note the problem of dependency resolution

Instead, we should converge towards *not* following upstream modules

in our git repository. Modules managed by the `Puppetfile` would *not*

be managed in our git monorepo and, instead, would be deployed by

`r10k`.

`r10k` or `g10k` (most likely the latter because of its support for

checksums).

Note that neither `r10k` or `g10k` resolve dependencies in a

`Puppetfile`. We therefore also need a tool to verify the file

correctly lists all required modules. The following solutions need to

be validated but could address that issue:

 * [generate-puppetfile](https://github.com/rnelson0/puppet-generate-puppetfile): take a `Puppetfile` and walk the

   dependency tree, generating a new `Puppetfile` (see also [this

   introduction to the project](https://rnelson0.com/2015/11/06/introducing-generate-puppetfile-or-creating-a-ruby-program-to-update-your-puppetfile-and-fixtures-yml/))

 * [Puppetfile-updater](https://github.com/camptocamp/puppetfile-updater): read the `Puppetfile` and fetch new releases

 * [ra10ke](https://github.com/voxpupuli/ra10ke): a bunch of Rake tasks to validate a `Puppetfile`

   * `r10k:syntax`: syntax check, see also `r10k puppetfile check`

   * `r10k:dependencies`: check for out of date dependencies

   * `r10k:solve_dependencies`: check for **missing** dependencies

   * `r10k:install`: wrapper around `r10k` to install with some

     caveats

   * `r10k:validate`: make sure modules are accessible

   * `r10k:duplicates`: look for duplicate declarations

 * [lp2r10k](https://github.com/dharmabruce/lp2r10k/): convert "librarian" `Puppetfile` (missing

   dependencies) into a "r10k" `Puppetfile` (with dependencies)

### Authenticate code with checksums

fix that problem and that approach comes in direct conflict with the

"collaboration" requirement. We chose the latter.

This could be implemented as a patch to `ra10ke`.

### Deploy to branch-specific environments

A key feature of r10k (and, of course, g10k) is that they are capable