xml
@@ -17,8 +17,8 @@
    <refnamediv>
      <refname>pam_systemd_home</refname>
--    <refpurpose>Automatically mount home directories managed by <filename>systemd-homed.service</filename> on
--    login, and unmount them on logout</refpurpose>
++    <refpurpose>Authenticate users and mount home directories via <filename>systemd-homed.service</filename>
++    </refpurpose>
    </refnamediv>
    <refsynopsisdiv>
@@ -31,7 +31,11 @@
      <para><command>pam_systemd_home</command> ensures that home directories managed by
      <citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
      are automatically activated (mounted) on user login, and are deactivated (unmounted) when the last
--    session of the user ends.</para>
++    session of the user ends. For such users, it also provides authentication (when per-user disk encryption
++    is used, the disk encryption key is derived from the authentication credential supplied at login time),
++    account management (the <ulink url="https://systemd.io/USER_RECORD/">JSON user record</ulink> embedded in
++    the home store contains account details), and implements the updating of the encryption password (which
++    is also used for user authentication).</para>
    </refsect1>
    <refsect1>
@@ -93,8 +97,13 @@
    <refsect1>
      <title>Module Types Provided</title>
--    <para>The module provides all four management operations: <option>auth</option>, <option>account</option>,
--    <option>session</option>, <option>password</option>.</para>
++    <para>The module implements all four PAM operations: <option>auth</option> (reason: to allow
++    authentication using the encrypted data), <option>account</option> (reason: users with
++    <filename>systemd-homed.service</filename> user accounts are described in a <ulink
++    url="https://systemd.io/USER_RECORD/">JSON user record</ulink> and may be configured in more detail than
++    in the traditional Linux user database), <option>session</option> (user sessions must be tracked in order
++    to implement automatic release when the last session of the user is gone), <option>password</option> (to
++    change the encryption password — also used for user authentication — through PAM).</para>
    </refsect1>
    <refsect1>
 diff --git a/man/sd_notify.xml b/man/sd_notify.xml
 index 4a0a7b3..31388b9 100644
 --- a/man/sd_notify.xml
 +++ b/man/sd_notify.xml
@@ -272,13 +272,14 @@
        <varlistentry>
          <term>BARRIER=1</term>
--        <listitem><para>Tells the service manager that the client is explicitly requesting synchronization by means of
--        closing the file descriptor sent with this command. The service manager guarantees that the processing of a <varname>
--        BARRIER=1</varname> command will only happen after all previous notification messages sent before this command
--        have been processed. Hence, this command accompanied with a single file descriptor can be used to synchronize
--        against reception of all previous status messages. Note that this command cannot be mixed with other notifications,
--        and has to be sent in a separate message to the service manager, otherwise all assignments will be ignored. Note that
--        sending 0 or more than 1 file descriptor with this command is a violation of the protocol.</para></listitem>
++        <listitem><para>Tells the service manager that the client is explicitly requesting synchronization by
++        means of closing the file descriptor sent with this command. The service manager guarantees that the
++        processing of a <varname>BARRIER=1</varname> command will only happen after all previous notification
++        messages sent before this command have been processed. Hence, this command accompanied with a single
++        file descriptor can be used to synchronize against reception of all previous status messages. Note
++        that this command cannot be mixed with other notifications, and has to be sent in a separate message
++        to the service manager, otherwise all assignments will be ignored. Note that sending 0 or more than 1
++        file descriptor with this command is a violation of the protocol.</para></listitem>
        </varlistentry>
      </variablelist>
@@ -341,7 +342,7 @@
      <para><function>sd_notify_barrier()</function> allows the caller to
      synchronize against reception of previously sent notification messages
--    and uses the <literal>BARRIER=1</literal> command. It takes a relative
++    and uses the <varname>BARRIER=1</varname> command. It takes a relative
      <varname>timeout</varname> value in microseconds which is passed to
      <citerefentry><refentrytitle>ppoll</refentrytitle><manvolnum>2</manvolnum>
      </citerefentry>. A value of UINT64_MAX is interpreted as infinite timeout.
 diff --git a/man/system-or-user-ns.xml b/man/system-or-user-ns.xml
 index 01d1dd0..7a302d5 100644
 --- a/man/system-or-user-ns.xml
 +++ b/man/system-or-user-ns.xml
@@ -8,9 +8,9 @@
  <refsect1>
  <para id="singular">This option is only available for system services, or for services running in per-user
-- instances of the service manager when unprivileged user namespaces are available.</para>
++ instances of the service manager when <varname>PrivateUsers=</varname> is enabled.</para>
  <para id="plural">These options are only available for system services, or for services running in per-user
-- instances of the service manager when unprivileged user namespaces are available.</para>
++ instances of the service manager when <varname>PrivateUsers=</varname> is enabled.</para>
  </refsect1>
 diff --git a/man/systemctl.xml b/man/systemctl.xml
 index 963eb9e..64af099 100644
 --- a/man/systemctl.xml
 +++ b/man/systemctl.xml
@@ -196,32 +196,31 @@ Sun 2017-02-26 20:57:49 EST  2h 3min left  Sun 2017-02-26 11:56:36 EST  6h ago
              <option>-t</option>). If a PID is passed, show information
              about the unit the process belongs to.</para>
--            <para>This function is intended to generate human-readable
--            output. If you are looking for computer-parsable output,
--            use <command>show</command> instead. By default, this
--            function only shows 10 lines of output and ellipsizes
--            lines to fit in the terminal window. This can be changed
--            with <option>--lines</option> and <option>--full</option>,
--            see above. In addition, <command>journalctl
--            --unit=<replaceable>NAME</replaceable></command> or
--            <command>journalctl
--            --user-unit=<replaceable>NAME</replaceable></command> use
--            a similar filter for messages and might be more
--            convenient.
--            </para>
--
--            <para>systemd implicitly loads units as necessary, so just running the <command>status</command> will
--            attempt to load a file. The command is thus not useful for determining if something was already loaded or
--            not.  The units may possibly also be quickly unloaded after the operation is completed if there's no reason
--            to keep it in memory thereafter.
--            </para>
++            <para>This function is intended to generate human-readable output. If you are looking for
++            computer-parsable output, use <command>show</command> instead. By default, this function only
++            shows 10 lines of output and ellipsizes lines to fit in the terminal window. This can be changed
++            with <option>--lines</option> and <option>--full</option>, see above. In addition,
++            <command>journalctl --unit=<replaceable>NAME</replaceable></command> or <command>journalctl
++            --user-unit=<replaceable>NAME</replaceable></command> use a similar filter for messages and might
++            be more convenient.</para>
++
++            <para>Note that this operation only displays <emphasis>runtime</emphasis> status, i.e. information about
++            the current invocation of the unit (if it is running) or the most recent invocation (if it is not
++            running anymore, and has not been released from memory). Information about earlier invocations,
++            invocations from previous system boots, or prior invocations that have already been released from
++            memory may be retrieved via <command>journalctl --unit=</command>.</para>
++
++            <para>systemd implicitly loads units as necessary, so just running the <command>status</command>
++            will attempt to load a file. The command is thus not useful for determining if something was
++            already loaded or not.  The units may possibly also be quickly unloaded after the operation is
++            completed if there's no reason to keep it in memory thereafter.</para>
              <example>
                <title>Example output from systemctl status </title>
                <programlisting>$ systemctl status bluetooth
  ● bluetooth.service - Bluetooth service
--   Loaded: loaded (/usr/lib/systemd/system/bluetooth.service; enabled; vendor preset: enabled)
++   Loaded: loaded (/usr/lib/systemd/system/bluetooth.service; enabled; preset: enabled)
     Active: active (running) since Wed 2017-01-04 13:54:04 EST; 1 weeks 0 days ago
       Docs: man:bluetoothd(8)
   Main PID: 930 (bluetoothd)
@@ -237,29 +236,31 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: Current Time Service could not be
  Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output error (5)
  </programlisting>
--            <para>The dot ("●") uses color on supported terminals to summarize the unit state at a glance. Along with
--            its color, its shape varies according to its state: <literal>inactive</literal> or
--            <literal>maintenance</literal> is a white circle ("○"), <literal>active</literal> is a green dot ("●"),
--            <literal>deactivating</literal> is a white dot, <literal>failed</literal> or <literal>error</literal> is
--            a red cross ("×"), and <literal>reloading</literal> is a green clockwise circle arrow ("↻").
