I am very concerned that with this security release of Vault, the GitHub source was not updated at around the same time. This leaves those of us who only trust compiling from source vulnerable to the publicly announced risk while we are forced to wait for the source code release. Is this delay intentional and part of policy, or a one-time anomaly? I do not think it is good security policy for an open source project.
Your concern is very understandable and we are working on this. It should be a one-time anomaly.
@DrDaveD (and anyone else with the same concern) - signed tags are now available (Releases · hashicorp/vault · GitHub). We have rotated the PGP key used to sign the tags, so you may wish to grab a new key to verify. The new public key is available at Security at HashiCorp, as well as Keybase and other PGP key servers.
Great, thank you very much!