Pin dependency versions
As this discussed in the meeting today (2014-06-07), dependency versions should be pinned.
For all dependencies which adhere to http://semver.org/ only the MAJOR and MINOR version should be pinned, never the PATCH version. If a particular release of mediagoblin is known to work with a wider range of versions, pinning to a wide range is better.
Versions should be pinned in requirements.txt, which is convenient for users deploying using pip and virtualenv. Leave the versions in setup.py unpinned (except for minimum versions where necessary).
Verify requirements.txt for each release, and update it if necessary.