--            </para>
--
--            <para>The "Loaded:" line in the output will show <literal>loaded</literal> if the unit has been loaded into
--            memory. Other possible values for "Loaded:" include: <literal>error</literal> if there was a problem
--            loading it, <literal>not-found</literal> if no unit file was found for this unit,
--            <literal>bad-setting</literal> if an essential unit file setting could not be parsed and
--            <literal>masked</literal> if the unit file has been masked. Along with showing the path to the unit file,
--            this line will also show the enablement state.  Enabled commands start at boot.  See the full table of
--            possible enablement states — including the definition of <literal>masked</literal> — in the documentation
--            for the <command>is-enabled</command> command.
++            <para>The dot ("●") uses color on supported terminals to summarize the unit state at a
++            glance. Along with its color, its shape varies according to its state:
++            <literal>inactive</literal> or <literal>maintenance</literal> is a white circle ("○"),
++            <literal>active</literal> is a green dot ("●"), <literal>deactivating</literal> is a white dot,
++            <literal>failed</literal> or <literal>error</literal> is a red cross ("×"), and
++            <literal>reloading</literal> is a green clockwise circle arrow ("↻").</para>
++
++            <para>The "Loaded:" line in the output will show <literal>loaded</literal> if the unit has been
++            loaded into memory. Other possible values for "Loaded:" include: <literal>error</literal> if
++            there was a problem loading it, <literal>not-found</literal> if no unit file was found for this
++            unit, <literal>bad-setting</literal> if an essential unit file setting could not be parsed and
++            <literal>masked</literal> if the unit file has been masked. Along with showing the path to the
++            unit file, this line will also show the enablement state.  Enabled units are included in the
++            dependency network between units, and thus are started at boot or via some other form of
++            activation.  See the full table of possible enablement states — including the definition of
++            <literal>masked</literal> — in the documentation for the <command>is-enabled</command> command.
              </para>
              <para>The "Active:" line shows active state.  The value is usually <literal>active</literal> or
--            <literal>inactive</literal>. Active could mean started, bound, plugged in, etc depending on the unit type.
--            The unit could also be in process of changing states, reporting a state of <literal>activating</literal> or
--            <literal>deactivating</literal>. A special <literal>failed</literal> state is entered when the service
--            failed in some way, such as a crash, exiting with an error code or timing out. If the failed state is
--            entered the cause will be logged for later reference.</para>
++            <literal>inactive</literal>. Active could mean started, bound, plugged in, etc depending on the
++            unit type.  The unit could also be in process of changing states, reporting a state of
++            <literal>activating</literal> or <literal>deactivating</literal>. A special
++            <literal>failed</literal> state is entered when the service failed in some way, such as a crash,
++            exiting with an error code or timing out. If the failed state is entered the cause will be logged
++            for later reference.</para>
              </example>
            </listitem>
 diff --git a/man/systemd-creds.xml b/man/systemd-creds.xml
 index d803b5c..7592961 100644
 --- a/man/systemd-creds.xml
 +++ b/man/systemd-creds.xml
@@ -172,7 +172,7 @@
          <term><command>has-tpm2</command></term>
          <listitem><para>Reports whether the system is equipped with a TPM2 device usable for protecting
--        credentials. If the a TPM2 device has been discovered, is supported, and is being used by firmware,
++        credentials. If a TPM2 device has been discovered, is supported, and is being used by firmware,
          by the OS kernel drivers and by userspace (i.e. systemd) this prints <literal>yes</literal> and exits
          with exit status zero. If no such device is discovered/supported/used, prints
          <literal>no</literal>. Otherwise prints <literal>partial</literal>. In either of these two cases
 diff --git a/man/systemd-integritysetup-generator.xml b/man/systemd-integritysetup-generator.xml
 index 23eab01..44248b2 100644
 --- a/man/systemd-integritysetup-generator.xml
 +++ b/man/systemd-integritysetup-generator.xml
@@ -41,7 +41,7 @@
      <para>
        <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
        <citerefentry><refentrytitle>systemd-integritysetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
--      <citerefentry project='die-net'><refentrytitle>integritysetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
++      <citerefentry project='die-net'><refentrytitle>integritysetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
      </para>
    </refsect1>
 diff --git a/man/systemd-sysctl.service.xml b/man/systemd-sysctl.service.xml
 index 751aa2b..ea81084 100644
 --- a/man/systemd-sysctl.service.xml
 +++ b/man/systemd-sysctl.service.xml
@@ -122,7 +122,7 @@ kernel.core_pattern = |/usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t %P %I
      <para>
        <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
        <citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
--      <citerefentry project='man-pages'><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
++      <citerefentry project='man-pages'><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>
      </para>
    </refsect1>
 diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
 index 50c5c89..daa2249 100644
 --- a/man/systemd.exec.xml
 +++ b/man/systemd.exec.xml
@@ -819,13 +819,13 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
          <listitem><para>Set soft and hard limits on various resources for executed processes. See
          <citerefentry><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry> for
--        details on the resource limit concept. Resource limits may be specified in two formats: either as
--        single value to set a specific soft and hard limit to the same value, or as colon-separated pair
--        <option>soft:hard</option> to set both limits individually (e.g. <literal>LimitAS=4G:16G</literal>).
--        Use the string <option>infinity</option> to configure no limit on a specific resource. The
--        multiplicative suffixes K, M, G, T, P and E (to the base 1024) may be used for resource limits
--        measured in bytes (e.g. <literal>LimitAS=16G</literal>). For the limits referring to time values, the
--        usual time units ms, s, min, h and so on may be used (see
++        details on the process resource limit concept. Process resource limits may be specified in two formats:
++        either as single value to set a specific soft and hard limit to the same value, or as colon-separated
++        pair <option>soft:hard</option> to set both limits individually
++        (e.g. <literal>LimitAS=4G:16G</literal>).  Use the string <option>infinity</option> to configure no
++        limit on a specific resource. The multiplicative suffixes K, M, G, T, P and E (to the base 1024) may
++        be used for resource limits measured in bytes (e.g. <literal>LimitAS=16G</literal>). For the limits
++        referring to time values, the usual time units ms, s, min, h and so on may be used (see
          <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
          details). Note that if no time unit is specified for <varname>LimitCPU=</varname> the default unit of
          seconds is implied, while for <varname>LimitRTTIME=</varname> the default unit of microseconds is
@@ -875,15 +875,17 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
          <table>
            <title>Resource limit directives, their equivalent <command>ulimit</command> shell commands and the unit used</title>
--          <tgroup cols='3'>
++          <tgroup cols='4'>
              <colspec colname='directive' />
              <colspec colname='equivalent' />
              <colspec colname='unit' />
++            <colspec colname='notes' />
              <thead>
                <row>
                  <entry>Directive</entry>
                  <entry><command>ulimit</command> equivalent</entry>
                  <entry>Unit</entry>
++                <entry>Notes</entry>
                </row>
              </thead>
              <tbody>
@@ -891,81 +893,97 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
                  <entry>LimitCPU=</entry>
                  <entry>ulimit -t</entry>
                  <entry>Seconds</entry>
++                <entry>-</entry>
                </row>
                <row>
                  <entry>LimitFSIZE=</entry>
                  <entry>ulimit -f</entry>
                  <entry>Bytes</entry>
++                <entry>-</entry>
                </row>
                <row>
                  <entry>LimitDATA=</entry>
                  <entry>ulimit -d</entry>
                  <entry>Bytes</entry>
++                <entry>Don't use. This limits the allowed address range, not memory use! Defaults to unlimited and should not be lowered. To limit memory use, see <varname>MemoryMax=</varname> in <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</entry>
                </row>
                <row>
                  <entry>LimitSTACK=</entry>
                  <entry>ulimit -s</entry>
                  <entry>Bytes</entry>
++                <entry>-</entry>
                </row>
                <row>
                  <entry>LimitCORE=</entry>
