diff --git a/.github/pull_request_template.md.disabled b/.github/pull_request_template.md.disabled
new file mode 100644
index 0000000000000..a1333460afd09
--- /dev/null
+++ b/.github/pull_request_template.md.disabled
@@ -0,0 +1,5 @@
+# CODE FREEZE NOTICE
+
+An -rc1 tag has been created and a release is being prepared, so please note that
+PRs introducing new features and APIs will be held back until the new version
+has been released.
diff --git a/.github/workflows/requirements.txt b/.github/workflows/requirements.txt
index c97c178a5b497..5bc9cbef8ebb2 100644
--- a/.github/workflows/requirements.txt
+++ b/.github/workflows/requirements.txt
@@ -1,6 +1,6 @@
-meson==0.62.2 \
-    --hash=sha256:a7669e4c4110b06b743d57cc5d6432591a6677ef2402139fe4f3d42ac13380b0 \
-    --hash=sha256:c245d2b39e1ce1d1968e0b7067771fd02ca1bade1990adb3cf4088375ba188c9
+meson==0.63.0 \
+    --hash=sha256:399f2ca3181ef257fe3adb2deaff46bc19435cb8b1e883f26db831ce32139820 \
+    --hash=sha256:3b51d451744c2bc71838524ec8d96cd4f8c4793d5b8d5d0d0a9c8a4f7c94cd6f
 ninja==1.10.2.3 \
     --hash=sha256:0560eea57199e41e86ac2c1af0108b63ae77c3ca4d05a9425a750e908135935a \
     --hash=sha256:21a1d84d4c7df5881bfd86c25cce4cf7af44ba2b8b255c57bc1c434ec30a2dfc \
diff --git a/docs/RELEASE.md b/docs/RELEASE.md
index acbfa8e5bb3e4..0d48047f9a8bd 100644
--- a/docs/RELEASE.md
+++ b/docs/RELEASE.md
@@ -13,6 +13,8 @@ SPDX-License-Identifier: LGPL-2.1-or-later
 4. Update hwdb (`ninja -C build update-hwdb`, `ninja -C build update-hwdb-autosuspend`, commit separately).
 5. Update syscall numbers (`ninja -C build update-syscall-tables update-syscall-header`).
 6. [RC1] Update version and library numbers in `meson.build`
+6. [RC1] Rename `.github/pull_request_template.md.disabled` to `.github/pull_request_template.md` to display the warning about soft-freeze for new features
+6. [FINAL] Rename `.github/pull_request_template.md` to `.github/pull_request_template.md.disabled` to hide the warning about soft-freeze for new features
 7. Check dbus docs with `ninja -C build update-dbus-docs`
 8. Tag the release: `version=vXXX-rcY && git tag -s "${version}" -m "systemd ${version}"`
 9. Do `ninja -C build`
diff --git a/src/portable/profile/trusted/service.conf b/src/portable/profile/trusted/service.conf
index 9a6af70b93989..04deeb2262e16 100644
--- a/src/portable/profile/trusted/service.conf
+++ b/src/portable/profile/trusted/service.conf
@@ -1,7 +1,8 @@
-# The "trusted" profile for services, i.e. no restrictions are applied
+# The "trusted" profile for services, i.e. no restrictions are applied apart from a private /tmp
 
 [Service]
 MountAPIVFS=yes
+PrivateTmp=yes
 BindPaths=/run
 BindReadOnlyPaths=/etc/machine-id
 BindReadOnlyPaths=/etc/resolv.conf