For what it's worth, the sha512 (retrieved from the svn log of https://dist.apache.org/repos/dist/release/arrow/) is as follows.
Index: apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz.sha512 =================================================================== --- apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz.sha512 (nonexistent) +++ apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz.sha512 (revision 80550) 
@@ -0,0 +1 @@ +ea2a7e066886054f541daaf3294d0fd63372ef1e4a077cf84483dffbed183cc97363665a2ef7bd3ede8378be63d102d2770ca26fca16e9a04adb53eb524012a8 apache-arrow-adbc-21.tar.gz

> On Feb 11, 2026, at 11:36 AM, Bryce Mecum <[email protected]> wrote:
>
> New thread: https://lists.apache.org/thread/o2mpsf5okhzfz2k4mbg5d4s9ror69587
>
> On Wed, Feb 11, 2026 at 11:26 AM Bryce Mecum <[email protected]> wrote:
>>
>> Hi Julian, I'm going to start a new thread to discuss the RC
>> provenance question.
>>
>> On Wed, Feb 11, 2026 at 11:22 AM Julian Hyde <[email protected]> wrote:
>>>
>>> Sorry to persist. But I still don’t have a satisfactory answer to this one:
>>>
>>> How can you be sure that the SHA of the RC that four people voted on?
>>>
>>> (In Calcite, every RC is still in the dist/dev tree. E.g.
>>> https://dist.apache.org/repos/dist/dev/calcite/apache-calcite-1.21.0-rc0/.
>>> But I can’t find a similar archive for Arrow.)
>>>
>>> Julian
>>>
>>>> On Feb 9, 2026, at 1:43 PM, Julian Hyde <[email protected]> wrote:
>>>>
>>>> I’ve added some comments to that issue, so let’s continue there.
>>>>
>>>> If other Arrow components are anything like ADBC, we (the Arrow PMC) have
>>>> some release provenance issues to address. These include integrity of
>>>> release votes, downloads pages providing links to historic releases and
>>>> their hashes, and release announcements that include a permanent link to
>>>> artifacts.
>>>>
>>>> (If I am overreacting, I apologize. My investigations are hampered by the
>>>> fact that https://archive.apache.org/dist/arrow/ is timing out currently.)
>>>>
>>>>> On Feb 9, 2026, at 12:01 PM, Bryce Mecum <[email protected]> wrote:
>>>>>
>>>>> https://arrow.apache.org/adbc/current/driver/installation.html which
>>>>> can be traversed to from https://arrow.apache.org. I created [1] to
>>>>> address the information gaps on that page.
>>>>>
>>>>> https://github.com/apache/arrow-adbc/issues/3946
>>>>>
>>>>> On Mon, Feb 9, 2026 at 11:32 AM Julian Hyde <[email protected]>
>>>>> wrote:
>>>>>>
>>>>>> What is the downloads page for Arrow ADBC? The Arrow downloads page only
>>>>>> includes Arrow releases, so it looks as if ADBC isn’t complying with the
>>>>>> policy for downloads pages:
>>>>>> https://infra.apache.org/release-download-pages.html#download-page
>>>>>>
>>>>>>> On Feb 9, 2026, at 11:25 AM, Julian Hyde <[email protected]> wrote:
>>>>>>>
>>>>>>> Re "checksums are linked in the vote thread”. Are any of those
>>>>>>> checksums still available? The linked by the vote,
>>>>>>> https://dist.apache.org/repos/dist/dev/arrow/apache-arrow-adbc-21-rc0
>>>>>>> appears to be broken.
>>>>>>>
>>>>>>> To put it another way. Can you prove that the artifact you voted on had
>>>>>>> hash
>>>>>>> 74d9dedd15bce71bfbc5bce00ad1aa91be84623010e2a01e6846343a7acc93e36fb263a08cc8437a9467bf63a2c7aca4b14d413325d5afb96b590408d918b27e.
>>>>>>> If not, we have a provenance problem.
>>>>>>>
>>>>>>>> On Feb 9, 2026, at 11:02 AM, Bryce Mecum <[email protected]> wrote:
>>>>>>>>
>>>>>>>> Sorry for any confusion caused, Julian. I didn't mean to imply the
>>>>>>>> GitHub URL was the definitive location for the asset and I only linked
>>>>>>>> it because I know it's the same artifact as what's uploaded to ASF and
>>>>>>>> it was near at hand. I otherwise would've linked to [1].
>>>>>>>>
>>>>>>>> Re: the potential policy violations, I can put up a PR to add the
>>>>>>>> latest closer.lua URL to [2] which may address your first point and,
>>>>>>>> for the second point, the checksums are linked in the vote thread so
>>>>>>>> everything looks fine there.
>>>>>>>>
>>>>>>>> [1]
>>>>>>>> https://archive.apache.org/dist/arrow/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz
>>>>>>>> [2] https://arrow.apache.org/adbc/current/driver/installation.html
>>>>>>>>
>>>>>>>> On Mon, Feb 9, 2026 at 10:14 AM Julian Hyde <[email protected]>
>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>> Where is the definitive location for the ADBC 21 source tarball? It
>>>>>>>>> should be on ASF infrastructure, not GitHub.com <http://github.com/>.
>>>>>>>>>
>>>>>>>>> We may have a couple of policy violations here. The release
>>>>>>>>> announcement for ADBC 21 [1] does not link to any permanent location
>>>>>>>>> for downloads. And the SHA512 for the tarball does not appear
>>>>>>>>> anywhere in the vote thread for the release [2].
>>>>>>>>>
>>>>>>>>> We should not be trying to construct the provenance of a release
>>>>>>>>> using circumstantial evidence such as "On *Dec 14, 2025 at 7:46 AM
>>>>>>>>> EST*, the SHA512 checksum for that file was …"
>>>>>>>>>
>>>>>>>>> Julian
>>>>>>>>>
>>>>>>>>> [1] https://lists.apache.org/thread/dpxqpory5pmd119j85ks7cq9prword9p
>>>>>>>>> [2] https://lists.apache.org/thread/mx2bwkbx51hy8robpnqksw93hrqzhtp9
>>>>>>>>>
>>>>>>>>>> On Feb 9, 2026, at 9:17 AM, Bryce Mecum <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>> Hey Rusty,
>>>>>>>>>>
>>>>>>>>>> I think the URL you shared is the source archive for the git tag and
>>>>>>>>>> not the release artifact. If I remember correctly, GitHub has had
>>>>>>>>>> issues with checksum stability with those URLs in the past and, while
>>>>>>>>>> the situation has gotten better, we recommend only using the release
>>>>>>>>>> artifacts anyway [1]. If [1] isn't hash stable, let us know.
>>>>>>>>>>
>>>>>>>>>> [1]
>>>>>>>>>> https://github.com/apache/arrow-adbc/releases/download/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz
>>>>>>>>>>
>>>>>>>>>> On Mon, Feb 9, 2026 at 7:30 AM Rusty Conover <[email protected]>
>>>>>>>>>> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Hi Arrow Friends,
>>>>>>>>>>>
>>>>>>>>>>> Apologies in advance if this is the wrong mailing list or if I’m
>>>>>>>>>>> missing something obvious — but I’ve run into something odd with
>>>>>>>>>>> the `apache-arrow-adbc-21.tar.gz` release artifact.
>>>>>>>>>>>
>>>>>>>>>>> I’ve been building ADBC via vcpkg as part of my `adbc_scanner`
>>>>>>>>>>> DuckDB extension, using the following source archive:
>>>>>>>>>>>
>>>>>>>>>>> https://github.com/apache/arrow-adbc/archive/apache-arrow-adbc-21.tar.gz
>>>>>>>>>>>
>>>>>>>>>>> On *Dec 14, 2025 at 7:46 AM EST*, the SHA512 checksum for that file
>>>>>>>>>>> was:
>>>>>>>>>>>
>>>>>>>>>>> `74d9dedd15bce71bfbc5bce00ad1aa91be84623010e2a01e6846343a7acc93e36fb263a08cc8437a9467bf63a2c7aca4b14d413325d5afb96b590408d918b27e`
>>>>>>>>>>>
>>>>>>>>>>> I know this definitively because that hash is recorded in my vcpkg
>>>>>>>>>>> overlay file, and CI completed successfully at the time.
>>>>>>>>>>>
>>>>>>>>>>> Since then, however, the SHA512 checksum for the same URL now
>>>>>>>>>>> resolves to:
>>>>>>>>>>>
>>>>>>>>>>> `2c15c67d12b6b5ceafdd284038bff71136bac24b9aff1791ed0657e0f0a56ca713e641f9d1032918179af6c387762491c022f43d32995f94a749a60c7b91f20b`
>>>>>>>>>>>
>>>>>>>>>>> This is currently causing reproducible CI failures on the `v1.4`
>>>>>>>>>>> branch of my extension, which you can see starting here:
>>>>>>>>>>>
>>>>>>>>>>> https://github.com/Query-farm/adbc_scanner/actions?page=5
>>>>>>>>>>>
>>>>>>>>>>> Did I miss an announcement, or was the release artifact rebuilt or
>>>>>>>>>>> replaced after the initial publication?
>>>>>>>>>>>
>>>>>>>>>>> Thanks in advance for any clarification, and sorry again if this is
>>>>>>>>>>> my fault.
>>>>>>>>>>>
>>>>>>>>>>> Best wishes,
>>>>>>>>>>>
>>>>>>>>>>> Rusty
>>>>>>>>>>> --
>>>>>>>>>>> https://query.farm
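
Review bot: the one added line in the `@@ -0,0 +1 @@` hunk at the top of this message is the `.sha512` file as committed at revision 80550 in the log of the dist/release tree, so it pins the digest of the published tarball but does not by itself show what the rc0 artifact under dist/dev hashed to when it was voted on; quoting the svn log entry for the `apache-arrow-adbc-21-rc0` path next to it would answer that directly. The digest in that line also matches neither of the two values reported lower in the thread for the github.com `/archive/` URL, which is worth saying explicitly so readers do not try to reconcile them.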
