Override paccache.service ExecStart= with a drop-in instead of replacing the whole service

The ExecStart= in paccache.service is currently overridden by replacing the whole service. This means that all the hardening implemented in the upstream service file is not used.

For this reason we should override ExecStart= with a drop-in file, so all the upstream hardening is used.

I have opened a upstream issue (pacman/pacman-contrib#133 (closed)) requesting a better way for passing extra arguments to the paccache service, but we may not want to wait for this.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

Admin message

Override paccache.service ExecStart= with a drop-in instead of replacing the whole service