                  <entry>ulimit -c</entry>
                  <entry>Bytes</entry>
++                <entry>-</entry>
                </row>
                <row>
                  <entry>LimitRSS=</entry>
                  <entry>ulimit -m</entry>
                  <entry>Bytes</entry>
++                <entry>Don't use. No effect on Linux.</entry>
                </row>
                <row>
                  <entry>LimitNOFILE=</entry>
                  <entry>ulimit -n</entry>
                  <entry>Number of File Descriptors</entry>
++                <entry>Don't use. Be careful when raising the soft limit above 1024, since <function>select()</function> cannot function with file descriptors above 1023 on Linux. Nowadays, the hard limit defaults to 524288, a very high value compared to historical defaults. Typically applications should increase their soft limit to the hard limit on their own, if they are OK with working with file descriptors above 1023, i.e. do not use <function>select()</function>. Note that file descriptors are nowadays accounted like any other form of memory, thus there should not be any need to lower the hard limit. Use <varname>MemoryMax=</varname> to control overall service memory use, including file descriptor memory.</entry>
                </row>
                <row>
                  <entry>LimitAS=</entry>
                  <entry>ulimit -v</entry>
                  <entry>Bytes</entry>
++                <entry>Don't use. This limits the allowed address range, not memory use! Defaults to unlimited and should not be lowered. To limit memory use, see <varname>MemoryMax=</varname> in <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</entry>
                </row>
                <row>
                  <entry>LimitNPROC=</entry>
                  <entry>ulimit -u</entry>
                  <entry>Number of Processes</entry>
++                <entry>This limit is enforced based on the number of processes belonging to the user. Typically it's better to track processes per service, i.e. use <varname>TasksMax=</varname>, see <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</entry>
                </row>
                <row>
                  <entry>LimitMEMLOCK=</entry>
                  <entry>ulimit -l</entry>
                  <entry>Bytes</entry>
++                <entry>-</entry>
                </row>
                <row>
                  <entry>LimitLOCKS=</entry>
                  <entry>ulimit -x</entry>
                  <entry>Number of Locks</entry>
++                <entry>-</entry>
                </row>
                <row>
                  <entry>LimitSIGPENDING=</entry>
                  <entry>ulimit -i</entry>
                  <entry>Number of Queued Signals</entry>
++                <entry>-</entry>
                </row>
                <row>
                  <entry>LimitMSGQUEUE=</entry>
                  <entry>ulimit -q</entry>
                  <entry>Bytes</entry>
++                <entry>-</entry>
                </row>
                <row>
                  <entry>LimitNICE=</entry>
                  <entry>ulimit -e</entry>
                  <entry>Nice Level</entry>
++                <entry>-</entry>
                </row>
                <row>
                  <entry>LimitRTPRIO=</entry>
                  <entry>ulimit -r</entry>
                  <entry>Realtime Priority</entry>
++                <entry>-</entry>
                </row>
                <row>
                  <entry>LimitRTTIME=</entry>
--                <entry>No equivalent</entry>
++                <entry>ulimit -R</entry>
                  <entry>Microseconds</entry>
++                <entry>-</entry>
                </row>
              </tbody>
            </tgroup>
@@ -2774,7 +2792,11 @@ SystemCallErrorNumber=EPERM</programlisting>
          writing text to stderr will not work. To mitigate this use the construct <command>echo "hello"
          >&amp;2</command> instead, which is mostly equivalent and avoids this pitfall.</para>
--        <para>This setting defaults to the value set with <varname>DefaultStandardOutput=</varname> in
++        <para>If <varname>StandardInput=</varname> is set to one of <option>tty</option>, <option>tty-force</option>,
++        <option>tty-fail</option>, <option>socket</option>, or <option>fd:<replaceable>name</replaceable></option>, this
++        setting defaults to <option>inherit</option>.</para>
++
++        <para>In other cases, this setting defaults to the value set with <varname>DefaultStandardOutput=</varname> in
          <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, which
          defaults to <option>journal</option>. Note that setting this parameter might result in additional dependencies
          to be added to the unit (see above).</para></listitem>
@@ -3635,7 +3657,7 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX
            <term><varname>$MONITOR_INVOCATION_ID</varname></term>
            <term><varname>$MONITOR_UNIT</varname></term>
--          <listitem><para>Only defined for the service unit type. Those environment variable are passed to
++          <listitem><para>Only defined for the service unit type. Those environment variables are passed to
            all <varname>ExecStart=</varname> and <varname>ExecStartPre=</varname> processes which run in
            services triggered by <varname>OnFailure=</varname> or <varname>OnSuccess=</varname> dependencies.
            </para>
@@ -3644,7 +3666,7 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX
            and <varname>$MONITOR_EXIT_STATUS</varname> take the same values as for
            <varname>ExecStop=</varname> and <varname>ExecStopPost=</varname> processes. Variables
            <varname>$MONITOR_INVOCATION_ID</varname> and <varname>$MONITOR_UNIT</varname> are set to the
--          invocaton id and unit name of the service which triggered the dependency.</para>
++          invocation id and unit name of the service which triggered the dependency.</para>
            <para>Note that when multiple services trigger the same unit, those variables will be
            <emphasis>not</emphasis> be passed. Consider using a template handler unit for that case instead:
 diff --git a/man/systemd.mount.xml b/man/systemd.mount.xml
 index 6d21d32..0b247c1 100644
 --- a/man/systemd.mount.xml
 +++ b/man/systemd.mount.xml
@@ -155,16 +155,14 @@
    <refsect1>
      <title><filename>fstab</filename></title>
--    <para>Mount units may either be configured via unit files, or via
--    <filename>/etc/fstab</filename> (see
++    <para>Mount units may either be configured via unit files, or via <filename>/etc/fstab</filename> (see
      <citerefentry project='man-pages'><refentrytitle>fstab</refentrytitle><manvolnum>5</manvolnum></citerefentry>
--    for details). Mounts listed in <filename>/etc/fstab</filename>
--    will be converted into native units dynamically at boot and when
--    the configuration of the system manager is reloaded. In general,
--    configuring mount points through <filename>/etc/fstab</filename>
--    is the preferred approach. See
--    <citerefentry><refentrytitle>systemd-fstab-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>
--    for details about the conversion.</para>
++    for details). Mounts listed in <filename>/etc/fstab</filename> will be converted into native units
++    dynamically at boot and when the configuration of the system manager is reloaded. In general, configuring
++    mount points through <filename>/etc/fstab</filename> is the preferred approach to manage mounts for
++    humans. For tooling, writing mount units should be preferred over editing <filename>/etc/fstab</filename>.
++    See <citerefentry><refentrytitle>systemd-fstab-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>
++    for details about the conversion from <filename>/etc/fstab</filename> to mount units.</para>
      <para>The NFS mount option <option>bg</option> for NFS background mounts
      as documented in <citerefentry project='man-pages'><refentrytitle>nfs</refentrytitle><manvolnum>5</manvolnum></citerefentry>
 diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml
 index 3a776b3..b197f33 100644
 --- a/man/systemd.netdev.xml
 +++ b/man/systemd.netdev.xml
@@ -2199,7 +2199,7 @@
          <term><varname>PhysicalDevice=</varname></term>
          <listitem>
            <para>Specifies the name or index of the physical WLAN device (e.g. <literal>0</literal> or
--          <literal>phy0</literal>). The list of the physical WLAN devices that exist os the host can be
++          <literal>phy0</literal>). The list of the physical WLAN devices that exist on the host can be
            obtained by <command>iw phy</command> command. This option is mandatory.</para>
          </listitem>
        </varlistentry>
 diff --git a/man/systemd.network.xml b/man/systemd.network.xml
 index c2ce1b1..3b29905 100644
 --- a/man/systemd.network.xml
 +++ b/man/systemd.network.xml
@@ -1103,9 +1103,9 @@ Table=1234</programlisting></para>
            IGMP snooping since the switch would not replicate multicast packets on  ports that did not
            have IGMP reports for the multicast addresses. Linux vxlan interfaces created via
            <command>ip link add vxlan</command> or networkd's netdev kind vxlan have the group option
--          that enables then to do the required join. By extending ip address command with option
--          <literal>autojoin</literal> we can get similar functionality for openvswitch (OVS) vxlan
--          interfaces as well as other tunneling mechanisms that need to receive multicast traffic.
++          that enables them to do the required join. By extending <command>ip address</command> command
++          with option <literal>autojoin</literal> we can get similar functionality for openvswitch (OVS)
++          vxlan interfaces as well as other tunneling mechanisms that need to receive multicast traffic.
