explain the pinning in tox deps config

tox.ini

@@ -20,10 +20,23 @@ passenv = TAHOE_LAFS_* PIP_* SUBUNITREPORTER_* USERPROFILE HOMEDRIVE HOMEPATH
 # available to those systems.  Installing it ahead of time (with pip) avoids
 # this problem.
 deps =
+     # Pin all of these versions for the same reason you ever want to pin
+     # anything: to prevent new releases with regressions from introducing
+     # spurious failures into CI runs for whatever development work is
+     # happening at the time.  The versions selected here are just the current
+     # versions at the time.  Bumping them to keep up with future releases is
+     # fine as long as those releases are known to actually work.
      pip==19.1.1
      setuptools==41.0.1
      wheel==0.33.4
      subunitreporter==19.3.2
+     # As an exception, we don't pin certifi because it contains CA
+     # certificates which necessarily change over time.  Pinning this is
+     # guaranteed to cause things to break eventually as old certificates
+     # expire and as new ones are used in the wild that aren't present in
+     # whatever version we pin.  Hopefully there won't be functionality
+     # regressions in new releases of this package that cause us the kind of
+     # suffering we're trying to avoid with the above pins.
      certifi
 # We add usedevelop=True for speed, and extras=test to get things like "mock"
 # that are required for our unit tests.