(I am still getting up to speed on simrel rules and operations, debugging the plugin version in the Neon M4 release was a great way to learn all about it, but do forgive me if I have the wrong end of the stick)
Quick follow up brought to my attention by conversation on cross project [1]
From [2]:
> We could use the non-composite repo next time but we still should double check the plugin version because the CDT plugins could end up coming from other update sites with wrong versions (projects that depend on CDT).
It seems to be a requirement going forward, not an option, that the plug-in versions are specified in a way that the M4 mixup cannot happen going forward. I don't know if CDT specify the version in an absolute way if that completely prevents the problem of the wrong version (David Williams says the locked versions achieve 80% of the solution[3])
> [added 12/2015, for Neon] While part of the mechanics of contributing to the build, it is required that any contribution to the Simultaneous Release repository be done by a unique change to the b3aggrcon file. There are two ways to do this. First, your contribution repository can point to a simple repository where you know for sure there is only one version of your contribution available. Second, your contribution repository can be a composite repository but then you name exactly which versions to include. That is you need to specify all 4 version fields. You can, of course, do both methods, simple repository and name exact versions if you want the safety of that redundancy.