            Defaults to <literal>no</literal>.</para>
          </listitem>
        </varlistentry>
@@ -1487,7 +1487,7 @@ Table=1234</programlisting></para>
            <para>For IPv4 route, defaults to <literal>host</literal> if <varname>Type=</varname> is
            <literal>local</literal> or <literal>nat</literal>, and <literal>link</literal> if
            <varname>Type=</varname> is <literal>broadcast</literal>, <literal>multicast</literal>,
--          <literal>anycast</literal>, or direct <literal>unicast</literal> routes. In other cases,
++          <literal>anycast</literal>, or <literal>unicast</literal>. In other cases,
            defaults to <literal>global</literal>. The value is not used for IPv6.</para>
          </listitem>
        </varlistentry>
@@ -2534,7 +2534,7 @@ Token=prefixstable:2002:da8:1::</programlisting></para>
        <varlistentry>
          <term><varname>ServerAddress=</varname></term>
          <listitem><para>Specifies server address for the DHCP server. Takes an IPv4 address with prefix
--        length, for example <literal>192.168.0.1/24</literal>. This setting may be useful when the link on
++        length, for example 192.168.0.1/24. This setting may be useful when the link on
          which the DHCP server is running has multiple static addresses. When unset, one of static addresses
          in the link will be automatically selected. Defaults to unset.</para></listitem>
        </varlistentry>
@@ -2956,7 +2956,7 @@ Token=prefixstable:2002:da8:1::</programlisting></para>
          <listitem><para>The IPv6 route that is to be distributed to hosts.  Similarly to configuring static
          IPv6 routes, the setting is configured as an IPv6 prefix routes and its prefix route length,
--        separated by a <literal>/</literal> character. Use multiple [IPv6PrefixRoutes] sections to configure
++        separated by a <literal>/</literal> character. Use multiple [IPv6RoutePrefix] sections to configure
          multiple IPv6 prefix routes.</para></listitem>
        </varlistentry>
 diff --git a/man/sysupdate.d.xml b/man/sysupdate.d.xml
 index 03d27b9..d57fbf0 100644
 --- a/man/sysupdate.d.xml
 +++ b/man/sysupdate.d.xml
@@ -76,7 +76,7 @@
        <listitem><para>Similarly, a file <literal>https://download.example.com/foobarOS_47.verity.xz</literal>
        should be downloaded, decompressed and written to a previously empty partition with GPT partition type
--      UUID of 2c7357ed-ebd2-46d9-aec1-23d437ec2bf5 (i.e the partition type for Verity integrity information
++      UUID of 2c7357ed-ebd2-46d9-aec1-23d437ec2bf5 (i.e. the partition type for Verity integrity information
        for x86-64 root file systems).</para></listitem>
        <listitem><para>Finally, a file <literal>https://download.example.com/foobarOS_47.efi.xz</literal> (a
@@ -117,7 +117,7 @@
      <itemizedlist>
        <listitem><para>For partitions: the surrounding GPT partition table contains a list of defined
        partitions, including a partition type UUID and a partition label (in this scheme the partition label
--      plays a role for the partition similar to the filename for a regular file)</para></listitem>
++      plays a role for the partition similar to the filename for a regular file).</para></listitem>
        <listitem><para>For regular files: the directory listing of the directory the files are contained in
        provides a list of existing files in a straightforward way.</para></listitem>
@@ -369,7 +369,7 @@
              <entry><literal>@r</literal></entry>
              <entry>Read-only flag</entry>
              <entry>Either <literal>0</literal> or <literal>1</literal></entry>
--            <entry>Controls ReadOnly bit of the GPT partition flags, as per <ulink url="https://systemd.io/DISCOVERABLE_PARTITIONS">Discoverable Partitions Specification</ulink> and other output read-only flags, see <varname>ReadOnly=</varname> below.</entry>
++            <entry>Controls ReadOnly bit of the GPT partition flags, as per <ulink url="https://systemd.io/DISCOVERABLE_PARTITIONS">Discoverable Partitions Specification</ulink> and other output read-only flags, see <varname>ReadOnly=</varname> below</entry>
            </row>
            <row>
@@ -404,14 +404,14 @@
              <entry><literal>@l</literal></entry>
              <entry>Tries left</entry>
              <entry>Formatted decimal integer</entry>
--            <entry>Useful when operating with kernel images, as per <ulink url="https://systemd.io/AUTOMATIC_BOOT_ASSESSMENT">Automatic Boot Assessment</ulink></entry>
++            <entry>Useful when operating with kernel image files, as per <ulink url="https://systemd.io/AUTOMATIC_BOOT_ASSESSMENT">Automatic Boot Assessment</ulink></entry>
            </row>
            <row>
              <entry><literal>@h</literal></entry>
              <entry>SHA256 hash of compressed file</entry>
              <entry>64 hexadecimal characters</entry>
--            <entry>The SHA256 hash of the compressed file; not useful for <constant>url-file</constant> or <constant>url-tar</constant> where the SHA256 hash is already included in the manifest file anyway.</entry>
++            <entry>The SHA256 hash of the compressed file; not useful for <constant>url-file</constant> or <constant>url-tar</constant> where the SHA256 hash is already included in the manifest file anyway</entry>
            </row>
          </tbody>
        </tgroup>
@@ -432,7 +432,7 @@
    <refsect1>
      <title>[Transfer] Section Options</title>
--    <para>This section defines general properties of this transfer.</para>
++    <para>This section defines general properties of this transfer:</para>
      <variablelist>
        <varlistentry>
@@ -555,8 +555,8 @@
          <listitem><para>Specifies a file system path where to look for already installed versions or place
          newly downloaded versions of this configured resource. If <varname>Type=</varname> is set to
          <constant>partition</constant>, expects a path to a (whole) block device node, or the special string
--        <literal>auto</literal> in which case the block device the root file system of the currently booted
--        system is automatically determined and used. If <varname>Type=</varname> is set to
++        <literal>auto</literal> in which case the block device which contains the root file system of the
++        currently booted system is automatically determined and used. If <varname>Type=</varname> is set to
          <constant>regular-file</constant>, <constant>directory</constant> or <constant>subvolume</constant>,
          must refer to a path in the local file system referencing the directory to find or place the version
          files or directories under.</para>
@@ -818,7 +818,7 @@ Path=https://download.example.com/
  MatchPattern=foobarOS_@v.efi.xz
  [Target]
--Type=file
++Type=regular-file
  Path=/efi/EFI/Linux
  MatchPattern=foobarOS_@v+@l-@d.efi \
               foobarOS_@v+@l.efi \
@@ -831,7 +831,7 @@ InstancesMax=2</programlisting></para>
          <para>The above installs a unified kernel image into the ESP (which is mounted to
          <filename>/efi/</filename>), as per <ulink url="https://systemd.io/BOOT_LOADER_SPECIFICATION">Boot
          Loader Specification</ulink> Type #2. This defines three possible patterns for the names of the
--        kernel images images, as per <ulink url="https://systemd.io/AUTOMATIC_BOOT_ASSESSMENT">Automatic Boot
++        kernel images, as per <ulink url="https://systemd.io/AUTOMATIC_BOOT_ASSESSMENT">Automatic Boot
          Assessment</ulink>, and ensures when installing new kernels, they are set up with 3 tries left. No
          more than two parallel kernels are kept.</para>
 diff --git a/man/udevadm.xml b/man/udevadm.xml
 index 3a9b133..89ebfbd 100644
 --- a/man/udevadm.xml
 +++ b/man/udevadm.xml
@@ -802,7 +802,8 @@
        <para><command>udevadm lock</command> takes an (advisory) exclusive lock(s) on a block device (or
        multiple thereof), as per <ulink url="https://systemd.io/BLOCK_DEVICE_LOCKING">Locking Block Device
        Access</ulink> and invokes a program with the lock(s) taken. When the invoked program exits the lock(s)
--      are automatically released.</para>
++      are automatically released and its return value is propagated as exit code of <command>udevadm
++      lock</command>.</para>
        <para>This tool is in particular useful to ensure that
        <citerefentry><refentrytitle>systemd-udevd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
 diff --git a/meson.build b/meson.build
