Currently ROR download links are provided only on request, after submission via ROR website. Most of them will be hosted on AWS and the links expire after some time. Why not provide direct download links with a)latest version for specific ES version b)specific ROR version for specific ES version? I know that Simone does not recommend using outdated versions, but if I have done my testing in DEV region with some specific version, I would definitely want to install the same version in my SIT/UAT/PROD, rather than just pulling the latest version everytime.
Given how frequent the fixes come in and this change has to be deployed in multiple servers, I am planning to build some scripts that can automate the part of downloading the latest version, remove old version and install the new version of ROR. This will be partially useful during first time install as most of the work will be on setting up ROR config files. But subsequent updates, in majority of the cases, will just involve updating ROR version with no changes to config files. So I feel that having these fixed download links is going to be useful. The way that I plan to do it is look for files locally first. If not available, then download.
BTW, just FYI, these kind of direct download links are available for both XPack and Searchguard. XPack provides it on their website, where as SG has it hosted on maven repo.