RFC: Host a copy of each release tarball under https://www.openssl.org/source/old/<version>/ as soon as it's released, rather than only when it's superseded

[Googulator]

Right now, the current point-release of each supported version of OpenSSL can be found under the URL: https://www.openssl.org/source/openssl-major.minor.patch.tar.gz - when that version is superseded, it's moved to https://www.openssl.org/source/old/major.minor/openssl-major.minor.patch.tar.gz

This presents a problem for projects trying to maintain permanent links to OpenSSL releases (e.g. live-bootstrap): the link to the main sources/ folder breaks as soon as a new point-release is produced, while the link under old/ isn't usable until then. There exists no URL that points to e.g. 3.0.12 both before and after the release of 3.0.13.

Similarly, because the latest point-release in each lineage includes the patch level in the link, it's also impossible to link to e.g. "the latest 3.0 release" in a dependable manner.

I'd propose the following scheme instead:

• As soon as a new release is produced, make it available under old/, which can then serve as a permanent link to that particular release.
• The latest release in each lineage should have a link in source/ with its full major.minor.patch version number, to maintain compatibility with existing links.
• Provide an additional link, e.g. https://www.openssl.org/source/openssl-3.3-latest.tar.gz, which always redirects to the latest point-release.
• When a lineage reaches EOL, remove its links from /source, keeping it only under /old.

[t8m]

If you try them you will find that links without old already work for old releases.

I.e., the following link still works:

https://www.openssl.org/source/openssl-3.0.1.tar.gz

So there are already permanent links. They are just without the old/ver infix.