What is the downloads page for Arrow ADBC? The Arrow downloads page only includes Arrow releases, so it looks as if ADBC isn’t complying with the policy for downloads pages: https://infra.apache.org/release-download-pages.html#download-page
> On Feb 9, 2026, at 11:25 AM, Julian Hyde <[email protected]> wrote: > > Re "checksums are linked in the vote thread”. Are any of those checksums > still available? The linked by the vote, > https://dist.apache.org/repos/dist/dev/arrow/apache-arrow-adbc-21-rc0 appears > to be broken. > > To put it another way. Can you prove that the artifact you voted on had hash > 74d9dedd15bce71bfbc5bce00ad1aa91be84623010e2a01e6846343a7acc93e36fb263a08cc8437a9467bf63a2c7aca4b14d413325d5afb96b590408d918b27e. > If not, we have a provenance problem. > >> On Feb 9, 2026, at 11:02 AM, Bryce Mecum <[email protected]> wrote: >> >> Sorry for any confusion caused, Julian. I didn't mean to imply the >> GitHub URL was the definitive location for the asset and I only linked >> it because I know it's the same artifact as what's uploaded to ASF and >> it was near at hand. I otherwise would've linked to [1]. >> >> Re: the potential policy violations, I can put up a PR to add the >> latest closer.lua URL to [2] which may address your first point and, >> for the second point, the checksums are linked in the vote thread so >> everything looks fine there. >> >> [1] >> https://archive.apache.org/dist/arrow/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz >> [2] https://arrow.apache.org/adbc/current/driver/installation.html >> >> On Mon, Feb 9, 2026 at 10:14 AM Julian Hyde <[email protected]> wrote: >>> >>> Where is the definitive location for the ADBC 21 source tarball? It should >>> be on ASF infrastructure, not GitHub.com <http://github.com/>. >>> >>> We may have a couple of policy violations here. The release announcement >>> for ADBC 21 [1] does not link to any permanent location for downloads. And >>> the SHA512 for the tarball does not appear anywhere in the vote thread for >>> the release [2]. >>> >>> We should not be trying to construct the provenance of a release using >>> circumstantial evidence such as "On *Dec 14, 2025 at 7:46 AM EST*, the >>> SHA512 checksum for that file was …" >>> >>> Julian >>> >>> [1] https://lists.apache.org/thread/dpxqpory5pmd119j85ks7cq9prword9p >>> [2] https://lists.apache.org/thread/mx2bwkbx51hy8robpnqksw93hrqzhtp9 >>> >>>> On Feb 9, 2026, at 9:17 AM, Bryce Mecum <[email protected]> wrote: >>>> >>>> Hey Rusty, >>>> >>>> I think the URL you shared is the source archive for the git tag and >>>> not the release artifact. If I remember correctly, GitHub has had >>>> issues with checksum stability with those URLs in the past and, while >>>> the situation has gotten better, we recommend only using the release >>>> artifacts anyway [1]. If [1] isn't hash stable, let us know. >>>> >>>> [1] >>>> https://github.com/apache/arrow-adbc/releases/download/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz >>>> >>>> On Mon, Feb 9, 2026 at 7:30 AM Rusty Conover <[email protected]> wrote: >>>>> >>>>> Hi Arrow Friends, >>>>> >>>>> Apologies in advance if this is the wrong mailing list or if I’m missing >>>>> something obvious — but I’ve run into something odd with the >>>>> `apache-arrow-adbc-21.tar.gz` release artifact. >>>>> >>>>> I’ve been building ADBC via vcpkg as part of my `adbc_scanner` DuckDB >>>>> extension, using the following source archive: >>>>> >>>>> https://github.com/apache/arrow-adbc/archive/apache-arrow-adbc-21.tar.gz >>>>> >>>>> On *Dec 14, 2025 at 7:46 AM EST*, the SHA512 checksum for that file was: >>>>> >>>>> `74d9dedd15bce71bfbc5bce00ad1aa91be84623010e2a01e6846343a7acc93e36fb263a08cc8437a9467bf63a2c7aca4b14d413325d5afb96b590408d918b27e >>>>> ` >>>>> I know this definitively because that hash is recorded in my vcpkg >>>>> overlay file, and CI completed successfully at the time. >>>>> >>>>> Since then, however, the SHA512 checksum for the same URL now resolves to: >>>>> >>>>> `2c15c67d12b6b5ceafdd284038bff71136bac24b9aff1791ed0657e0f0a56ca713e641f9d1032918179af6c387762491c022f43d32995f94a749a60c7b91f20b >>>>> ` >>>>> This is currently causing reproducible CI failures on the `v1.4` branch >>>>> of my extension, which you can see starting here: >>>>> >>>>> https://github.com/Query-farm/adbc_scanner/actions?page=5 >>>>> >>>>> Did I miss an announcement, or was the release artifact rebuilt or >>>>> replaced after the initial publication? >>>>> >>>>> Thanks in advance for any clarification, and sorry again if this is my >>>>> fault. >>>>> >>>>> Best wishes, >>>>> >>>>> Rusty >>>>> -- >>>>> https://query.farm >>>>> >>> >
