Really? Compare:

https://github.com/apache/calcite/releases (empty)
https://github.com/apache/arrow/releases (not empty)

> On Feb 12, 2026, at 12:25 PM, Bryce Mecum <[email protected]> wrote:
>
>> If .tar.gz files under github.com/apache/arrow are causing confusion, let’s remove them.
>
> The original confusion was caused by GitHub's user interface and API, neither of which we can change or opt out of. Since the confusion was quickly remedied in this thread, I don't think any further changes are needed.
>
> On Thu, Feb 12, 2026 at 11:58 AM Julian Hyde <[email protected]> wrote:
>>
>> Source distributions (and more importantly, their .asc and .sha files) must be on ASF hardware. If .tar.gz files under github.com/apache/arrow are causing confusion, let’s remove them.
>>
>>> On Feb 11, 2026, at 5:08 PM, David Li <[email protected]> wrote:
>>>
>>> The GitHub-generated source tarball is not canonical and there is no guarantee of its stability from GitHub, as Bryce has pointed out. Unfortunately, GitHub does not provide a way to disable this to avoid confusion. We upload our own source tarball (as an artifact, so it remains stable) along with the GPG signature and SHA512 hash to the release. And I will embed the hash into the email as well.
>>>
>>> To wit:
>>>
>>> https://github.com/apache/arrow-adbc/releases/download/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz
>>> https://github.com/apache/arrow-adbc/releases/download/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz.asc
>>> https://github.com/apache/arrow-adbc/releases/download/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz.sha512
>>>
>>> lidavidm@Canon ~/Downloads> sha512sum apache-arrow-adbc-21.tar.gz
>>> ea2a7e066886054f541daaf3294d0fd63372ef1e4a077cf84483dffbed183cc97363665a2ef7bd3ede8378be63d102d2770ca26fca16e9a04adb53eb524012a8  apache-arrow-adbc-21.tar.gz
>>> lidavidm@Canon ~/Downloads> cat apache-arrow-adbc-21.tar.gz.sha512
>>> ea2a7e066886054f541daaf3294d0fd63372ef1e4a077cf84483dffbed183cc97363665a2ef7bd3ede8378be63d102d2770ca26fca16e9a04adb53eb524012a8  apache-arrow-adbc-21.tar.gz
>>> lidavidm@Canon ~/Downloads> gpg --verify apache-arrow-adbc-21.tar.gz.asc
>>> gpg: assuming signed data in 'apache-arrow-adbc-21.tar.gz'
>>> gpg: Signature made Mon Nov 3 16:09:42 2025 JST
>>> gpg: using RSA key BE7EF45DBAD38E4EECED390E9CBA4EF977CA20B8
>>> gpg: Good signature from "David Li (CODE SIGNING KEY) <[email protected]>" [ultimate]
>>>
>>> On Thu, Feb 12, 2026, at 06:27, Julian Hyde wrote:
>>>> For what it's worth, the sha512 (retrieved from the svn log of https://dist.apache.org/repos/dist/release/arrow/) is as follows.
>>>>
>>>> Index: apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz.sha512
>>>> ===================================================================
>>>> --- apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz.sha512
>>>> (nonexistent)
>>>> +++ apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz.sha512
>>>> (revision 80550)
>>>> @@ -0,0 +1 @@
>>>> +ea2a7e066886054f541daaf3294d0fd63372ef1e4a077cf84483dffbed183cc97363665a2ef7bd3ede8378be63d102d2770ca26fca16e9a04adb53eb524012a8
>>>> apache-arrow-adbc-21.tar.gz
>>>>
>>>>> On Feb 11, 2026, at 11:36 AM, Bryce Mecum <[email protected]> wrote:
>>>>>
>>>>> New thread: https://lists.apache.org/thread/o2mpsf5okhzfz2k4mbg5d4s9ror69587
>>>>>
>>>>> On Wed, Feb 11, 2026 at 11:26 AM Bryce Mecum <[email protected]> wrote:
>>>>>>
>>>>>> Hi Julian, I'm going to start a new thread to discuss the RC provenance question.
>>>>>>
>>>>>> On Wed, Feb 11, 2026 at 11:22 AM Julian Hyde <[email protected]> wrote:
>>>>>>>
>>>>>>> Sorry to persist. But I still don’t have a satisfactory answer to this one:
>>>>>>>
>>>>>>> How can you be sure that the SHA of the RC that four people voted on?
>>>>>>>
>>>>>>> (In Calcite, every RC is still in the dist/dev tree. E.g. https://dist.apache.org/repos/dist/dev/calcite/apache-calcite-1.21.0-rc0/. But I can’t find a similar archive for Arrow.)
>>>>>>>
>>>>>>> Julian
>>>>>>>
>>>>>>>> On Feb 9, 2026, at 1:43 PM, Julian Hyde <[email protected]> wrote:
>>>>>>>>
>>>>>>>> I’ve added some comments to that issue, so let’s continue there.
>>>>>>>>
>>>>>>>> If other Arrow components are anything like ADBC, we (the Arrow PMC) have some release provenance issues to address. These include integrity of release votes, downloads pages providing links to historic releases and their hashes, and release announcements that include a permanent link to artifacts.
>>>>>>>>
>>>>>>>> (If I am overreacting, I apologize. My investigations are hampered by the fact that https://archive.apache.org/dist/arrow/ is timing out currently.)
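Review bot: The digest this hunk adds at revision 80550 (ea2a7e06…b524012a8 for apache-arrow-adbc-21.tar.gz) is the same value David Li's sha512sum run and the .sha512 file on the GitHub release show, so the dist.apache.org copy and the uploaded GitHub release asset agree with each other; it matches neither the 74d9dedd… nor the 2c15c67d… value Rusty recorded, both of which came from the GitHub-generated /archive/ tag URL rather than the uploaded artifact, which is the distinction the thread turns on. The `@@ -0,0 +1 @@` header says one line was added, so the trailing `apache-arrow-adbc-21.tar.gz` is the filename half of that single sha512sum-format line wrapped by the mailer, not a second line of the file.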
>>>>>>>>
>>>>>>>>> On Feb 9, 2026, at 12:01 PM, Bryce Mecum <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>> https://arrow.apache.org/adbc/current/driver/installation.html which can be traversed to from https://arrow.apache.org. I created [1] to address the information gaps on that page.
>>>>>>>>>
>>>>>>>>> https://github.com/apache/arrow-adbc/issues/3946
>>>>>>>>>
>>>>>>>>> On Mon, Feb 9, 2026 at 11:32 AM Julian Hyde <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>> What is the downloads page for Arrow ADBC? The Arrow downloads page only includes Arrow releases, so it looks as if ADBC isn’t complying with the policy for downloads pages: https://infra.apache.org/release-download-pages.html#download-page
>>>>>>>>>>
>>>>>>>>>>> On Feb 9, 2026, at 11:25 AM, Julian Hyde <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Re "checksums are linked in the vote thread”. Are any of those checksums still available? The one linked by the vote, https://dist.apache.org/repos/dist/dev/arrow/apache-arrow-adbc-21-rc0 appears to be broken.
>>>>>>>>>>>
>>>>>>>>>>> To put it another way. Can you prove that the artifact you voted on had hash 74d9dedd15bce71bfbc5bce00ad1aa91be84623010e2a01e6846343a7acc93e36fb263a08cc8437a9467bf63a2c7aca4b14d413325d5afb96b590408d918b27e. If not, we have a provenance problem.
>>>>>>>>>>>
>>>>>>>>>>>> On Feb 9, 2026, at 11:02 AM, Bryce Mecum <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Sorry for any confusion caused, Julian. I didn't mean to imply the GitHub URL was the definitive location for the asset and I only linked it because I know it's the same artifact as what's uploaded to ASF and it was near at hand. I otherwise would've linked to [1].
>>>>>>>>>>>>
>>>>>>>>>>>> Re: the potential policy violations, I can put up a PR to add the latest closer.lua URL to [2] which may address your first point and, for the second point, the checksums are linked in the vote thread so everything looks fine there.
>>>>>>>>>>>>
>>>>>>>>>>>> [1] https://archive.apache.org/dist/arrow/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz
>>>>>>>>>>>> [2] https://arrow.apache.org/adbc/current/driver/installation.html
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Feb 9, 2026 at 10:14 AM Julian Hyde <[email protected]> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Where is the definitive location for the ADBC 21 source tarball? It should be on ASF infrastructure, not GitHub.com.
>>>>>>>>>>>>>
>>>>>>>>>>>>> We may have a couple of policy violations here. The release announcement for ADBC 21 [1] does not link to any permanent location for downloads. And the SHA512 for the tarball does not appear anywhere in the vote thread for the release [2].
>>>>>>>>>>>>>
>>>>>>>>>>>>> We should not be trying to construct the provenance of a release using circumstantial evidence such as "On *Dec 14, 2025 at 7:46 AM EST*, the SHA512 checksum for that file was …"
>>>>>>>>>>>>>
>>>>>>>>>>>>> Julian
>>>>>>>>>>>>>
>>>>>>>>>>>>> [1] https://lists.apache.org/thread/dpxqpory5pmd119j85ks7cq9prword9p
>>>>>>>>>>>>> [2] https://lists.apache.org/thread/mx2bwkbx51hy8robpnqksw93hrqzhtp9
>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Feb 9, 2026, at 9:17 AM, Bryce Mecum <[email protected]> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hey Rusty,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I think the URL you shared is the source archive for the git tag and not the release artifact. If I remember correctly, GitHub has had issues with checksum stability with those URLs in the past and, while the situation has gotten better, we recommend only using the release artifacts anyway [1]. If [1] isn't hash stable, let us know.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [1] https://github.com/apache/arrow-adbc/releases/download/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Mon, Feb 9, 2026 at 7:30 AM Rusty Conover <[email protected]> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi Arrow Friends,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Apologies in advance if this is the wrong mailing list or if I’m missing something obvious — but I’ve run into something odd with the `apache-arrow-adbc-21.tar.gz` release artifact.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I’ve been building ADBC via vcpkg as part of my `adbc_scanner` DuckDB extension, using the following source archive:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> https://github.com/apache/arrow-adbc/archive/apache-arrow-adbc-21.tar.gz
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On *Dec 14, 2025 at 7:46 AM EST*, the SHA512 checksum for that file was:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> `74d9dedd15bce71bfbc5bce00ad1aa91be84623010e2a01e6846343a7acc93e36fb263a08cc8437a9467bf63a2c7aca4b14d413325d5afb96b590408d918b27e`
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I know this definitively because that hash is recorded in my vcpkg overlay file, and CI completed successfully at the time.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Since then, however, the SHA512 checksum for the same URL now resolves to:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> `2c15c67d12b6b5ceafdd284038bff71136bac24b9aff1791ed0657e0f0a56ca713e641f9d1032918179af6c387762491c022f43d32995f94a749a60c7b91f20b`
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> This is currently causing reproducible CI failures on the `v1.4` branch of my extension, which you can see starting here:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> https://github.com/Query-farm/adbc_scanner/actions?page=5
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Did I miss an announcement, or was the release artifact rebuilt or replaced after the initial publication?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks in advance for any clarification, and sorry again if this is my fault.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Best wishes,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Rusty
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> https://query.farm
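The check David Li performs by hand above with `sha512sum` and `cat` on the `.sha512` sidecar, written as a small Python routine that also covers the situation Julian and Rusty are arguing about: an artifact that still matches its sidecar but is no longer the bytes that were voted on. This is an added example, not code from the Apache Arrow project or from anyone in the thread. The sidecar format it assumes is the `<hex digest>  <filename>` line that `sha512sum` writes, as shown in the thread; the file names, the tarball bytes and the helper names (`parse_sha512_sidecar`, `sha512_of_file`, `verify_artifact`, `run_demo`) are all constructed for the example. GPG signature verification is deliberately left to `gpg --verify` as in the thread and is not reimplemented here.

```python
"""Verify a release tarball against its .sha512 sidecar and an optional pinned digest.

Added example (not Apache Arrow project code). Assumes the sidecar holds
sha512sum-style lines: "<128 hex chars>  <filename>".
"""
import hashlib
import os
import re
import tempfile
from typing import Dict, Optional, Tuple

# sha512sum output: hex digest, whitespace, optional '*' (binary mode), filename
SHA512_LINE = re.compile(r"^([0-9a-fA-F]{128})\s+\*?(\S.*)$")


def parse_sha512_sidecar(text: str) -> Dict[str, str]:
    """Parse sha512sum-format lines into {filename: lowercase hex digest}.

    A malformed line raises ValueError instead of being skipped, so a truncated
    or mangled sidecar cannot quietly turn into 'no entry for this file'.
    """
    digests: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = SHA512_LINE.match(line)
        if not match:
            raise ValueError(f"malformed sha512 line: {line!r}")
        digests[match.group(2)] = match.group(1).lower()
    return digests


def sha512_of_file(path: str) -> str:
    """Stream the file through SHA-512 so a large tarball is never read whole into memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(artifact_path: str, sidecar_path: str,
                    pinned_digest: Optional[str] = None) -> Tuple[bool, str]:
    """Check the artifact against its sidecar, then (optionally) against a digest
    recorded at vote time. Returns (ok, reason)."""
    name = os.path.basename(artifact_path)
    with open(sidecar_path, encoding="utf-8") as f:
        digests = parse_sha512_sidecar(f.read())
    if name not in digests:
        return False, f"sidecar does not list {name!r} (lists {sorted(digests)})"
    actual = sha512_of_file(artifact_path)
    if actual != digests[name]:
        return False, f"{name}: digest does not match sidecar"
    if pinned_digest is not None and actual != pinned_digest.lower():
        # Sidecar and artifact agree with each other, but the artifact is not the
        # bytes that were voted on: it was rebuilt or replaced after publication.
        return False, f"{name}: matches sidecar but not the digest pinned at vote time"
    return True, f"{name}: OK"


def run_demo() -> Dict[str, Tuple[bool, str]]:
    """Run the check over constructed files (sample data, not real release bytes)."""
    results: Dict[str, Tuple[bool, str]] = {}
    with tempfile.TemporaryDirectory() as tmp:
        tarball = os.path.join(tmp, "example-release-1.tar.gz")  # constructed name
        sidecar = tarball + ".sha512"
        voted_bytes = b"constructed tarball bytes as voted on\n"
        with open(tarball, "wb") as f:
            f.write(voted_bytes)
        voted_digest = hashlib.sha512(voted_bytes).hexdigest()
        with open(sidecar, "w", encoding="utf-8") as f:
            f.write(f"{voted_digest}  example-release-1.tar.gz\n")

        # 1. Artifact, sidecar and pinned digest all agree.
        results["good"] = verify_artifact(tarball, sidecar, voted_digest)

        # 2. Sidecar names a different file: refuse rather than assume.
        wrong_sidecar = os.path.join(tmp, "other.sha512")
        with open(wrong_sidecar, "w", encoding="utf-8") as f:
            f.write(f"{voted_digest}  some-other-file.tar.gz\n")
        results["wrong_name"] = verify_artifact(tarball, wrong_sidecar)

        # 3. Artifact regenerated after publication and the sidecar regenerated
        #    with it: only the digest pinned at vote time catches the drift.
        regenerated = b"constructed tarball bytes, regenerated later\n"
        with open(tarball, "wb") as f:
            f.write(regenerated)
        with open(sidecar, "w", encoding="utf-8") as f:
            f.write(f"{hashlib.sha512(regenerated).hexdigest()}  example-release-1.tar.gz\n")
        results["sidecar_only"] = verify_artifact(tarball, sidecar)
        results["drift"] = verify_artifact(tarball, sidecar, voted_digest)

        # 4. Artifact altered but sidecar left alone: the plain sidecar check catches it.
        with open(tarball, "wb") as f:
            f.write(b"tampered\n")
        results["tampered"] = verify_artifact(tarball, sidecar)
    return results


if __name__ == "__main__":
    for case, (ok, reason) in run_demo().items():
        print(f"{case:12s} {'PASS' if ok else 'FAIL'}: {reason}")
```

Case 3 is the point of the thread: a sidecar downloaded next to the artifact only proves the two were produced together, not that either is what the PMC voted on. The pinned digest stands in for the value that a vote thread, or the dist.apache.org svn history, should make permanently citable.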