 index 36cbfa4..dbba108 100644
 --- a/meson.build
 +++ b/meson.build
@@ -169,6 +169,7 @@ pkgsysconfdir = sysconfdir / 'systemd'
  userunitdir = prefixdir / 'lib/systemd/user'
  userpresetdir = prefixdir / 'lib/systemd/user-preset'
  tmpfilesdir = prefixdir / 'lib/tmpfiles.d'
++usertmpfilesdir = prefixdir / 'share/user-tmpfiles.d'
  sysusersdir = prefixdir / 'lib/sysusers.d'
  sysctldir = prefixdir / 'lib/sysctl.d'
  binfmtdir = prefixdir / 'lib/binfmt.d'
@@ -278,6 +279,7 @@ conf.set_quoted('SYSTEM_SYSVINIT_PATH',                       sysvinit_path)
  conf.set_quoted('SYSTEM_SYSVRCND_PATH',                       sysvrcnd_path)
  conf.set_quoted('SYSUSERS_DIR',                               sysusersdir)
  conf.set_quoted('TMPFILES_DIR',                               tmpfilesdir)
++conf.set_quoted('USER_TMPFILES_DIR',                          usertmpfilesdir)
  conf.set_quoted('UDEVLIBEXECDIR',                             udevlibexecdir)
  conf.set_quoted('UDEV_HWDB_DIR',                              udevhwdbdir)
  conf.set_quoted('UDEV_RULES_DIR',                             udevrulesdir)
@@ -479,7 +481,6 @@ decl_headers = '''
  #include <uchar.h>
  #include <sys/mount.h>
  #include <sys/stat.h>
--#include <linux/fs.h>
  '''
  foreach decl : ['char16_t',
@@ -491,6 +492,17 @@ foreach decl : ['char16_t',
          # We get -1 if the size cannot be determined
          have = cc.sizeof(decl, prefix : decl_headers, args : '-D_GNU_SOURCE') > 0
++        if decl == 'struct mount_attr'
++                if have
++                        want_linux_fs_h = false
++                else
++                        have = cc.sizeof(decl,
++                                         prefix : decl_headers + '#include <linux/fs.h>',
++                                         args : '-D_GNU_SOURCE') > 0
++                        want_linux_fs_h = have
++                endif
++        endif
++
          if decl == 'struct statx'
                  if have
                          want_linux_stat_h = false
@@ -506,6 +518,7 @@ foreach decl : ['char16_t',
  endforeach
  conf.set10('WANT_LINUX_STAT_H', want_linux_stat_h)
++conf.set10('WANT_LINUX_FS_H', want_linux_fs_h)
  foreach ident : ['secure_getenv', '__secure_getenv']
          conf.set10('HAVE_' + ident.to_upper(), cc.has_function(ident))
@@ -2171,7 +2184,7 @@ public_programs += executable(
          dependencies : [versiondep,
                          libseccomp],
          install_rpath : rootlibexecdir,
--        install : conf.get('ENABLE_ANALYZE'))
++        install : conf.get('ENABLE_ANALYZE') == 1)
  executable(
          'systemd-journald',
 diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c
 index 5b4d4ca..9255f4c 100644
 --- a/src/analyze/analyze-security.c
 +++ b/src/analyze/analyze-security.c
@@ -105,7 +105,7 @@ typedef struct SecurityInfo {
          Set *system_call_architectures;
          bool system_call_filter_allow_list;
--        Hashmap *system_call_filter;
++        Set *system_call_filter;
          mode_t _umask;
  } SecurityInfo;
@@ -172,8 +172,7 @@ static SecurityInfo *security_info_free(SecurityInfo *i) {
          strv_free(i->supplementary_groups);
          set_free(i->system_call_architectures);
--
--        hashmap_free(i->system_call_filter);
++        set_free(i->system_call_filter);
          return mfree(i);
+ }
@@ -567,12 +566,10 @@ static int assess_system_call_architectures(
          return 0;
+ }
--static bool syscall_names_in_filter(Hashmap *s, bool allow_list, const SyscallFilterSet *f, const char **ret_offending_syscall) {
++static bool syscall_names_in_filter(Set *s, bool allow_list, const SyscallFilterSet *f, const char **ret_offending_syscall) {
          const char *syscall;
          NULSTR_FOREACH(syscall, f->value) {
--                int id;
--
                  if (syscall[0] == '@') {
                          const SyscallFilterSet *g;
@@ -584,11 +581,10 @@ static bool syscall_names_in_filter(Hashmap *s, bool allow_list, const SyscallFi
+                 }
                  /* Let's see if the system call actually exists on this platform, before complaining */
--                id = seccomp_syscall_resolve_name(syscall);
--                if (id < 0)
++                if (seccomp_syscall_resolve_name(syscall) < 0)
                          continue;
--                if (hashmap_contains(s, syscall) != allow_list) {
++                if (set_contains(s, syscall) == allow_list) {
                          log_debug("Offending syscall filter item: %s", syscall);
                          if (ret_offending_syscall)
                                  *ret_offending_syscall = syscall;
@@ -619,7 +615,7 @@ static int assess_system_call_filter(
          uint64_t b;
          int r;
--        if (!info->system_call_filter_allow_list && hashmap_isempty(info->system_call_filter)) {
++        if (!info->system_call_filter_allow_list && set_isempty(info->system_call_filter)) {
                  r = free_and_strdup(&d, "Service does not filter system calls");
                  b = 10;
          } else {
@@ -2139,9 +2135,8 @@ static int property_read_system_call_filter(
                  if (r == 0)
                          break;
--                /* The actual ExecContext stores the system call id as the map value, which we don't
--                 * need. So we assign NULL to all values here. */
--                r = hashmap_put_strdup(&info->system_call_filter, name, NULL);
++                /* ignore errno or action after colon */
++                r = set_put_strndup(&info->system_call_filter, name, strchrnul(name, ':') - name);
                  if (r < 0)
                          return r;
+         }
@@ -2589,14 +2584,24 @@ static int get_security_info(Unit *u, ExecContext *c, CGroupContext *g, Security
                          if (set_put_strdup(&info->system_call_architectures, name) < 0)
                                  return log_oom();
+                 }
--#endif
                  info->system_call_filter_allow_list = c->syscall_allow_list;
--                if (c->syscall_filter) {
--                        info->system_call_filter = hashmap_copy(c->syscall_filter);
--                        if (!info->system_call_filter)
++
++                void *id, *num;
++                HASHMAP_FOREACH_KEY(num, id, c->syscall_filter) {
++                        _cleanup_free_ char *name = NULL;
++
++                        if (info->system_call_filter_allow_list && PTR_TO_INT(num) >= 0)
++                                continue;
++
++                        name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
++                        if (!name)
++                                continue;
++
++                        if (set_ensure_consume(&info->system_call_filter, &string_hash_ops_free, TAKE_PTR(name)) < 0)
                                  return log_oom();
+                 }
++#endif
+         }
          if (g) {
 diff --git a/src/basic/fd-util.c b/src/basic/fd-util.c
 index 6c1de92..00591d6 100644
 --- a/src/basic/fd-util.c
 +++ b/src/basic/fd-util.c
@@ -3,7 +3,9 @@
  #include <errno.h>
  #include <fcntl.h>
  #include <linux/btrfs.h>
++#if WANT_LINUX_FS_H
  #include <linux/fs.h>
++#endif
  #include <linux/magic.h>
  #include <sys/ioctl.h>
  #include <sys/resource.h>
 diff --git a/src/basic/gcrypt-util.c b/src/basic/gcrypt-util.c
 index 64c63cd..41c9362 100644
 --- a/src/basic/gcrypt-util.c
 +++ b/src/basic/gcrypt-util.c
@@ -9,12 +9,14 @@ void initialize_libgcrypt(bool secmem) {
          if (gcry_control(GCRYCTL_INITIALIZATION_FINISHED_P))
                  return;
++        gcry_control(GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_SYSTEM);
          assert_se(gcry_check_version("1.4.5"));
          /* Turn off "secmem". Clients which wish to make use of this
           * feature should initialize the library manually */
          if (!secmem)
                  gcry_control(GCRYCTL_DISABLE_SECMEM);
++
          gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
+ }
 diff --git a/src/basic/hashmap.c b/src/basic/hashmap.c
 index e33d6c3..62380b0 100644
 --- a/src/basic/hashmap.c
 +++ b/src/basic/hashmap.c
@@ -1842,7 +1842,7 @@ int _hashmap_put_strdup_full(Hashmap **h, const struct hash_ops *hash_ops, const
          return r;
+ }
--int _set_put_strdup_full(Set **s, const struct hash_ops *hash_ops, const char *p  HASHMAP_DEBUG_PARAMS) {
++int _set_put_strndup_full(Set **s, const struct hash_ops *hash_ops, const char *p, size_t n  HASHMAP_DEBUG_PARAMS) {
          char *c;
