On the release thread for 4.0.2, Jeremiah brought up a point about hotfix
releases and CI:
https://lists.apache.org/thread/7zc22z5vw5b58hdzpx2nypwfzjzo3qbr

> If we are making this release for a security incident/data loss/hot fix 
> reason, then I would expect to see the related change set only containing 
> those patches. But the change set in the tag here the latest 4.0-dev commits.

I'd like to propose that in the future, regardless of the state of CI, if we 
need to cut a hotfix release we do so from the previous released SHA + only the 
changes required to address the hotfix to minimally impact our end users and 
provide them with as minimally disruptive a fix as possible.
