> If .tar.gz files under github.com/apache/arrow are causing confusion, let’s 
> remove them.

The original confusion was caused by GitHub's user interface and API,
neither of which we can change or opt out of. Since the confusion was
quickly remedied in this thread, I don't think any further changes are
needed.

On Thu, Feb 12, 2026 at 11:58 AM Julian Hyde <[email protected]> wrote:
>
> Source distributions (and more importantly, their .asc and .sha files) must 
> be on ASF hardware. If .tar.gz files under github.com/apache/arrow are causing 
> confusion, let’s remove them.
>
> > On Feb 11, 2026, at 5:08 PM, David Li <[email protected]> wrote:
> >
> > The GitHub-generated source tarball is not canonical and there is no 
> > guarantee of its stability from GitHub, as Bryce has pointed out. 
> > Unfortunately, GitHub does not provide a way to disable this to avoid 
> > confusion. We upload our own source tarball (as an artifact, so it remains 
> > stable) along with the GPG signature and SHA512 hash to the release. And I 
> > will embed the hash into the email as well.
> >
> > To wit:
> >
> > https://github.com/apache/arrow-adbc/releases/download/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz
> > https://github.com/apache/arrow-adbc/releases/download/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz.asc
> > https://github.com/apache/arrow-adbc/releases/download/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz.sha512
> >
> > lidavidm@Canon ~/Downloads> sha512sum apache-arrow-adbc-21.tar.gz
> > ea2a7e066886054f541daaf3294d0fd63372ef1e4a077cf84483dffbed183cc97363665a2ef7bd3ede8378be63d102d2770ca26fca16e9a04adb53eb524012a8  apache-arrow-adbc-21.tar.gz
> > lidavidm@Canon ~/Downloads> cat apache-arrow-adbc-21.tar.gz.sha512
> > ea2a7e066886054f541daaf3294d0fd63372ef1e4a077cf84483dffbed183cc97363665a2ef7bd3ede8378be63d102d2770ca26fca16e9a04adb53eb524012a8  apache-arrow-adbc-21.tar.gz
> > lidavidm@Canon ~/Downloads> gpg --verify apache-arrow-adbc-21.tar.gz.asc
> > gpg: assuming signed data in 'apache-arrow-adbc-21.tar.gz'
> > gpg: Signature made Mon Nov  3 16:09:42 2025 JST
> > gpg:                using RSA key BE7EF45DBAD38E4EECED390E9CBA4EF977CA20B8
> > gpg: Good signature from "David Li (CODE SIGNING KEY) <[email protected]>" [ultimate]
> >
> > On Thu, Feb 12, 2026, at 06:27, Julian Hyde wrote:
> >> For what it's worth, the sha512 (retrieved from the svn log of
> >> https://dist.apache.org/repos/dist/release/arrow/) is as follows.
> >>
> >> Index: apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz.sha512
> >> ===================================================================
> >> --- apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz.sha512
> >> (nonexistent)
> >> +++ apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz.sha512
> >> (revision 80550)
> >> @@ -0,0 +1 @@
> >> +ea2a7e066886054f541daaf3294d0fd63372ef1e4a077cf84483dffbed183cc97363665a2ef7bd3ede8378be63d102d2770ca26fca16e9a04adb53eb524012a8
> >> apache-arrow-adbc-21.tar.gz
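Review bot: the single added line is in `sha512sum` output format (digest, whitespace, file name), so `sha512sum -c apache-arrow-adbc-21.tar.gz.sha512` run in the directory holding the tarball verifies it directly; its digest is the same ea2a7e06...4012a8 value that the `sha512sum` run and the GitHub release's .sha512 show above, which ties the checksum committed to dist/release to the GitHub release asset.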
> >>
> >>
> >>
> >>> On Feb 11, 2026, at 11:36 AM, Bryce Mecum <[email protected]> wrote:
> >>>
> >>> New thread: 
> >>> https://lists.apache.org/thread/o2mpsf5okhzfz2k4mbg5d4s9ror69587
> >>>
> >>> On Wed, Feb 11, 2026 at 11:26 AM Bryce Mecum <[email protected]> wrote:
> >>>>
> >>>> Hi Julian, I'm going to start a new thread to discuss the RC
> >>>> provenance question.
> >>>>
> >>>> On Wed, Feb 11, 2026 at 11:22 AM Julian Hyde <[email protected]> 
> >>>> wrote:
> >>>>>
> >>>>> Sorry to persist. But I still don’t have a satisfactory answer to this 
> >>>>> one:
> >>>>>
> >>>>> How can you be sure of the SHA of the RC that four people voted on?
> >>>>>
> >>>>> (In Calcite, every RC is still in the dist/dev tree. E.g. 
> >>>>> https://dist.apache.org/repos/dist/dev/calcite/apache-calcite-1.21.0-rc0/.
> >>>>>  But I can’t find a similar archive for Arrow.)
> >>>>>
> >>>>> Julian
> >>>>>
> >>>>>
> >>>>>
> >>>>>> On Feb 9, 2026, at 1:43 PM, Julian Hyde <[email protected]> wrote:
> >>>>>>
> >>>>>> I’ve added some comments to that issue, so let’s continue there.
> >>>>>>
> >>>>>> If other Arrow components are anything like ADBC, we (the Arrow PMC) 
> >>>>>> have some release provenance issues to address. These include 
> >>>>>> integrity of release votes, downloads pages providing links to 
> >>>>>> historic releases and their hashes, and release announcements that 
> >>>>>> include a permanent link to artifacts.
> >>>>>>
> >>>>>> (If I am overreacting, I apologize. My investigations are hampered by 
> >>>>>> the fact that https://archive.apache.org/dist/arrow/ is timing out 
> >>>>>> currently.)
> >>>>>>
> >>>>>>> On Feb 9, 2026, at 12:01 PM, Bryce Mecum <[email protected]> wrote:
> >>>>>>>
> >>>>>>> https://arrow.apache.org/adbc/current/driver/installation.html which
> >>>>>>> can be traversed to from https://arrow.apache.org. I created [1] to
> >>>>>>> address the information gaps on that page.
> >>>>>>>
> >>>>>>> https://github.com/apache/arrow-adbc/issues/3946
> >>>>>>>
> >>>>>>> On Mon, Feb 9, 2026 at 11:32 AM Julian Hyde <[email protected]> 
> >>>>>>> wrote:
> >>>>>>>>
> >>>>>>>> What is the downloads page for Arrow ADBC? The Arrow downloads page 
> >>>>>>>> only includes Arrow releases, so it looks as if ADBC isn’t complying 
> >>>>>>>> with the policy for downloads pages: 
> >>>>>>>> https://infra.apache.org/release-download-pages.html#download-page
> >>>>>>>>
> >>>>>>>>> On Feb 9, 2026, at 11:25 AM, Julian Hyde <[email protected]> 
> >>>>>>>>> wrote:
> >>>>>>>>>
> >>>>>>>>> Re "checksums are linked in the vote thread". Are any of those 
> >>>>>>>>> checksums still available? The one linked by the vote, 
> >>>>>>>>> https://dist.apache.org/repos/dist/dev/arrow/apache-arrow-adbc-21-rc0
> >>>>>>>>>  appears to be broken.
> >>>>>>>>>
> >>>>>>>>> To put it another way. Can you prove that the artifact you voted on 
> >>>>>>>>> had hash 
> >>>>>>>>> 74d9dedd15bce71bfbc5bce00ad1aa91be84623010e2a01e6846343a7acc93e36fb263a08cc8437a9467bf63a2c7aca4b14d413325d5afb96b590408d918b27e.
> >>>>>>>>>  If not, we have a provenance problem.
> >>>>>>>>>
> >>>>>>>>>> On Feb 9, 2026, at 11:02 AM, Bryce Mecum <[email protected]> 
> >>>>>>>>>> wrote:
> >>>>>>>>>>
> >>>>>>>>>> Sorry for any confusion caused, Julian. I didn't mean to imply the
> >>>>>>>>>> GitHub URL was the definitive location for the asset and I only 
> >>>>>>>>>> linked
> >>>>>>>>>> it because I know it's the same artifact as what's uploaded to ASF 
> >>>>>>>>>> and
> >>>>>>>>>> it was near at hand. I otherwise would've linked to [1].
> >>>>>>>>>>
> >>>>>>>>>> Re: the potential policy violations, I can put up a PR to add the
> >>>>>>>>>> latest closer.lua URL to [2] which may address your first point 
> >>>>>>>>>> and,
> >>>>>>>>>> for the second point, the checksums are linked in the vote thread 
> >>>>>>>>>> so
> >>>>>>>>>> everything looks fine there.
> >>>>>>>>>>
> >>>>>>>>>> [1] 
> >>>>>>>>>> https://archive.apache.org/dist/arrow/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz
> >>>>>>>>>> [2] https://arrow.apache.org/adbc/current/driver/installation.html
> >>>>>>>>>>
> >>>>>>>>>> On Mon, Feb 9, 2026 at 10:14 AM Julian Hyde 
> >>>>>>>>>> <[email protected]> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>> Where is the definitive location for the ADBC 21 source tarball? 
> >>>>>>>>>>> It should be on ASF infrastructure, not GitHub.com.
> >>>>>>>>>>>
> >>>>>>>>>>> We may have a couple of policy violations here. The release 
> >>>>>>>>>>> announcement for ADBC 21 [1] does not link to any permanent 
> >>>>>>>>>>> location for downloads. And the SHA512 for the tarball does not 
> >>>>>>>>>>> appear anywhere in the vote thread for the release [2].
> >>>>>>>>>>>
> >>>>>>>>>>> We should not be trying to construct the provenance of a release 
> >>>>>>>>>>> using circumstantial evidence such as "On *Dec 14, 2025 at 7:46 
> >>>>>>>>>>> AM EST*, the SHA512 checksum for that file was …"
> >>>>>>>>>>>
> >>>>>>>>>>> Julian
> >>>>>>>>>>>
> >>>>>>>>>>> [1] 
> >>>>>>>>>>> https://lists.apache.org/thread/dpxqpory5pmd119j85ks7cq9prword9p
> >>>>>>>>>>> [2] 
> >>>>>>>>>>> https://lists.apache.org/thread/mx2bwkbx51hy8robpnqksw93hrqzhtp9
> >>>>>>>>>>>
> >>>>>>>>>>>> On Feb 9, 2026, at 9:17 AM, Bryce Mecum <[email protected]> 
> >>>>>>>>>>>> wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>> Hey Rusty,
> >>>>>>>>>>>>
> >>>>>>>>>>>> I think the URL you shared is the source archive for the git tag 
> >>>>>>>>>>>> and
> >>>>>>>>>>>> not the release artifact. If I remember correctly, GitHub has had
> >>>>>>>>>>>> issues with checksum stability with those URLs in the past and, 
> >>>>>>>>>>>> while
> >>>>>>>>>>>> the situation has gotten better, we recommend only using the 
> >>>>>>>>>>>> release
> >>>>>>>>>>>> artifacts anyway [1]. If [1] isn't hash stable, let us know.
> >>>>>>>>>>>>
> >>>>>>>>>>>> [1] 
> >>>>>>>>>>>> https://github.com/apache/arrow-adbc/releases/download/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz
> >>>>>>>>>>>>
> >>>>>>>>>>>> On Mon, Feb 9, 2026 at 7:30 AM Rusty Conover <[email protected]> 
> >>>>>>>>>>>> wrote:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Hi Arrow Friends,
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Apologies in advance if this is the wrong mailing list or if 
> >>>>>>>>>>>>> I’m missing something obvious — but I’ve run into something odd 
> >>>>>>>>>>>>> with the `apache-arrow-adbc-21.tar.gz` release artifact.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> I’ve been building ADBC via vcpkg as part of my `adbc_scanner` 
> >>>>>>>>>>>>> DuckDB extension, using the following source archive:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> https://github.com/apache/arrow-adbc/archive/apache-arrow-adbc-21.tar.gz
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> On *Dec 14, 2025 at 7:46 AM EST*, the SHA512 checksum for that 
> >>>>>>>>>>>>> file was:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> `74d9dedd15bce71bfbc5bce00ad1aa91be84623010e2a01e6846343a7acc93e36fb263a08cc8437a9467bf63a2c7aca4b14d413325d5afb96b590408d918b27e`
> >>>>>>>>>>>>> I know this definitively because that hash is recorded in my 
> >>>>>>>>>>>>> vcpkg overlay file, and CI completed successfully at the time.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Since then, however, the SHA512 checksum for the same URL now 
> >>>>>>>>>>>>> resolves to:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> `2c15c67d12b6b5ceafdd284038bff71136bac24b9aff1791ed0657e0f0a56ca713e641f9d1032918179af6c387762491c022f43d32995f94a749a60c7b91f20b`
> >>>>>>>>>>>>> This is currently causing reproducible CI failures on the 
> >>>>>>>>>>>>> `v1.4` branch of my extension, which you can see starting here:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> https://github.com/Query-farm/adbc_scanner/actions?page=5
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Did I miss an announcement, or was the release artifact rebuilt 
> >>>>>>>>>>>>> or replaced after the initial publication?
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Thanks in advance for any clarification, and sorry again if 
> >>>>>>>>>>>>> this is my fault.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Best wishes,
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Rusty
> >>>>>>>>>>>>> --
> >>>>>>>>>>>>> https://query.farm
> >>>>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>
> >>>>>>>>
> >>>>>>
> >>>>>
>
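The thread turns on two things: checking a downloaded tarball against the `.sha512` file the release manager published, and the fact that a GitHub `/archive/` tarball can change hash without its contents changing. The script below is an added example, not code from the thread or from the Arrow/ADBC project. It parses a `sha512sum`-style checksum line and verifies it against the tarball bytes, then builds a small constructed "source tree", gzips the same tar twice with different compression settings, and shows that the outer `.tar.gz` hashes differ while the inner `.tar` hashes agree. The file names, contents and compression knobs are made up for the demonstration; nothing in it touches a real release.

```python
"""Check a release tarball against a sha512sum-style .sha512 file, and show why
the hash of a gzip-compressed archive can change while its contents do not.

Added example, not code from the Arrow thread or the ADBC project. File names,
file contents and compression settings are constructed for the demonstration.
"""
import gzip
import hashlib
import hmac
import io
import tarfile

# Constructed sample "source tree"; nothing here comes from a real release.
SAMPLE_FILES = {
    "release-1.0/README": b"constructed sample release\n",
    "release-1.0/src/main.c": b"int main(void) { return 0; }\n",
}


def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


def parse_sha512sum_line(line: str) -> tuple[str, str]:
    """Parse one line in the format sha512sum writes and the .sha512 files
    discussed above use: 128 hex digits, whitespace, file name. sha512sum -c
    also accepts a leading '*' on the name (binary mode), so strip it."""
    parts = line.strip().split(maxsplit=1)
    if len(parts) != 2:
        raise ValueError(f"malformed checksum line: {line!r}")
    digest, name = parts
    try:
        if len(bytes.fromhex(digest)) != 64:
            raise ValueError
    except ValueError:
        raise ValueError(f"not a SHA-512 hex digest: {digest!r}") from None
    return digest.lower(), name.lstrip("*")


def verify_checksum(data: bytes, checksum_file: str, expected_name: str) -> bool:
    """True only if the checksum file names expected_name and its digest matches
    data. A checksum fetched from the same place as the tarball only detects
    corruption or a swapped file; authenticity comes from the detached signature."""
    digest, name = parse_sha512sum_line(checksum_file)
    if name != expected_name:
        return False
    return hmac.compare_digest(digest, sha512_hex(data))


def make_tar(files: dict[str, bytes]) -> bytes:
    """Build an uncompressed tar with fixed metadata, so the archive body is
    identical every time it is produced from the same files."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = 0
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


def gzip_bytes(data: bytes, level: int, mtime: int) -> bytes:
    """gzip with a chosen compression level and header timestamp. Both end up
    in the output bytes, so changing either changes the .tar.gz hash."""
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", compresslevel=level, mtime=mtime) as gz:
        gz.write(data)
    return out.getvalue()


def archive_hash_drift(files: dict[str, bytes]) -> dict[str, bool]:
    """Compress one tar two ways, as a service regenerating archives on demand
    might, and compare the outer .tar.gz hashes with the inner .tar hashes."""
    tar = make_tar(files)
    first = gzip_bytes(tar, level=9, mtime=0)
    second = gzip_bytes(tar, level=1, mtime=1_700_000_000)
    return {
        "tarball_hashes_equal": sha512_hex(first) == sha512_hex(second),
        "inner_tar_hashes_equal": sha512_hex(gzip.decompress(first))
        == sha512_hex(gzip.decompress(second)),
    }


if __name__ == "__main__":
    tarball = gzip_bytes(make_tar(SAMPLE_FILES), level=9, mtime=0)
    # The .sha512 a release manager would publish next to the tarball.
    sha_file = f"{sha512_hex(tarball)}  release-1.0.tar.gz\n"
    print("checksum ok:", verify_checksum(tarball, sha_file, "release-1.0.tar.gz"))
    print("tampered ok:", verify_checksum(tarball + b"\x00", sha_file, "release-1.0.tar.gz"))
    print(archive_hash_drift(SAMPLE_FILES))
```

The drift result is the reason pinning the hash of a generated `/archive/` URL is fragile: the bytes a consumer hashes include the gzip header and the particular deflate stream, not just the tree. The checksum check only confirms you hold the bytes the release manager hashed; the `gpg --verify` step shown in the thread, with the signing key taken from the project's KEYS file rather than from a keyserver, is what ties those bytes to the release manager.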
