Updating dependencies on stable branches makes for a moving target, and further destabilizes testing on releases which have a hard time getting maintainers to keep their testing viable at all. We don't recommend running our stable branch source with the exact source code represented by the dependencies we froze at the time of release. It's expected they will be run within the scope of distributions which separately keep track of and patch security vulnerabilities in their contemporary forks of our dependencies as a small part of the overall running system. -- Jeremy Stanley
It's sounding like we have two target audiences that have conflicting needs. This makes a lot of sense for distros, and I think for the most part, our policies so far have been in keeping with the needs of distro maintainers. It's also less burden on upstream requirements management, which I think is very important. The second group of folks are the deployment tools that are part of the community that attempt to use pure upstream source as much as possible to deploy stable versions of OpenStack services. My impression is, due to lack of understanding (due to lack of communication (due to lack of knowing there was a need for communication)), most of these deployment projects expected the defined requirements and constraints to be maintained and accurate to get a decent installation of a given project. I have no suggestions for how to improve this, but I thought it worth pointing out the issue. Sean