Given that no votes have yet been cast, perhaps we can just clarify now that the hash of the RC we're voting on is:
bd09adb4feac11fe49d1604f296618866702be610c86e2d513b561d877de6b18 apache-arrow-23.0.1.tar.gz ...and include it in future vote threads. I believe previous updates to the distribution directories are logged and checked out (e.g., svn log https://dist.apache.org/repos/dist/dev/arrow) should there be a question on a past release). Cheers, -dewey On Wed, Feb 11, 2026 at 1:36 PM Julian Hyde <[email protected]> wrote: > -1 jhyde PMC > > I have concerns about Arrow’s release provenance that I have raised in a > recent thread [1] and have not been resolved. > > Specifically, there does not seem to be a permanent record of the SHA of > the RC that people vote on. This creates an opportunity for someone to > substitute a bad .tar.gz for the good .tar.gz at some point after the > release vote has passed. My concerns were about apache-arrow-adbc-21 but > this RC seems to have the same problems. > > In Calcite, we include the SHA in the vote thread [2] and it is also > available in the dist/dev tree [3]. That’s belt-and-suspenders; either is > sufficient. > > Sorry to be a**hole. But this needs to be resolved. > > Julian > > [1] https://lists.apache.org/thread/fvfvv4hdkp5fqn2x7wn4wcwxt63yqnq3 > [2] https://lists.apache.org/thread/1zdx79dbplx7czbqbo5m8dff5tst5c8y > [3] > https://dist.apache.org/repos/dist/dev/calcite/apache-calcite-avatica-go-5.2.0-rc0/ > > > On Feb 11, 2026, at 5:30 AM, Raúl Cumplido <[email protected]> wrote: > > > > Hi, > > > > I would like to propose the following release candidate (RC0) of Apache > > Arrow version 23.0.1. This is a release consisting of 27 > > resolved GitHub issues[1]. > > > > This release candidate is based on commit: > > 82a374e5f3de5b744f26591e6cd96de6349c76d9 [2] > > > > The source release rc0 is hosted at [3]. > > The binary artifacts are hosted at [4][5][6][7][8][9]. > > The changelog is located at [10]. > > > > Please download, verify checksums and signatures, run the unit tests, > > and vote on the release. See [11] for how to validate a release > candidate. > > > > See also a verification result on GitHub pull request [12]. > > > > The vote will be open for at least 72 hours. > > > > [ ] +1 Release this as Apache Arrow 23.0.1 > > [ ] +0 > > [ ] -1 Do not release this as Apache Arrow 23.0.1 because... > > > > [1]: > https://github.com/apache/arrow/issues?q=is%3Aissue+milestone%3A23.0.1+is%3Aclosed > > [2]: > https://github.com/apache/arrow/tree/82a374e5f3de5b744f26591e6cd96de6349c76d9 > > [3]: > https://dist.apache.org/repos/dist/dev/arrow/apache-arrow-23.0.1-rc0 > > [4]: https://packages.apache.org/artifactory/arrow/almalinux-rc/ > > [5]: https://packages.apache.org/artifactory/arrow/amazon-linux-rc/ > > [6]: https://packages.apache.org/artifactory/arrow/centos-rc/ > > [7]: https://packages.apache.org/artifactory/arrow/debian-rc/ > > [8]: https://packages.apache.org/artifactory/arrow/ubuntu-rc/ > > [9]: > https://github.com/apache/arrow/releases/tag/apache-arrow-23.0.1-rc0 > > [10]: > https://github.com/apache/arrow/blob/82a374e5f3de5b744f26591e6cd96de6349c76d9/CHANGELOG.md > > [11]: https://arrow.apache.org/docs/developers/release_verification.html > > [12]: https://github.com/apache/arrow/pull/49212 > >
