The install dependencies come from the pip freeze generated requirements file requirements/production.txt. I updated it a few weeks ago to reflect the current releases of all of the dependencies, but obviously pytz and six have done releases since then.
Textile is a little more complicated. It's 2.1.5 release (and probably earlier ones) uses Unicode literals in a couple of places. That's okay for Python 2.6 and 2.7, but not for 3.2. (And just to add to the fun it's okay again for Python 3.3). Ryan ran textile-2.1.4 through 2to3 to create textile-2.1.4-py3k and that's what gets installed if you install Blogofile under Python 3.2. For consistency we install textile-2.1.4 for Python 2.6 & 2.7. I'd send a pull request to six-ify textile-2.1.5 upstream, but the GitHub repo linked from PyPI has disappeared.
As to whether pinning the dependencies is overly cautious, I don't know. I do it on most of the projects I work on because I've been burned in the past by breaking changes in packages several layers down in the dependency chain. I welcome opinions on whether or not the dependencies for Blogofile should be pinned, and I'll give the matter some more thought before the 0.8 final release.