          int r;
@@ -1853,10 +1853,13 @@ int _set_put_strdup_full(Set **s, const struct hash_ops *hash_ops, const char *p
          if (r < 0)
                  return r;
--        if (set_contains(*s, (char*) p))
--                return 0;
++        if (n == SIZE_MAX) {
++                if (set_contains(*s, (char*) p))
++                        return 0;
--        c = strdup(p);
++                c = strdup(p);
++        } else
++                c = strndup(p, n);
          if (!c)
                  return -ENOMEM;
@@ -1869,7 +1872,7 @@ int _set_put_strdupv_full(Set **s, const struct hash_ops *hash_ops, char **l  HA
          assert(s);
          STRV_FOREACH(i, l) {
--                r = _set_put_strdup_full(s, hash_ops, *i  HASHMAP_DEBUG_PASS_ARGS);
++                r = _set_put_strndup_full(s, hash_ops, *i, SIZE_MAX  HASHMAP_DEBUG_PASS_ARGS);
                  if (r < 0)
                          return r;
 diff --git a/src/basic/missing_fs.h b/src/basic/missing_fs.h
 index 0cacd49..6638d76 100644
 --- a/src/basic/missing_fs.h
 +++ b/src/basic/missing_fs.h
@@ -64,3 +64,8 @@
  #ifndef FS_PROJINHERIT_FL
  #define FS_PROJINHERIT_FL 0x20000000
  #endif
++
++/* linux/fscrypt.h */
++#ifndef FS_KEY_DESCRIPTOR_SIZE
++#define FS_KEY_DESCRIPTOR_SIZE 8
++#endif
 diff --git a/src/basic/set.h b/src/basic/set.h
 index 243a747..52cf63e 100644
 --- a/src/basic/set.h
 +++ b/src/basic/set.h
@@ -127,9 +127,12 @@ int _set_ensure_consume(Set **s, const struct hash_ops *hash_ops, void *key  HAS
  int set_consume(Set *s, void *value);
--int _set_put_strdup_full(Set **s, const struct hash_ops *hash_ops, const char *p  HASHMAP_DEBUG_PARAMS);
--#define set_put_strdup_full(s, hash_ops, p) _set_put_strdup_full(s, hash_ops, p  HASHMAP_DEBUG_SRC_ARGS)
--#define set_put_strdup(s, p) set_put_strdup_full(s, &string_hash_ops_free, p)
++int _set_put_strndup_full(Set **s, const struct hash_ops *hash_ops, const char *p, size_t n  HASHMAP_DEBUG_PARAMS);
++#define set_put_strndup_full(s, hash_ops, p, n) _set_put_strndup_full(s, hash_ops, p, n  HASHMAP_DEBUG_SRC_ARGS)
++#define set_put_strdup_full(s, hash_ops, p) set_put_strndup_full(s, hash_ops, p, SIZE_MAX)
++#define set_put_strndup(s, p, n) set_put_strndup_full(s, &string_hash_ops_free, p, n)
++#define set_put_strdup(s, p) set_put_strndup(s, p, SIZE_MAX)
++
  int _set_put_strdupv_full(Set **s, const struct hash_ops *hash_ops, char **l  HASHMAP_DEBUG_PARAMS);
  #define set_put_strdupv_full(s, hash_ops, l) _set_put_strdupv_full(s, hash_ops, l  HASHMAP_DEBUG_SRC_ARGS)
  #define set_put_strdupv(s, l) set_put_strdupv_full(s, &string_hash_ops_free, l)
 diff --git a/src/basic/stat-util.c b/src/basic/stat-util.c
 index 64c2f80..c31b4d8 100644
 --- a/src/basic/stat-util.c
 +++ b/src/basic/stat-util.c
@@ -35,31 +35,23 @@ int is_symlink(const char *path) {
          return !!S_ISLNK(info.st_mode);
+ }
--int is_dir(const char* path, bool follow) {
++int is_dir_full(int atfd, const char* path, bool follow) {
          struct stat st;
          int r;
--        assert(path);
++        assert(atfd >= 0 || atfd == AT_FDCWD);
++        assert(atfd >= 0 || path);
--        if (follow)
--                r = stat(path, &st);
++        if (path)
++                r = fstatat(atfd, path, &st, follow ? 0 : AT_SYMLINK_NOFOLLOW);
          else
--                r = lstat(path, &st);
++                r = fstat(atfd, &st);
          if (r < 0)
                  return -errno;
          return !!S_ISDIR(st.st_mode);
+ }
--int is_dir_fd(int fd) {
--        struct stat st;
--
--        if (fstat(fd, &st) < 0)
--                return -errno;
--
--        return !!S_ISDIR(st.st_mode);
--}
--
  int is_device_node(const char *path) {
          struct stat info;
 diff --git a/src/basic/stat-util.h b/src/basic/stat-util.h
 index 7f0b3dc..56f1553 100644
 --- a/src/basic/stat-util.h
 +++ b/src/basic/stat-util.h
@@ -13,8 +13,13 @@
  #include "missing_stat.h"
  int is_symlink(const char *path);
--int is_dir(const char *path, bool follow);
--int is_dir_fd(int fd);
++int is_dir_full(int atfd, const char *fname, bool follow);
++static inline int is_dir(const char *path, bool follow) {
++        return is_dir_full(AT_FDCWD, path, follow);
++}
++static inline int is_dir_fd(int fd) {
++        return is_dir_full(fd, NULL, false);
++}
  int is_device_node(const char *path);
  int dir_is_empty_at(int dir_fd, const char *path, bool ignore_hidden_or_backup);
 diff --git a/src/basic/time-util.c b/src/basic/time-util.c
 index c309369..0ad8de4 100644
 --- a/src/basic/time-util.c
 +++ b/src/basic/time-util.c
@@ -591,7 +591,7 @@ char *format_timespan(char *buf, size_t l, usec_t t, usec_t accuracy) {
                          t = b;
+                 }
--                n = MIN((size_t) k, l);
++                n = MIN((size_t) k, l-1);
                  l -= n;
                  p += n;
 diff --git a/src/basic/unit-file.c b/src/basic/unit-file.c
 index 83c29bb..bfe8c02 100644
 --- a/src/basic/unit-file.c
 +++ b/src/basic/unit-file.c
@@ -695,12 +695,9 @@ static int add_names(
                                  continue;
+                         }
--                        r = set_consume(*names, TAKE_PTR(inst));
--                        if (r > 0)
--                                log_debug("Unit %s has alias %s.", unit_name, inst);
++                        r = add_name(unit_name, names, inst);
                  } else
                          r = add_name(unit_name, names, *alias);
--
                  if (r < 0)
                          return r;
+         }
 diff --git a/src/basic/virt.c b/src/basic/virt.c
 index c7ae2af..74e4ea8 100644
 --- a/src/basic/virt.c
 +++ b/src/basic/virt.c
@@ -158,6 +158,7 @@ static Virtualization detect_vm_dmi_vendor(void) {
          } dmi_vendor_table[] = {
                  { "KVM",                 VIRTUALIZATION_KVM       },
                  { "OpenStack",           VIRTUALIZATION_KVM       }, /* Detect OpenStack instance as KVM in non x86 architecture */
++                { "KubeVirt",            VIRTUALIZATION_KVM       }, /* Detect KubeVirt instance as KVM in non x86 architecture */
                  { "Amazon EC2",          VIRTUALIZATION_AMAZON    },
                  { "QEMU",                VIRTUALIZATION_QEMU      },
                  { "VMware",              VIRTUALIZATION_VMWARE    }, /* https://kb.vmware.com/s/article/1009458 */
@@ -436,18 +437,22 @@ Virtualization detect_vm(void) {
          /* We have to use the correct order here:
+          *
--         * → First, try to detect Oracle Virtualbox and Amazon EC2 Nitro, even if they use KVM, as well as Xen even if
--         *   it cloaks as Microsoft Hyper-V. Attempt to detect uml at this stage also since it runs as a user-process
--         *   nested inside other VMs. Also check for Xen now, because Xen PV mode does not override CPUID when nested
--         *   inside another hypervisor.
++         * → First, try to detect Oracle Virtualbox, Amazon EC2 Nitro, and Parallels, even if they use KVM,
++         *   as well as Xen even if it cloaks as Microsoft Hyper-V. Attempt to detect uml at this stage also
++         *   since it runs as a user-process nested inside other VMs. Also check for Xen now, because Xen PV
++         *   mode does not override CPUID when nested inside another hypervisor.
+          *
--         * → Second, try to detect from CPUID, this will report KVM for whatever software is used even if info in DMI is
--         *   overwritten.
++         * → Second, try to detect from CPUID, this will report KVM for whatever software is used even if
++         *   info in DMI is overwritten.
+          *
           * → Third, try to detect from DMI. */
          dmi = detect_vm_dmi();
--        if (IN_SET(dmi, VIRTUALIZATION_ORACLE, VIRTUALIZATION_XEN, VIRTUALIZATION_AMAZON)) {
++        if (IN_SET(dmi,
++                   VIRTUALIZATION_ORACLE,
++                   VIRTUALIZATION_XEN,
++                   VIRTUALIZATION_AMAZON,
++                   VIRTUALIZATION_PARALLELS)) {
                  v = dmi;
                  goto finish;
+         }
 diff --git a/src/boot/efi/meson.build b/src/boot/efi/meson.build
 index 299a01b..370ae97 100644
 --- a/src/boot/efi/meson.build
 +++ b/src/boot/efi/meson.build
@@ -200,6 +200,12 @@ efi_cflags = cc.get_supported_arguments(
          '-include', version_h,
+ ]
++# On some distros, sd-boot/-stub may trigger some bug somewhere that will cause
++# kernel execution to fail. The cause seems to be purely based on code size and
++# always compiling with at least -O1 will work around that.
