Changing my vote: +1 jhyde (PMC)
The hash bd09adb4feac11fe49d1604f296618866702be610c86e2d513b561d877de6b18 matches the .tar.gz and .sha256 files in subversion. I see now that Arrow has a practice of deleting RCs from subversion on release, and releases from subversion on the next release. It’s possible find historic artifacts but it requires use of the ’svn’ command-line. Please continue to include sha256 in the release email. Verifying releases is very difficult without it. Julian > On Feb 11, 2026, at 12:49 PM, Dewey Dunnington <[email protected]> > wrote: > > Given that no votes have yet been cast, perhaps we can just clarify now > that the hash of the RC we're voting on is: > > bd09adb4feac11fe49d1604f296618866702be610c86e2d513b561d877de6b18 > apache-arrow-23.0.1.tar.gz > > ...and include it in future vote threads. I believe previous updates to the > distribution directories are logged and checked out (e.g., svn log > https://dist.apache.org/repos/dist/dev/arrow) should there be a question on > a past release). > > Cheers, > > -dewey > > On Wed, Feb 11, 2026 at 1:36 PM Julian Hyde <[email protected]> wrote: > >> -1 jhyde PMC >> >> I have concerns about Arrow’s release provenance that I have raised in a >> recent thread [1] and have not been resolved. >> >> Specifically, there does not seem to be a permanent record of the SHA of >> the RC that people vote on. This creates an opportunity for someone to >> substitute a bad .tar.gz for the good .tar.gz at some point after the >> release vote has passed. My concerns were about apache-arrow-adbc-21 but >> this RC seems to have the same problems. >> >> In Calcite, we include the SHA in the vote thread [2] and it is also >> available in the dist/dev tree [3]. That’s belt-and-suspenders; either is >> sufficient. >> >> Sorry to be a**hole. But this needs to be resolved. >> >> Julian >> >> [1] https://lists.apache.org/thread/fvfvv4hdkp5fqn2x7wn4wcwxt63yqnq3 >> [2] https://lists.apache.org/thread/1zdx79dbplx7czbqbo5m8dff5tst5c8y >> [3] >> https://dist.apache.org/repos/dist/dev/calcite/apache-calcite-avatica-go-5.2.0-rc0/ >> >>> On Feb 11, 2026, at 5:30 AM, Raúl Cumplido <[email protected]> wrote: >>> >>> Hi, >>> >>> I would like to propose the following release candidate (RC0) of Apache >>> Arrow version 23.0.1. This is a release consisting of 27 >>> resolved GitHub issues[1]. >>> >>> This release candidate is based on commit: >>> 82a374e5f3de5b744f26591e6cd96de6349c76d9 [2] >>> >>> The source release rc0 is hosted at [3]. >>> The binary artifacts are hosted at [4][5][6][7][8][9]. >>> The changelog is located at [10]. >>> >>> Please download, verify checksums and signatures, run the unit tests, >>> and vote on the release. See [11] for how to validate a release >> candidate. >>> >>> See also a verification result on GitHub pull request [12]. >>> >>> The vote will be open for at least 72 hours. >>> >>> [ ] +1 Release this as Apache Arrow 23.0.1 >>> [ ] +0 >>> [ ] -1 Do not release this as Apache Arrow 23.0.1 because... >>> >>> [1]: >> https://github.com/apache/arrow/issues?q=is%3Aissue+milestone%3A23.0.1+is%3Aclosed >>> [2]: >> https://github.com/apache/arrow/tree/82a374e5f3de5b744f26591e6cd96de6349c76d9 >>> [3]: >> https://dist.apache.org/repos/dist/dev/arrow/apache-arrow-23.0.1-rc0 >>> [4]: https://packages.apache.org/artifactory/arrow/almalinux-rc/ >>> [5]: https://packages.apache.org/artifactory/arrow/amazon-linux-rc/ >>> [6]: https://packages.apache.org/artifactory/arrow/centos-rc/ >>> [7]: https://packages.apache.org/artifactory/arrow/debian-rc/ >>> [8]: https://packages.apache.org/artifactory/arrow/ubuntu-rc/ >>> [9]: >> https://github.com/apache/arrow/releases/tag/apache-arrow-23.0.1-rc0 >>> [10]: >> https://github.com/apache/arrow/blob/82a374e5f3de5b744f26591e6cd96de6349c76d9/CHANGELOG.md >>> [11]: https://arrow.apache.org/docs/developers/release_verification.html >>> [12]: https://github.com/apache/arrow/pull/49212 >> >>
