Systemd v259 has been released, delivering one of the most wide-ranging updates in recent cycles while preparing users and distributions for more disruptive changes planned for v260.
Support for legacy System V init scripts has been formally deprecated and scheduled for complete removal in systemd v260. Components such as systemd-sysv-generator and systemd-sysv-install are now on borrowed time, and projects still relying on SysV scripts are explicitly urged to migrate to native systemd units.
Alongside this, systemd has published its intent to raise minimum dependency requirements in v260, including Linux kernel 5.10, glibc 2.34, OpenSSL 3.0, and Python 3.9.
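A pre-upgrade check for the two v260 changes above, as an added example that is not from the systemd project: it compares the host's kernel, glibc, OpenSSL and Python versions with the stated minimums and lists init scripts that have no same-named native unit. The function names, the unit directories searched, the same-name matching rule, and the use of the `openssl` and `python3` binaries on PATH as a proxy for what systemd is built against are assumptions.

```shell
#!/bin/sh
# Added example: readiness check for the v260 changes (not systemd project code).

# version_ge A B: succeed if dotted version A >= B, compared field by field.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; x=${x%%[!0-9]*}   # numeric part only: "0-21-amd64" -> 0
        y=${b%%.*}; y=${y%%[!0-9]*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# check NAME MINIMUM FOUND: print one verdict line.
check() {
    if [ -z "$3" ]; then echo "UNKNOWN $1 (need >= $2, not detected)"
    elif version_ge "$3" "$2"; then echo "OK      $1 $3 (need >= $2)"
    else echo "TOO OLD $1 $3 (need >= $2)"; fi
}

# sysv_without_unit INITDIR UNITDIR...: list executable init scripts that have
# no same-named .service in any UNITDIR (assumed rule for "still SysV-only").
sysv_without_unit() {
    initdir=$1; shift
    for script in "$initdir"/*; do
        if [ ! -f "$script" ] || [ ! -x "$script" ]; then continue; fi
        name=${script##*/}; found=no
        for d in "$@"; do
            if [ -e "$d/$name.service" ]; then found=yes; fi
        done
        if [ "$found" = no ]; then echo "$name"; fi
    done
    return 0
}

report() {
    glibc=$(getconf GNU_LIBC_VERSION 2>/dev/null || true)
    check "kernel"  5.10 "$(uname -r 2>/dev/null || true)"
    check "glibc"   2.34 "${glibc##* }"
    check "OpenSSL" 3.0  "$(openssl version 2>/dev/null | awk '$1=="OpenSSL"{print $2}')"
    check "Python"  3.9  "$(python3 --version 2>/dev/null | awk '{print $2}')"
    echo "SysV scripts without a native unit:"
    sysv_without_unit /etc/init.d /etc/systemd/system /run/systemd/system \
        /usr/local/lib/systemd/system /usr/lib/systemd/system /lib/systemd/system
}
report
```

The comparison is numeric per field, so Python 3.11 is correctly treated as newer than 3.9, which a plain string comparison would get wrong.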
On top of that, several incompatible changes take effect immediately in v259. The systemd journal now defaults to persistent storage rather than automatically choosing based on the presence of /var/log/journal, making log retention predictable out of the box.
On the resource-management side, cgroup v2 is now mounted with HugeTLB accounting enabled, meaning huge page usage is included in overall memory limits. Networking has also crossed a line, with systemd-networkd and systemd-nspawn dropping support for iptables entirely and relying exclusively on nftables.
Security hardening continues across multiple components. systemd-boot and systemd-stub no longer support TPM 1.2, retaining only TPM 2.0, which systemd developers consider the only viable option in 2025. Image dissection now enforces VFAT for XBOOTLDR partitions, matching ESP behavior and preventing complex filesystems from being mounted in firmware-accessible locations.
In systemd-repart, LUKS volume labels are now prefixed with “luks-” by default to avoid device label collisions, with new options available for explicit control.
Varlink IPC sees significant expansion in this release. The service manager now exposes execution settings, new filtering capabilities, and additional Varlink calls, such as Reload and Reexecute, bringing feature parity with D-Bus. systemd-repart, systemd-resolved, systemd-machined, and systemd-creds all gain new or expanded Varlink APIs, reflecting a broader shift toward Varlink as a first-class interface across the project.
On the container and virtualization side, systemd-vmspawn and systemd-nspawn add new options for user and group binding, network namespace paths, improved device identification, and better integration with per-user instances of systemd-machined. systemd-machined itself can now run as a user service and resolve container and VM names locally, while systemd-importd completes its migration from GNU tar to libarchive.
TPM2 infrastructure receives some of the most technically significant work in v259. The introduction of so-called NvPCRs addresses the scarcity of traditional PCRs, allowing more measurements without destabilizing existing trust chains. New services measure hardware and product identity, TPM bindings are extended throughout the stack, and systemd-analyze gains tooling to inspect both classic PCRs and the new NvPCRs.
At the dependency level, systemd continues to reduce hard linkages. Linux audit, PAM, libseccomp, libselinux, libmount, libacl, and other libraries are now loaded via dlopen where possible, shrinking dependency trees and improving container behavior. systemd no longer links against libcap at all, having reimplemented the required functionality internally.
Finally, experimental support for building systemd against musl libc is also introduced, with explicit warnings about limitations and no guarantee of long-term support.
For more information, see the changelog.