++# https://github.com/systemd/systemd/issues/24202
++efi_cflags += '-O1'
++
  efi_cflags += cc.get_supported_arguments({
          'ia32':   ['-mno-sse', '-mno-mmx'],
          'x86_64': ['-mno-red-zone', '-mno-sse', '-mno-mmx'],
@@ -260,6 +266,13 @@ efi_ldflags = [
          '-z', 'nocombreloc',
          efi_crt0,
+ ]
++
++possible_link_flags = [
++        '-Wl,--no-warn-execstack',
++        '-Wl,--no-warn-rwx-segments',
++]
++efi_ldflags += cc.get_supported_link_arguments(possible_link_flags)
++
  if efi_arch[1] in ['aarch64', 'arm', 'riscv64']
          efi_ldflags += ['-shared']
          # Aarch64, ARM32 and 64bit RISC-V don't have an EFI capable objcopy.
 diff --git a/src/boot/efi/xbootldr.c b/src/boot/efi/xbootldr.c
 index 793e394..f73b5ee 100644
 --- a/src/boot/efi/xbootldr.c
 +++ b/src/boot/efi/xbootldr.c
@@ -35,7 +35,7 @@ static BOOLEAN verify_gpt(union GptHeaderBuffer *gpt_header_buffer, EFI_LBA lba_
          h = &gpt_header_buffer->gpt_header;
          /* Some superficial validation of the GPT header */
--        if (CompareMem(&h->Header.Signature, "EFI PART", sizeof(h->Header.Signature) != 0))
++        if (CompareMem(&h->Header.Signature, "EFI PART", sizeof(h->Header.Signature)) != 0)
                  return FALSE;
          if (h->Header.HeaderSize < 92 || h->Header.HeaderSize > 512)
 diff --git a/src/cgroups-agent/cgroups-agent.c b/src/cgroups-agent/cgroups-agent.c
 index 071cba3..9126736 100644
 --- a/src/cgroups-agent/cgroups-agent.c
 +++ b/src/cgroups-agent/cgroups-agent.c
@@ -16,6 +16,13 @@ int main(int argc, char *argv[]) {
          _cleanup_close_ int fd = -1;
          ssize_t n;
          size_t l;
++        int r;
++
++        r = rearrange_stdio(-1, -1, -1);
++        if (r < 0) {
++                log_error_errno(r, "Failed to connect stdin/stdout/stderr with /dev/null: %m");
++                return EXIT_FAILURE;
++        }
          if (argc != 2) {
                  log_error("Incorrect number of arguments.");
 diff --git a/src/core/bpf/restrict_ifaces/restrict-ifaces.bpf.c b/src/core/bpf/restrict_ifaces/restrict-ifaces.bpf.c
 index 347a3a8..6c960b8 100644
 --- a/src/core/bpf/restrict_ifaces/restrict-ifaces.bpf.c
 +++ b/src/core/bpf/restrict_ifaces/restrict-ifaces.bpf.c
@@ -6,7 +6,7 @@
  #include <linux/bpf.h>
  #include <bpf/bpf_helpers.h>
--const volatile __u8 is_allow_list = 0;
++const volatile __u8 is_allow_list SEC(".rodata") = 0;
  /* Map containing the network interfaces indexes.
   * The interpretation of the map depends on the value of is_allow_list.
 diff --git a/src/core/dbus.c b/src/core/dbus.c
 index 073675c..ad2230d 100644
 --- a/src/core/dbus.c
 +++ b/src/core/dbus.c
@@ -42,6 +42,7 @@
  #include "string-util.h"
  #include "strv.h"
  #include "strxcpyx.h"
++#include "umask-util.h"
  #include "user-util.h"
  #define CONNECTIONS_MAX 4096
@@ -950,7 +951,8 @@ int bus_init_private(Manager *m) {
          if (fd < 0)
                  return log_error_errno(errno, "Failed to allocate private socket: %m");
--        r = bind(fd, &sa.sa, sa_len);
++        RUN_WITH_UMASK(0077)
++                r = bind(fd, &sa.sa, sa_len);
          if (r < 0)
                  return log_error_errno(errno, "Failed to bind private socket: %m");
 diff --git a/src/core/import-creds.c b/src/core/import-creds.c
 index 8b87434..5379648 100644
 --- a/src/core/import-creds.c
 +++ b/src/core/import-creds.c
@@ -226,7 +226,7 @@ static int import_credentials_boot(void) {
                          if (nfd == -EEXIST)
                                  continue;
                          if (nfd < 0)
--                                return r;
++                                return nfd;
                          r = copy_bytes(cfd, nfd, st.st_size, 0);
                          if (r < 0) {
@@ -325,7 +325,7 @@ static int proc_cmdline_callback(const char *key, const char *value, void *data)
          if (nfd == -EEXIST)
                  return 0;
          if (nfd < 0)
--                return r;
++                return nfd;
          r = loop_write(nfd, colon, l, /* do_poll= */ false);
          if (r < 0) {
@@ -417,7 +417,7 @@ static int import_credentials_qemu(ImportCredentialContext *c) {
                  rfd = openat(vfd, "raw", O_RDONLY|O_CLOEXEC);
                  if (rfd < 0) {
--                        log_warning_errno(r, "Failed to open '" QEMU_FWCFG_PATH "'/%s/raw, ignoring: %m", d->d_name);
++                        log_warning_errno(errno, "Failed to open '" QEMU_FWCFG_PATH "'/%s/raw, ignoring: %m", d->d_name);
                          continue;
+                 }
@@ -429,7 +429,7 @@ static int import_credentials_qemu(ImportCredentialContext *c) {
                  if (nfd == -EEXIST)
                          continue;
                  if (nfd < 0)
--                        return r;
++                        return nfd;
                  r = copy_bytes(rfd, nfd, sz, 0);
                  if (r < 0) {
 diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
 index 3ff6eae..11991ec 100644
 --- a/src/core/load-fragment.c
 +++ b/src/core/load-fragment.c
@@ -4211,11 +4211,16 @@ int config_parse_io_device_weight(
          r = extract_first_word(&p, &path, NULL, EXTRACT_UNQUOTE);
          if (r == -ENOMEM)
                  return log_oom();
--        if (r <= 0 || isempty(p)) {
++        if (r < 0) {
                  log_syntax(unit, LOG_WARNING, filename, line, r,
                             "Failed to extract device path and weight from '%s', ignoring.", rvalue);
                  return 0;
+         }
++        if (r == 0 || isempty(p)) {
++                log_syntax(unit, LOG_WARNING, filename, line, 0,
++                           "Invalid device path or weight specified in '%s', ignoring.", rvalue);
++                return 0;
++        }
          r = unit_path_printf(userdata, path, &resolved);
          if (r < 0) {
@@ -4280,11 +4285,16 @@ int config_parse_io_device_latency(
          r = extract_first_word(&p, &path, NULL, EXTRACT_UNQUOTE);
          if (r == -ENOMEM)
                  return log_oom();
--        if (r <= 0 || isempty(p)) {
++        if (r < 0) {
                  log_syntax(unit, LOG_WARNING, filename, line, r,
                             "Failed to extract device path and latency from '%s', ignoring.", rvalue);
                  return 0;
+         }
++        if (r == 0 || isempty(p)) {
++                log_syntax(unit, LOG_WARNING, filename, line, 0,
++                           "Invalid device path or latency specified in '%s', ignoring.", rvalue);
++                return 0;
++        }
          r = unit_path_printf(userdata, path, &resolved);
          if (r < 0) {
@@ -4350,11 +4360,16 @@ int config_parse_io_limit(
          r = extract_first_word(&p, &path, NULL, EXTRACT_UNQUOTE);
          if (r == -ENOMEM)
                  return log_oom();
--        if (r <= 0 || isempty(p)) {
++        if (r < 0) {
                  log_syntax(unit, LOG_WARNING, filename, line, r,
                             "Failed to extract device node and bandwidth from '%s', ignoring.", rvalue);
                  return 0;
+         }
++        if (r == 0 || isempty(p)) {
++                log_syntax(unit, LOG_WARNING, filename, line, 0,
++                           "Invalid device node or bandwidth specified in '%s', ignoring.", rvalue);
++                return 0;
++        }
          r = unit_path_printf(userdata, path, &resolved);
          if (r < 0) {
@@ -4435,11 +4450,16 @@ int config_parse_blockio_device_weight(
          r = extract_first_word(&p, &path, NULL, EXTRACT_UNQUOTE);
          if (r == -ENOMEM)
                  return log_oom();
--        if (r <= 0 || isempty(p)) {
++        if (r < 0) {
                  log_syntax(unit, LOG_WARNING, filename, line, r,
                             "Failed to extract device node and weight from '%s', ignoring.", rvalue);
                  return 0;
+         }
++        if (r == 0 || isempty(p)) {
++                log_syntax(unit, LOG_WARNING, filename, line, 0,
++                           "Invalid device node or weight specified in '%s', ignoring.", rvalue);
++                return 0;
++        }
          r = unit_path_printf(userdata, path, &resolved);
          if (r < 0) {
@@ -4508,11 +4528,16 @@ int config_parse_blockio_bandwidth(
          r = extract_first_word(&p, &path, NULL, EXTRACT_UNQUOTE);
          if (r == -ENOMEM)
                  return log_oom();
--        if (r <= 0 || isempty(p)) {
++        if (r < 0) {
