Proposed as a Freeze Exception for 23-final by Fedora user sgallagh using the blocker tracking app because:

 Currently, upgrades of systems running FreeIPA will be broken unless they use --enablerepo=updates-testing or --distro-sync to upgrade.

Discussed at 2015-10-19 freeze exception review meeting: https://meetbot.fedoraproject.org/fedora-blocker-review/2015-10-19/f23-blocker-review.2015-10-19-16.00.html . Rejected as a freeze exception issue: firstly the use of `--distro-sync` mode by default for upgrades (which is already required, as a release blocking issue, in #1263677) should address this, and in any case, it can be sufficiently addressed with an update, as upgrades will almost always use the 'updates' repository.

(In reply to Stephen Gallagher from comment #0)
> Description of problem:
> The version of pki-core in Fedora 23's stable repositories
> (pki-core-10.2.6-7.fc23) is older than the version in the Fedora 22 stable
> repositories (pki-core-10.2.6-9.fc22). Because of this, when upgrading, DNF
> skips this package and it causes other packages (like FreeIPA) to fail to
> upgrade as well.
> 
> Version-Release number of selected component (if applicable):
> pki-core-10.2.6-7.fc23
> 
> How reproducible:
> Every time
> 
> 
> Steps to Reproduce:
> 1. Install Fedora 22 Server. Deploy FreeIPA on it.
> 2. Install dnf-plugin-system-upgrade
> 3. Run `dnf system-upgrade download --releasever=23`
> 
> Actual results:
> Skipping packages with broken dependencies:
>  freeipa-admintools                           x86_64            4.2.2-1.fc23
> fedora             55 k
>  freeipa-client                               x86_64            4.2.2-1.fc23
> fedora            193 k
>  freeipa-python                               x86_64            4.2.2-1.fc23
> fedora            1.3 M
>  freeipa-server                               x86_64            4.2.2-1.fc23
> fedora            1.3 M
>  freeipa-server-trust-ad                      x86_64            4.2.2-1.fc23
> fedora            130 k
>  tomcat                                       noarch           
> 1:8.0.26-1.fc23                               fedora             91 k
>  tomcat-lib                                   noarch           
> 1:8.0.26-1.fc23                               fedora            4.1 M
> 
> 
> 
> Expected results:
> Packages should upgrade successfully.
> 
> Additional info:
> This may become less of an issue once 'dnf system-upgrade' starts doing
> distro-sync instead of upgrade, but right now it's causing breakage.

Not sure that I understand what is going on since the latest stable version of pki-core for Fedora 23 is 'fedora-10.2.6-10.fc23' -- see https://bodhi.fedoraproject.org/updates/FEDORA-2015-cea85c052a.

Maybe the Fedora 23 repo freeze happened before Bodhi pushed 'pki-core-10.2.6-10.fc23' to stable?

Yes. This is in fact shown in Bodhi, though it's not obvious if you don't know how things work: the update's 'Status' is still listed as 'testing' (not stable), and there is a message "submitted for stable" but not a message "pushed to stable". Only updates that get a message "pushed to stable" and their status changed to 'stable' have actually been released as stable.

What will happen next, since we didn't grant this a freeze exception, is that the update will be pushed to stable soon after we sign off on F23 Final (and before it actually gets released). It will go to the 'updates' repository, making it a part of the '0-day updates' set - the set of updates that is pushed stable between sign-off and release and thus is available immediately upon release (0-day).