So the .SP releases are a bit different to what other projects do.
In general all work except for embargoed security issues are pushed upstream first, and these are also pushed upstream once the embargo is lifted. This means that once the embargo is lifted and security patches are pushed upstream the SP releases are a strict subset of the current upstream branches.
The reason for this is that EAP does not want every commit, as it aims to provide a very stable environment so the number of changes that go into a release are limited to issues that actually affect EAP. For a commit to go into EAP it also needs to be tested and verified by the Red Hat QE, and they can only test so much.
That said I don't think there is any particular reason why we don't push the tags after embargo has been lifted, mostly just that nobody has asked for them. Really though there is no reason to use a SP release over the latest community version, as the SP releases are based on the requirements of EAP and not the community at large.
So the SP tags are not created in the open-source repositories as a rule? (and of course neither are binaries published in maven)?
Are you implying that RH is not releasing "SP" fixes in 2.0.X as open-source in the normal repos?
If that is the case, I'd like to understand fully what is the policy for releasing bug-fixes, security fixes and such. Is there any document that explains such policy? I have built stuff that right now depends on 2.0.X, as many others I guess, based in (wrong?) assumptions about the open-ness of this project.
The SP tags are done in Red Hat internal product repositories.
undertow-dev mailing list