                  log_syntax(unit, LOG_WARNING, filename, line, r,
                             "Failed to extract device node and bandwidth from '%s', ignoring.", rvalue);
                  return 0;
+         }
++        if (r == 0 || isempty(p)) {
++                log_syntax(unit, LOG_WARNING, filename, line, 0,
++                           "Invalid device node or bandwidth specified in '%s', ignoring.", rvalue);
++                return 0;
++        }
          r = unit_path_printf(userdata, path, &resolved);
          if (r < 0) {
@@ -4728,8 +4753,12 @@ int config_parse_set_credential(
          r = extract_first_word(&p, &word, ":", EXTRACT_DONT_COALESCE_SEPARATORS);
          if (r == -ENOMEM)
                  return log_oom();
--        if (r <= 0 || !p) {
--                log_syntax(unit, LOG_WARNING, filename, line, r, "Invalid syntax, ignoring: %s", rvalue);
++        if (r < 0) {
++                log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to extract credential name, ignoring: %s", rvalue);
++                return 0;
++        }
++        if (r == 0 || isempty(p)) {
++                log_syntax(unit, LOG_WARNING, filename, line, 0, "Invalid syntax, ignoring: %s", rvalue);
                  return 0;
+         }
@@ -5208,7 +5237,7 @@ int config_parse_bind_paths(
                                  if (r == -ENOMEM)
                                          return log_oom();
                                  if (r < 0) {
--                                        log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse %s: %s", lvalue, rvalue);
++                                        log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse %s=, ignoring: %s", lvalue, rvalue);
                                          return 0;
+                                 }
@@ -5858,6 +5887,7 @@ int config_parse_bpf_foreign_program(
                  void *userdata) {
          _cleanup_free_ char *resolved = NULL, *word = NULL;
          CGroupContext *c = data;
++        const char *p = rvalue;
          Unit *u = userdata;
          int attach_type, r;
@@ -5872,13 +5902,17 @@ int config_parse_bpf_foreign_program(
                  return 0;
+         }
--        r = extract_first_word(&rvalue, &word, ":", 0);
++        r = extract_first_word(&p, &word, ":", 0);
          if (r == -ENOMEM)
                  return log_oom();
--        if (r <= 0 || isempty(rvalue)) {
++        if (r < 0) {
                  log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse foreign BPF program, ignoring: %s", rvalue);
                  return 0;
+         }
++        if (r == 0 || isempty(p)) {
++                log_syntax(unit, LOG_WARNING, filename, line, 0, "Invalid syntax in %s=, ignoring: %s", lvalue, rvalue);
++                return 0;
++        }
          attach_type = bpf_cgroup_attach_type_from_string(word);
          if (attach_type < 0) {
@@ -5886,9 +5920,9 @@ int config_parse_bpf_foreign_program(
                  return 0;
+         }
--        r = unit_path_printf(u, rvalue, &resolved);
++        r = unit_path_printf(u, p, &resolved);
          if (r < 0) {
--                log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to resolve unit specifiers in '%s', ignoring: %m", rvalue);
++                log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to resolve unit specifiers in '%s', ignoring: %s", p, rvalue);
                  return 0;
+         }
 diff --git a/src/core/main.c b/src/core/main.c
 index 409b84a..69d450a 100644
 --- a/src/core/main.c
 +++ b/src/core/main.c
@@ -2118,11 +2118,9 @@ static int initialize_runtime(
                          write_container_id();
+                 }
--                if (arg_watchdog_device) {
--                        r = watchdog_set_device(arg_watchdog_device);
--                        if (r < 0)
--                                log_warning_errno(r, "Failed to set watchdog device to %s, ignoring: %m", arg_watchdog_device);
--                }
++                r = watchdog_set_device(arg_watchdog_device);
++                if (r < 0)
++                        log_warning_errno(r, "Failed to set watchdog device to %s, ignoring: %m", arg_watchdog_device);
          } else {
                  _cleanup_free_ char *p = NULL;
@@ -2377,8 +2375,8 @@ static void reset_arguments(void) {
          arg_reboot_watchdog = 10 * USEC_PER_MINUTE;
          arg_kexec_watchdog = 0;
          arg_pretimeout_watchdog = 0;
--        arg_early_core_pattern = NULL;
--        arg_watchdog_device = NULL;
++        arg_early_core_pattern = mfree(arg_early_core_pattern);
++        arg_watchdog_device = mfree(arg_watchdog_device);
          arg_watchdog_pretimeout_governor = mfree(arg_watchdog_pretimeout_governor);
          arg_default_environment = strv_free(arg_default_environment);
@@ -2808,6 +2806,11 @@ int main(int argc, char *argv[]) {
                  /* clear the kernel timestamp, because we are not PID 1 */
                  kernel_timestamp = DUAL_TIMESTAMP_NULL;
++                /* Clear ambient capabilities, so services do not inherit them implicitly. Dropping them does
++                 * not affect the permitted and effective sets which are important for the manager itself to
++                 * operate. */
++                capability_ambient_set_apply(0, /* also_inherit= */ false);
++
                  if (mac_selinux_init() < 0) {
                          error_message = "Failed to initialize SELinux support";
                          goto finish;
 diff --git a/src/core/mount.c b/src/core/mount.c
 index 20b4bb6..029f132 100644
 --- a/src/core/mount.c
 +++ b/src/core/mount.c
@@ -1029,11 +1029,13 @@ static void mount_enter_mounting(Mount *m) {
          if (p && mount_is_bind(p)) {
                  r = mkdir_p_label(p->what, m->directory_mode);
                  /* mkdir_p_label() can return -EEXIST if the target path exists and is not a directory - which is
--                 * totally OK, in case the user wants us to overmount a non-directory inode. */
--                if (r < 0 && r != -EEXIST) {
--                        log_unit_error_errno(UNIT(m), r, "Failed to make bind mount source '%s': %m", p->what);
--                        goto fail;
--                }
++                 * totally OK, in case the user wants us to overmount a non-directory inode. Also -EROFS can be
++                 * returned on read-only filesystem. Moreover, -EACCES (and also maybe -EPERM?) may be returned
++                 * when the path is on NFS. See issue #24120. All such errors will be logged in the debug level. */
++                if (r < 0 && r != -EEXIST)
++                        log_unit_full_errno(UNIT(m),
++                                            (r == -EROFS || ERRNO_IS_PRIVILEGE(r)) ? LOG_DEBUG : LOG_WARNING,
++                                            r, "Failed to make bind mount source '%s', ignoring: %m", p->what);
+         }
          if (p) {
 diff --git a/src/core/namespace.c b/src/core/namespace.c
 index 926aa96..2eafe43 100644
 --- a/src/core/namespace.c
 +++ b/src/core/namespace.c
@@ -4,9 +4,12 @@
  #include <linux/loop.h>
  #include <sched.h>
  #include <stdio.h>
++#include <sys/file.h>
  #include <sys/mount.h>
  #include <unistd.h>
++#if WANT_LINUX_FS_H
  #include <linux/fs.h>
++#endif
  #include "alloc-util.h"
  #include "base-filesystem.h"
@@ -928,7 +931,7 @@ static int mount_private_dev(MountEntry *m) {
          r = label_fix_container(dev, "/dev", 0);
          if (r < 0) {
--                log_debug_errno(errno, "Failed to fix label of '%s' as /dev: %m", dev);
++                log_debug_errno(r, "Failed to fix label of '%s' as /dev: %m", dev);
                  goto fail;
+         }
 diff --git a/src/core/scope.c b/src/core/scope.c
 index 63d3288..080bb71 100644
 --- a/src/core/scope.c
 +++ b/src/core/scope.c
@@ -392,7 +392,7 @@ static int scope_start(Unit *u) {
                  return r;
+         }
          if (r == 0) {
--                log_unit_warning(u, "No PIDs left to attach to the scope's control group, refusing: %m");
++                log_unit_warning(u, "No PIDs left to attach to the scope's control group, refusing.");
                  scope_enter_dead(s, SCOPE_FAILURE_RESOURCES);
                  return -ECHILD;

Ubuntusystemd package

Merge ~enr0n/ubuntu/+source/systemd:ubuntu-kinetic into ~ubuntu-core-dev/ubuntu/+source/systemd:ubuntu-kinetic

Commit message

Description of the change

Preview Diff

Subscribers

Ubuntu
systemd package