Hi Matthew,
2. add a new file, let's call it 'security-updates.txt'
maybe better call it updates-for-known-insecure-versions.txt ;-)
b. the file needs to maintain co-installability of openstack. It is laid over the upper-constraints file and tested the same way upper-constraints is. This testing is NOT perfect. The generated file could be called something like 'somewhat-tested-secureconstraints.txt'
Coinstallability is a problem, but I think it's not the main one. But I agree we can try that.
This also sets up increased work and scope for the requirements team. Perhaps this could be a sub team type of item or something?
Allowing for additions there doesn't immediately increase work. Unless there is somebody actually proposing a change to review, that is. It doesn't make the team magically fulfill the promise - the policy change would allow the review team to accept such a review as it is within policy.