“Published” doesn’t always mean “public.” You can publish something to an internal company repo, and still want to remove it in case an unscrupulous coworker ever joins and digs through your history.

Also, consider “secrets” in the “Personally Identifiable Information” sense, or the “confidential information shared to you by a third party” sense. If these are published, someone might see them; but the longer they stay published, the more people might see them, so you have an obligation to remove them.

Also, re: reusing a tag, what about having already announced a release version number, and tagging the release with it, only to find out the release is broken? It’s kind of problematic to have to bump the version again when the previous version didn’t even go out to anyone.

I would propose a slightly more relaxed rule: you shouldn’t be able to erase/overwrite a tag once there exist other tags in the repo with creation or signing timestamps newer than those of the targeted tag. So you can overwrite something you just created, but not something that’s “history.”

(An alternative to this would be if tags had nicknames or “object versions”, like in an S3 bucket. If you could have a v1.0.0 “tag” that first pointed to a static v1.0.0+1 ref, and then to a v1.0.0+2 ref, where clients don’t see the static ref tags but can still check them out using some special syntax in combination with the visible tag—and where you can revoke a static ref, but not overwrite it—that’d probably make everyone happy.)