I think this could work ok, but you might run into problems with updates
if the versions shift around... but I guess as long as you re
'shrinkwrap' on updates it should work.

That's the plan, re-run shrinkwrap after each change.

We don't have any way to track
security issues for all the frozen set do we?

Not that I know of but I'll do some research.

How often do you see us updating that set? everytime the hubs rpm updates? Or just when we want
to try and roll up to latest?

Only when we add or update javascript dependencies, so I'd say on JS security issues and on new features. I think that it'll be pretty rare compared to RPM updates.

I don't think so off hand. Looks like pingou is listed as the sponsor so
when things are ready he would be the one to tell you are a go for a
staging instance(s) and all the other next steps (sops, playbooks,
nagios monitoring, etc).

Cool! Thanks.

Aurélien