The GitHub-generated source tarball is not canonical and there is no guarantee of its stability from GitHub, as Bryce has pointed out. Unfortunately, GitHub does not provide a way to disable this to avoid confusion. We upload our own source tarball (as an artifact, so it remains stable) along with the GPG signature and SHA512 hash to the release. And I will embed the hash into the email as well.
To wit:

https://github.com/apache/arrow-adbc/releases/download/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz
https://github.com/apache/arrow-adbc/releases/download/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz.asc
https://github.com/apache/arrow-adbc/releases/download/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz.sha512

lidavidm@Canon ~/Downloads> sha512sum apache-arrow-adbc-21.tar.gz
ea2a7e066886054f541daaf3294d0fd63372ef1e4a077cf84483dffbed183cc97363665a2ef7bd3ede8378be63d102d2770ca26fca16e9a04adb53eb524012a8 apache-arrow-adbc-21.tar.gz
lidavidm@Canon ~/Downloads> cat apache-arrow-adbc-21.tar.gz.sha512
ea2a7e066886054f541daaf3294d0fd63372ef1e4a077cf84483dffbed183cc97363665a2ef7bd3ede8378be63d102d2770ca26fca16e9a04adb53eb524012a8 apache-arrow-adbc-21.tar.gz
lidavidm@Canon ~/Downloads> gpg --verify apache-arrow-adbc-21.tar.gz.asc
gpg: assuming signed data in 'apache-arrow-adbc-21.tar.gz'
gpg: Signature made Mon Nov 3 16:09:42 2025 JST
gpg: using RSA key BE7EF45DBAD38E4EECED390E9CBA4EF977CA20B8
gpg: Good signature from "David Li (CODE SIGNING KEY) <[email protected]>" [ultimate]

On Thu, Feb 12, 2026, at 06:27, Julian Hyde wrote:
> For what it's worth, the sha512 (retrieved from the svn log of
> https://dist.apache.org/repos/dist/release/arrow/) is as follows.
>
> Index: apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz.sha512
> ===================================================================
> --- apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz.sha512
> (nonexistent)
> +++ apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz.sha512
> (revision 80550)
> @@ -0,0 +1 @@
> +ea2a7e066886054f541daaf3294d0fd63372ef1e4a077cf84483dffbed183cc97363665a2ef7bd3ede8378be63d102d2770ca26fca16e9a04adb53eb524012a8
>
> apache-arrow-adbc-21.tar.gz
>
>
>> On Feb 11, 2026, at 11:36 AM, Bryce Mecum <[email protected]> wrote:
>>
>> New thread: https://lists.apache.org/thread/o2mpsf5okhzfz2k4mbg5d4s9ror69587
>>
>> On Wed, Feb 11, 2026 at 11:26 AM Bryce Mecum <[email protected]> wrote:
>>>
>>> Hi Julian, I'm going to start a new thread to discuss the RC
>>> provenance question.
>>>
>>> On Wed, Feb 11, 2026 at 11:22 AM Julian Hyde <[email protected]> wrote:
>>>>
>>>> Sorry to persist. But I still don’t have a satisfactory answer to this one:
>>>>
>>>> How can you be sure that the SHA of the RC that four people voted on?
>>>>
>>>> (In Calcite, every RC is still in the dist/dev tree. E.g.
>>>> https://dist.apache.org/repos/dist/dev/calcite/apache-calcite-1.21.0-rc0/.
>>>> But I can’t find a similar archive for Arrow.)
>>>>
>>>> Julian
>>>>
>>>>
>>>>
>>>>> On Feb 9, 2026, at 1:43 PM, Julian Hyde <[email protected]> wrote:
>>>>>
>>>>> I’ve added some comments to that issue, so let’s continue there.
>>>>>
>>>>> If other Arrow components are anything like ADBC, we (the Arrow PMC) have
>>>>> some release provenance issues to address. These include integrity of
>>>>> release votes, downloads pages providing links to historic releases and
>>>>> their hashes, and release announcements that include a permanent link to
>>>>> artifacts.
>>>>>
>>>>> (If I am overreacting, I apologize. My investigations are hampered by the
>>>>> fact that https://archive.apache.org/dist/arrow/ is timing out currently.)
>>>>>
>>>>>> On Feb 9, 2026, at 12:01 PM, Bryce Mecum <[email protected]> wrote:
>>>>>>
>>>>>> https://arrow.apache.org/adbc/current/driver/installation.html which
>>>>>> can be traversed to from https://arrow.apache.org. I created [1] to
>>>>>> address the information gaps on that page.
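Review bot: On the quoted svn hunk above, the `@@ -0,0 +1 @@` header says the committed .sha512 file is a single line, so the break between the hash and `apache-arrow-adbc-21.tar.gz` in the quote is mail wrapping, not file content; in the file the digest and filename sit on one line, which is the form `sha512sum -c apache-arrow-adbc-21.tar.gz.sha512` expects. The digest equals the `sha512sum` output and the downloaded .sha512 shown at the top of this message, so the released tarball is consistent with dist/release at revision 80550. What the hunk cannot show is the hash of the RC the votes were cast on, which is the question raised further down: it records only what was committed to dist/release, so the provenance question still has to be answered from the vote thread or the dist/dev RC directory.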
>>>>>>
>>>>>> https://github.com/apache/arrow-adbc/issues/3946
>>>>>>
>>>>>> On Mon, Feb 9, 2026 at 11:32 AM Julian Hyde <[email protected]>
>>>>>> wrote:
>>>>>>>
>>>>>>> What is the downloads page for Arrow ADBC? The Arrow downloads page
>>>>>>> only includes Arrow releases, so it looks as if ADBC isn’t complying
>>>>>>> with the policy for downloads pages:
>>>>>>> https://infra.apache.org/release-download-pages.html#download-page
>>>>>>>
>>>>>>>> On Feb 9, 2026, at 11:25 AM, Julian Hyde <[email protected]>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> Re "checksums are linked in the vote thread". Are any of those
>>>>>>>> checksums still available? The linked by the vote,
>>>>>>>> https://dist.apache.org/repos/dist/dev/arrow/apache-arrow-adbc-21-rc0
>>>>>>>> appears to be broken.
>>>>>>>>
>>>>>>>> To put it another way. Can you prove that the artifact you voted on
>>>>>>>> had hash
>>>>>>>> 74d9dedd15bce71bfbc5bce00ad1aa91be84623010e2a01e6846343a7acc93e36fb263a08cc8437a9467bf63a2c7aca4b14d413325d5afb96b590408d918b27e.
>>>>>>>> If not, we have a provenance problem.
>>>>>>>>
>>>>>>>>> On Feb 9, 2026, at 11:02 AM, Bryce Mecum <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>> Sorry for any confusion caused, Julian. I didn't mean to imply the
>>>>>>>>> GitHub URL was the definitive location for the asset and I only linked
>>>>>>>>> it because I know it's the same artifact as what's uploaded to ASF and
>>>>>>>>> it was near at hand. I otherwise would've linked to [1].
>>>>>>>>>
>>>>>>>>> Re: the potential policy violations, I can put up a PR to add the
>>>>>>>>> latest closer.lua URL to [2] which may address your first point and,
>>>>>>>>> for the second point, the checksums are linked in the vote thread so
>>>>>>>>> everything looks fine there.
>>>>>>>>>
>>>>>>>>> [1]
>>>>>>>>> https://archive.apache.org/dist/arrow/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz
>>>>>>>>> [2] https://arrow.apache.org/adbc/current/driver/installation.html
>>>>>>>>>
>>>>>>>>> On Mon, Feb 9, 2026 at 10:14 AM Julian Hyde <[email protected]>
>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>> Where is the definitive location for the ADBC 21 source tarball? It
>>>>>>>>>> should be on ASF infrastructure, not GitHub.com <http://github.com/>.
>>>>>>>>>>
>>>>>>>>>> We may have a couple of policy violations here. The release
>>>>>>>>>> announcement for ADBC 21 [1] does not link to any permanent location
>>>>>>>>>> for downloads. And the SHA512 for the tarball does not appear
>>>>>>>>>> anywhere in the vote thread for the release [2].
>>>>>>>>>>
>>>>>>>>>> We should not be trying to construct the provenance of a release
>>>>>>>>>> using circumstantial evidence such as "On *Dec 14, 2025 at 7:46 AM
>>>>>>>>>> EST*, the SHA512 checksum for that file was …"
>>>>>>>>>>
>>>>>>>>>> Julian
>>>>>>>>>>
>>>>>>>>>> [1] https://lists.apache.org/thread/dpxqpory5pmd119j85ks7cq9prword9p
>>>>>>>>>> [2] https://lists.apache.org/thread/mx2bwkbx51hy8robpnqksw93hrqzhtp9
>>>>>>>>>>
>>>>>>>>>>> On Feb 9, 2026, at 9:17 AM, Bryce Mecum <[email protected]>
>>>>>>>>>>> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Hey Rusty,
>>>>>>>>>>>
>>>>>>>>>>> I think the URL you shared is the source archive for the git tag and
>>>>>>>>>>> not the release artifact. If I remember correctly, GitHub has had
>>>>>>>>>>> issues with checksum stability with those URLs in the past and,
>>>>>>>>>>> while
>>>>>>>>>>> the situation has gotten better, we recommend only using the release
>>>>>>>>>>> artifacts anyway [1]. If [1] isn't hash stable, let us know.
>>>>>>>>>>>
>>>>>>>>>>> [1]
>>>>>>>>>>> https://github.com/apache/arrow-adbc/releases/download/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Feb 9, 2026 at 7:30 AM Rusty Conover <[email protected]>
>>>>>>>>>>> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Hi Arrow Friends,
>>>>>>>>>>>>
>>>>>>>>>>>> Apologies in advance if this is the wrong mailing list or if I’m
>>>>>>>>>>>> missing something obvious — but I’ve run into something odd with
>>>>>>>>>>>> the `apache-arrow-adbc-21.tar.gz` release artifact.
>>>>>>>>>>>>
>>>>>>>>>>>> I’ve been building ADBC via vcpkg as part of my `adbc_scanner`
>>>>>>>>>>>> DuckDB extension, using the following source archive:
>>>>>>>>>>>>
>>>>>>>>>>>> https://github.com/apache/arrow-adbc/archive/apache-arrow-adbc-21.tar.gz
>>>>>>>>>>>>
>>>>>>>>>>>> On *Dec 14, 2025 at 7:46 AM EST*, the SHA512 checksum for that
>>>>>>>>>>>> file was:
>>>>>>>>>>>>
>>>>>>>>>>>> `74d9dedd15bce71bfbc5bce00ad1aa91be84623010e2a01e6846343a7acc93e36fb263a08cc8437a9467bf63a2c7aca4b14d413325d5afb96b590408d918b27e`
>>>>>>>>>>>>
>>>>>>>>>>>> I know this definitively because that hash is recorded in my vcpkg
>>>>>>>>>>>> overlay file, and CI completed successfully at the time.
>>>>>>>>>>>>
>>>>>>>>>>>> Since then, however, the SHA512 checksum for the same URL now
>>>>>>>>>>>> resolves to:
>>>>>>>>>>>>
>>>>>>>>>>>> `2c15c67d12b6b5ceafdd284038bff71136bac24b9aff1791ed0657e0f0a56ca713e641f9d1032918179af6c387762491c022f43d32995f94a749a60c7b91f20b`
>>>>>>>>>>>>
>>>>>>>>>>>> This is currently causing reproducible CI failures on the `v1.4`
>>>>>>>>>>>> branch of my extension, which you can see starting here:
>>>>>>>>>>>>
>>>>>>>>>>>> https://github.com/Query-farm/adbc_scanner/actions?page=5
>>>>>>>>>>>>
>>>>>>>>>>>> Did I miss an announcement, or was the release artifact rebuilt or
>>>>>>>>>>>> replaced after the initial publication?
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks in advance for any clarification, and sorry again if this
>>>>>>>>>>>> is my fault.
>>>>>>>>>>>>
>>>>>>>>>>>> Best wishes,
>>>>>>>>>>>>
>>>>>>>>>>>> Rusty
>>>>>>>>>>>> --
>>>>>>>>>>>> https://query.farm
>>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>
>>>>
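The checks run by hand at the top of this message (sha512sum against the published .sha512 file, gpg --verify on the detached .asc), folded into one script together with the step the thread is really about: comparing the digest with a hash pinned from the vote or announcement mail, so that a silently replaced artifact fails the build instead of passing. This is an added example, not code from the thread or from the Arrow project. The script name verify_release.sh is constructed; the <name>.tar.gz / .sha512 / .asc naming follows the release assets linked above, and the "<hex>  <filename>" checksum format is what sha512sum produces and what the cat output above shows.

```shell
#!/bin/sh
# verify_release.sh (constructed name): verify a release tarball against its
# published .sha512 file, an optional hash pinned from the vote/announcement
# mail, and its detached .asc signature. Added example, not project code.

# Print the hex SHA-512 of a file with whichever tool is installed.
sha512_of() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | cut -d' ' -f1
  else
    shasum -a 512 "$1" | cut -d' ' -f1
  fi
}

# verify_sha512 TARBALL [PINNED_HASH]
# Succeeds only if the tarball's digest equals the digest recorded in
# TARBALL.sha512 and, when a pinned hash is given, that value as well.
# A .sha512 that names a different file, or whose digest is not 128 hex
# characters (truncated or wrapped), is treated as a failure.
verify_sha512() {
  tarball=$1
  pinned=$2
  sumfile="$tarball.sha512"
  [ -f "$tarball" ] || { echo "missing $tarball" >&2; return 1; }
  [ -f "$sumfile" ] || { echo "missing $sumfile" >&2; return 1; }

  # first token of the first line is the digest; last token (if any) the name
  expected=$(head -n 1 "$sumfile" | awk '{print $1}')
  recorded_name=$(head -n 1 "$sumfile" | awk 'NF >= 2 {print $NF}')
  case "$expected" in
    *[!0-9a-fA-F]*|'') echo "malformed digest in $sumfile" >&2; return 1 ;;
  esac
  [ "${#expected}" -eq 128 ] || { echo "digest in $sumfile is not SHA-512 length" >&2; return 1; }

  if [ -n "$recorded_name" ] && [ "$recorded_name" != "$(basename "$tarball")" ]; then
    echo "$sumfile is for '$recorded_name', not '$(basename "$tarball")'" >&2
    return 1
  fi

  actual=$(sha512_of "$tarball")
  if [ "$actual" != "$expected" ]; then
    echo "SHA-512 mismatch for $tarball" >&2
    echo "  computed:  $actual" >&2
    echo "  published: $expected" >&2
    return 1
  fi
  if [ -n "$pinned" ] && [ "$actual" != "$pinned" ]; then
    echo "SHA-512 of $tarball differs from the hash pinned from the vote/announcement mail" >&2
    return 1
  fi
  echo "SHA-512 OK: $actual  $(basename "$tarball")"
  return 0
}

# verify_signature TARBALL
# Checks the detached signature TARBALL.asc. gpg reports "Good signature"
# only for keys already in the local keyring, so the release manager's key
# must be imported first (ASF projects publish a KEYS file for that; its
# location is not given in this thread). Exit status is gpg's.
verify_signature() {
  tarball=$1
  [ -f "$tarball.asc" ] || { echo "missing $tarball.asc" >&2; return 1; }
  gpg --verify "$tarball.asc" "$tarball"
}

# Usage: verify_release.sh <tarball> [pinned-sha512]
# Runs only when executed as a script, not when sourced.
if [ "${0##*/}" = "verify_release.sh" ]; then
  verify_sha512 "$1" "$2" && verify_signature "$1"
fi
```

Two things the script deliberately does not do: it does not trust the "[ultimate]" shown in the gpg output above, which only reflects that the signer ran the check on his own machine, so the fingerprint gpg prints should be compared with the key listed for the release manager; and it does not download anything, because the point of pinning is that the digest comes from a record written at vote time, not from whatever the download URL serves today.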
