Prior releases are available via archive.apache.org as well. See the downloads page for more information on archived releases.
You'll notice several links under the 'Latest release' section. A link to a file ending in tar.bz2, as well as a PGP/GPG signature, MD5, and SHA512 file.
The tar.bz2 file contains the Bzip2-compressed tarball with the source code.
The .asc file is a detached cryptographic signature that can be used to help verify the authenticity of the release.
The .md5 file is an MD5 hash of the release to aid in verify the validity of the release download.
The .sha file is a SHA512 hash of the release to aid in verify the validity of the release download.
