Add policy for requirements updates to facilitate nightly builds

[eloquence]

We are finally starting to work towards automated nightly developer builds (#8 in this repo, and associated tickets in other repos). To ensure that those builds include the correct dependencies, we must adhere to the following policy whenever a developer updates a dependency in a repository like securedrop-client:

1) Update requirements.txt in the project repository

2) Upload the updated dependencies to the FPF PyPI mirror

3) Run make requirements in this repo, to generate build-requirements.txt

4) Update build-requirements.txt in the project repository

This policy should be clarified in this repo's README. It it applies to all repositories that will be included in this nightly build process (currently securedrop-client and securedrop-proxy).

[redshiftzero]

these changes are in 3 PRs:

• https://github.com/freedomofpress/securedrop-debian-packaging/pull/56
• https://github.com/freedomofpress/securedrop-proxy/pull/37
• https://github.com/freedomofpress/securedrop-client/pull/422

[redshiftzero]

these above PRs are merged