Opened 11 years ago
Closed 5 years ago
#903 closed enhancement (no-action)
Pin dependency versions
| Reported by: | warp | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | programming | Keywords: | |
| Cc: | berkerpeksag | Parent Tickets: | |
Description
As discussed in the meeting today (2014-06-07), dependency versions should be pinned.
For all dependencies which adhere to http://semver.org/ only the MAJOR and MINOR version should be pinned, never the PATCH version. If a particular release of mediagoblin is known to work with a wider range of versions, pinning to a wide range is better.
Versions should be pinned in requirements.txt, which is convenient for users deploying using pip and virtualenv. Leave the versions in setup.py unpinned (except for minimum versions where necessary).
Verify requirements.txt for each release, and update it if necessary.
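A checker for the requirements.txt policy described above, as an added example that is not part of the ticket or of MediaGoblin's code. It flags entries that freeze the PATCH version or have no upper bound; the function names, the verdict labels and the `examplepkg`, `otherpkg` and `thirdpkg` lines are assumptions made for illustration.

```python
import re

# Added example. Handles a subset of PEP 440 specifiers; pip options are skipped
# and anything else that does not parse is reported as "unparsed".
REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)$")
SPEC = re.compile(r"^(==|~=|>=|<=|!=|<|>)\s*([0-9][0-9A-Za-z.*+!-]*)$")

def verdict(specs):
    """Map parsed (operator, version) pairs to exact / minor / range / unpinned."""
    if len(specs) == 1 and specs[0][0] in ("==", "~="):
        op, ver = specs[0]
        parts = ver.split(".")
        if op == "==" and parts[-1] != "*":
            return "exact"            # PATCH is frozen: what the ticket says to avoid
        # ==X.Y.* and ~=X.Y.Z both accept any PATCH release within X.Y
        return "minor" if len(parts) == 3 else "range"
    bounded = any(op in ("<", "<=", "==") for op, _ in specs)
    return "range" if bounded else "unpinned"

def classify(line):
    """Return (name, verdict) for one requirements.txt line, or None to skip it."""
    line = line.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments and markers
    if not line or line.startswith("-"):                    # blank line or pip option
        return None
    m = REQ.match(line)
    if not m:
        return None
    specs = []
    for part in filter(None, (p.strip() for p in m.group(2).split(","))):
        sm = SPEC.match(part)
        if not sm:
            return m.group(1), "unparsed"
        specs.append(sm.groups())
    return m.group(1), verdict(specs)

def audit(text):
    """Return {name: verdict} for entries that break the MAJOR.MINOR policy."""
    results = filter(None, map(classify, text.splitlines()))
    return {n: v for n, v in results if v in ("exact", "unpinned", "unparsed")}

# Constructed sample: the two specifiers quoted in the ticket plus hypothetical packages.
SAMPLE = """\
celery>=3.0,<4.3.0
PasteDeploy<=2.1.999
examplepkg==1.4.2     # hypothetical
otherpkg~=2.3.0       # hypothetical
thirdpkg>=1.0         # hypothetical
"""
```

Running `audit(SAMPLE)` as a release check reports only `examplepkg` and `thirdpkg`; the bounded ranges and the MAJOR.MINOR pin pass.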
Change History (5)
comment:1 by , 11 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → in_progress |
comment:2 by , 11 years ago
| Cc: | added |
|---|
comment:3 by , 11 years ago
| Milestone: | 0.7.0 → 0.8.0 |
|---|
comment:4 by , 11 years ago
| Milestone: | 0.8.0 |
|---|
comment:5 by , 5 years ago
| Owner: | removed |
|---|---|
| Resolution: | → noaction |
| Status: | in_progress → closed |
The approach I took in the 0.10.0 release was to loosely pin any dependencies only if they were causing errors (e.g. celery>=3.0,<4.3.0).
Because new versions of packages are dropping Python 2 support all over the place, we also temporarily pinned an upper limit on Python 2 dependencies for this final Python 2 release (e.g. PasteDeploy<=2.1.999). See #5595.
I think we're doing enough here for now, so I'm closing this ticket, but I'd be interested in your feedback.
I think the real game-changer will be continuous integration testing of the installation process and test suite in #5574. With this, we can explicitly test a set of operating systems and versions. This allows us to pin with maximum flexibility, but find out as soon as that approach breaks.

We aren't going to get this in on time... moving to 0.8.0.