<div dir="ltr">Hi everyone,<div><br></div><div>Because OpenStack has many packages in common with the base system, e.g. mariadb, memcached, but they are differently packaged and differently versioned, I don't know what the proper way to update them is after OpenStack is installed. Some packages have larger version numbers in OpenStack but some have smaller version numbers in OpenStack, as compared to the same packages in the base repo of the underlying OS. </div><div><br></div><div>Let's compare OpenStack Newton with CentOS 7 and Fedora 25:</div><div><br></div><div><div><b>memcached</b><br></div><div>- OpenStack Newton:  1.4.<b>33-2.el7</b></div><div>- CentOS 7: 1.4.<b>15-10.el7_3.1</b></div><div>- Fedora 25: 1.4.<b>33-1.fc25</b></div></div><div><div><b><br class="gmail-m_-2706384971477816185gmail-Apple-interchange-newline">mariadb</b><br></div><div>- OpenStack Newton:  10.1.<b>18-3.el7</b></div><div>- CentOS 7: 10.1.<b>18-3.el7</b></div><div>- Fedora 25: 10.1.<b>20-1.fc25</b></div></div><div><b><br></b></div><div>That means some packages will be updated with OpenStack's versions and some with the OS distribution's versions if we enable both OpenStack's yum repos and the OS' yum repos. And even worse, when they race each other, one package from one redistribution can be updated by the package from another redistribution. So, we cannot simply run "yum update all" any more, but maybe with an exception list for those common packages. </div><div><br></div><div>Why is it "bad" to update a package in one redistribution with a package from another redistribution? Because different redistributions are not compatible with each other in both package content and versioning scheme. 
Let's examine the change logs of package memcached from OpenStack and from CentOS:</div><div><br></div><div>- CentOS 7:  memcached-1.4.<b>15-10.el7_3.1</b></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">%changelog</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">* Mon Nov 07 2016 Miroslav Lichvar <<a href="mailto:mlichvar@redhat.com">mlichvar@redhat.com</a>> - 0:1.4.15-10.el7_3.1</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">- fix vulnerabilities allowing remote code execution (CVE-2016-8704, CVE-2016-8705, CVE-2016-8706)</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">* Tue Mar 08 2016 Miroslav Lichvar <<a href="mailto:mlichvar@redhat.com">mlichvar@redhat.com</a>> - 0:1.4.15-10</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">- fix binding to IPv6 address (#1298603)</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">- enable SASL support (#1263696)</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">- don't allow authentication with bad SASL credentials (CVE-2013-7239)</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote 
class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">* Fri Jan 24 2014 Daniel Mach <<a href="mailto:dmach@redhat.com">dmach@redhat.com</a>> - 01.4.15-9</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">- Mass rebuild 2014-01-24</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">* Tue Jan 14 2014 Miroslav Lichvar <<a href="mailto:mlichvar@redhat.com">mlichvar@redhat.com</a>> - 0:1.4.15-8</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">- fix unbound key printing (CVE-2013-0179, CVE-2013-7290, CVE-2013-7291)</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">[...]</blockquote></blockquote></div><div> </div><div>- Openstack Newton:  memcached-1.4.<b>33-2.el7<br></b></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">%changelog</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">* Wed Nov  2 2016 Haïkel Guémar <<a href="mailto:hguemar@fedoraproject.org">hguemar@fedoraproject.org</a>> - 0:1.4.33-2</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">- Fix systemd 
service when setting limits</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">* Tue Nov 01 2016 Miroslav Lichvar <<a href="mailto:mlichvar@redhat.com">mlichvar@redhat.com</a>> - 0:1.4.33-1</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">- update to 1.4.33 (CVE-2016-8704, CVE-2016-8705, CVE-2016-8706)</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">* Thu Oct 13 2016 Miroslav Lichvar <<a href="mailto:mlichvar@redhat.com">mlichvar@redhat.com</a>> - 0:1.4.32-1</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">- update to 1.4.32</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">* Wed Sep 07 2016 Miroslav Lichvar <<a href="mailto:mlichvar@redhat.com">mlichvar@redhat.com</a>> - 0:1.4.31-1</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">- update to 1.4.31</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">- disable testing for now</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote 
class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">* Fri Aug 12 2016 Miroslav Lichvar <<a href="mailto:mlichvar@redhat.com">mlichvar@redhat.com</a>> - 0:1.4.30-1</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">- update to 1.4.30</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">* Thu Jul 14 2016 Miroslav Lichvar <<a href="mailto:mlichvar@redhat.com">mlichvar@redhat.com</a>> - 0:1.4.29-1</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">- update to 1.4.29</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">* Tue Jul 12 2016 Miroslav Lichvar <<a href="mailto:mlichvar@redhat.com">mlichvar@redhat.com</a>> - 0:1.4.28-1</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">- update to 1.4.28</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">- listen only on loopback interface by default (#1182542)</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">- use upstream unit file (#1350939)</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">- remove obsolete macros and scriptlet</blockquote><blockquote 
class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">* Tue Jun 21 2016 Miroslav Lichvar <<a href="mailto:mlichvar@redhat.com">mlichvar@redhat.com</a>> - 0:1.4.26-1</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">- update to 1.4.26</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">* Tue Feb 23 2016 Miroslav Lichvar <<a href="mailto:mlichvar@redhat.com">mlichvar@redhat.com</a>> - 0:1.4.25-1</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">- update to 1.4.25</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">- enable SASL support (#815050)</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">- remove obsolete macros</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">* Thu Feb 04 2016 Fedora Release Engineering <<a href="mailto:releng@fedoraproject.org">releng@fedoraproject.org</a>> - 0:1.4.17-5</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">- Rebuilt for <a 
href="https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild">https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild</a></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">* Wed Jun 17 2015 Fedora Release Engineering <<a href="mailto:rel-eng@lists.fedoraproject.org">rel-eng@lists.fedoraproject.org</a>> - 0:1.4.17-4</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">- Rebuilt for <a href="https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild">https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild</a></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">* Sun Aug 17 2014 Fedora Release Engineering <<a href="mailto:rel-eng@lists.fedoraproject.org">rel-eng@lists.fedoraproject.org</a>> - 0:1.4.17-3</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">- Rebuilt for <a href="https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild">https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild</a></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">* Sat Jun 07 2014 Fedora Release Engineering <<a href="mailto:rel-eng@lists.fedoraproject.org">rel-eng@lists.fedoraproject.org</a>> - 0:1.4.17-2</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">- Rebuilt for <a href="https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild">https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild</a></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">* Wed Jan 15 2014 Miroslav Lichvar <<a href="mailto:mlichvar@redhat.com">mlichvar@redhat.com</a>> - 0:1.4.17-1</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">- update to 1.4.17</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">- fix building with -Werror=format-security in CFLAGS</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">[...]</blockquote></blockquote><div><br></div><div>We can see the latest security update in Nov 2016 (CVE-2016-8704, CVE-2016-8705, CVE-2016-8706) appeared in both redistributions, but their version numbers are quite different: 1.4.<b>15-10.el7_3.1</b> vs. 1.4.<b>33-2.el7</b>. And clearly the change contents are quite different from each other.</div><div><br></div><div>If anyone has experience with this problem, please share your resolution!</div><div><br></div><div>Thank you in advance!</div><div><br></div><div>Regards,</div><div>Will Le</div></div>
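<div>An added example, not part of the original message: a simplified form of rpm's epoch/version/release ordering applied to the el7 builds quoted above, showing which repository's build wins on version alone and which CVE ids named only in the other memcached changelog excerpt still need confirming in the winning build. The repo labels and function names are assumptions made for this example, and rpm's <code>~</code> and <code>^</code> handling is left out.</div>

```python
import re

def rpmvercmp(a, b):
    """Order two version or release strings as rpm does (simplified: no '~' or '^')."""
    ta, tb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(ta, tb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1      # a numeric segment beats an alphabetic one
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(ta) > len(tb)) - (len(ta) < len(tb))  # leftover segments make it newer

def evr_cmp(a, b):
    """Compare [epoch:]version-release strings: epoch, then version, then release."""
    def split(evr):
        epoch, _, rest = evr.rpartition(":")
        version, _, release = rest.partition("-")
        return int(epoch or 0), version, release
    (ea, va, ra), (eb, vb, rb) = split(a), split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

# Builds quoted in the post for an el7 host; the repo labels are hypothetical.
BUILDS = {
    "memcached": {"openstack-newton": "1.4.33-2.el7", "centos-7": "1.4.15-10.el7_3.1"},
    "mariadb": {"openstack-newton": "10.1.18-3.el7", "centos-7": "10.1.18-3.el7"},
}
# CVE ids named in the memcached changelog excerpts quoted in the post.
CHANGELOG_CVES = {
    "openstack-newton": {"CVE-2016-8704", "CVE-2016-8705", "CVE-2016-8706"},
    "centos-7": {"CVE-2016-8704", "CVE-2016-8705", "CVE-2016-8706", "CVE-2013-7239",
                 "CVE-2013-0179", "CVE-2013-7290", "CVE-2013-7291"},
}

def winner(pkg):
    """Repo label whose build has the higher EVR, or 'tie' when EVR cannot decide."""
    (r1, e1), (r2, e2) = BUILDS[pkg].items()
    c = evr_cmp(e1, e2)
    return "tie" if c == 0 else (r1 if c > 0 else r2)

def memcached_cves_to_verify():
    """CVEs the losing build's changelog names and the winning build's does not."""
    win = winner("memcached")
    lose = next(r for r in BUILDS["memcached"] if r != win)
    return sorted(CHANGELOG_CVES[lose] - CHANGELOG_CVES[win])

if __name__ == "__main__":
    for pkg in BUILDS:
        print(pkg, "->", winner(pkg))
    print("confirm in the winning build:", memcached_cves_to_verify())
```

<div>A CVE id missing from a rebased package's changelog is not evidence that the fix is absent; the returned list is a prompt to check the upstream release notes for the winning version.</div>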