From df81883aa571172e563e68af6fd42baa868943f6 Mon Sep 17 00:00:00 2001 From: Luca Boccassi Date: Fri, 15 Mar 2024 14:46:45 +0000 Subject: [PATCH] NEWS: fix typo and reword a couple of entries --- NEWS | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/NEWS b/NEWS index a7726bbee0..e7861b3303 100644 --- a/NEWS +++ b/NEWS @@ -330,7 +330,11 @@ CHANGES WITH 256 in spe: * systemd-run is now a multi-call binary. When invoked as 'uid0', it provides as interface similar to 'sudo', with all arguments starting at the first non-option parameter being treated the command to - invoke. + invoke as root. Unlike 'sudo' and similar tools, it does not make use + of setuid binaries or other privilege escalation methods, but instead + runs the specified command as a transient unit, which is started by + the system service manager, so privileges are dropped, rather than + gained, thus implementing a much more robust and safe security model. * systemd-run gained a new option '--ignore-failure' to suppress command failures. 
@@ -396,14 +400,14 @@ CHANGES WITH 256 in spe: * systemd-repart gained new options --generate-fstab= and --generate-crypttab= to write the fstab and crypttab files. - * systemd-repart gained new option --private-key-source= to specify the - key for as a file, or via OpenSSL's "engine" or "provider" logic. - Configures the signing mechanism to use when creating verity - signature partitions. + * systemd-repart gained new option --private-key-source= to allow + using OpenSSL's "engines" or "providers" as the signing mechanism to + use when creating verity signature partitions. * systemd-measure gained new options --certificate=, --private-key=, - and --private-key-source= to specify the signing information for as a - path or OpenSSL engine or provider. + and --private-key-source= to allow using OpenSSL's "engines" or + "providers" as the signing mechanism to use when creating signed + TPM2 PCR measurement values. * systemd-tmpfiles gained a new option --dry-run to print what would be done without actually taking action. @@ -449,7 +453,7 @@ CHANGES WITH 256 in spe: additional metadata compared to ListSessions(). loginctl makes use of this to list additional fields in list-sessions. - * systemd-cryptenroll can now enroll directly with a public key + * systemd-cryptenroll can now enroll directly with a PKCS11 public key (instead of a certificate). * Core dumps are now retained for two weeks by default.
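Review bot: In the uid0 entry (first hunk, at -330,7), the unchanged context lines still read "it provides as interface similar to 'sudo'" and "being treated the command to"; since the commit is described as a typo fix, correct these in the same hunk to "provides an interface" and "being treated as the command to invoke as root". The added sentence also chains several clauses with "but instead", "which", "so" and "thus"; splitting it after "privilege escalation methods" would let the security claim (the command runs as a transient unit started by the system service manager, so privileges are dropped rather than gained) stand as its own sentence.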
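Review bot: In the systemd-repart and systemd-measure entries (second hunk, at -396,14), the reworded text no longer mentions that the key can be given as a file or path, which the removed lines did ("as a file", "as a path"); a reader now only learns about OpenSSL engines and providers. Suggest keeping the file case in both entries. In the systemd-measure entry the purpose clause is attached to all three options (--certificate=, --private-key=, and --private-key-source=), although it reads as describing --private-key-source= only; consider one sentence for what the first two options supply and a second for the engine/provider selection. The phrase "to allow using ... as the signing mechanism to use" also repeats "use" and could end at "signing mechanism when creating".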
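Review bot: In the systemd-cryptenroll entry (third hunk, at -449,7), "PKCS11" should be written "PKCS#11", which is how the standard is named. The parenthetical "(instead of a certificate)" is kept, so the line could also say where the public key comes from (a file or a token) to make the contrast with the certificate path clear.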