OK, you got me. I presume that GitHub creates this file automatically because there is a tag ‘calcite-1.41.0’. In Calcite we have endeavored to counter the perception that there are releases on GitHub. Because, for the ASF, a release is a legal act, not merely the result of someone typing ‘git tag’ and then ‘git push’. I agree with you that it is hard to stay GitHub’s hand.
> On Feb 12, 2026, at 12:38 PM, Bryce Mecum <[email protected]> wrote:
>
> https://github.com/apache/calcite/archive/calcite-1.41.0.tar.gz
>
> On Thu, Feb 12, 2026 at 12:33 PM Julian Hyde <[email protected]> wrote:
>>
>> Really? Compare:
>>
>> https://github.com/apache/calcite/releases (empty)
>> https://github.com/apache/arrow/releases (not empty)
>>
>>
>>> On Feb 12, 2026, at 12:25 PM, Bryce Mecum <[email protected]> wrote:
>>>
>>>> If .tar.gz files under github.com/apache/arrow is causing confusion, let’s
>>>> remove them.
>>>
>>> The original confusion was caused by GitHub's user interface and API,
>>> neither of which we can change or opt out of. Since the confusion was
>>> quickly remedied in this thread, I don't think any further changes are
>>> needed.
>>>
>>> On Thu, Feb 12, 2026 at 11:58 AM Julian Hyde <[email protected]> wrote:
>>>>
>>>> Source distributions (and more importantly, their .asc and .sha files)
>>>> must be on ASF hardware. If .tar.gz files under github.com/apache/arrow is
>>>> causing confusion, let’s remove them.
>>>>
>>>>> On Feb 11, 2026, at 5:08 PM, David Li <[email protected]> wrote:
>>>>>
>>>>> The GitHub-generated source tarball is not canonical and there is no
>>>>> guarantee of its stability from GitHub, as Bryce has pointed out.
>>>>> Unfortunately, GitHub does not provide a way to disable this to avoid
>>>>> confusion. We upload our own source tarball (as an artifact, so it
>>>>> remains stable) along with the GPG signature and SHA512 hash to the
>>>>> release. And I will embed the hash into the email as well.
>>>>>
>>>>> To wit:
>>>>>
>>>>> https://github.com/apache/arrow-adbc/releases/download/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz
>>>>> https://github.com/apache/arrow-adbc/releases/download/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz.asc
>>>>> https://github.com/apache/arrow-adbc/releases/download/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz.sha512
>>>>>
>>>>> lidavidm@Canon ~/Downloads> sha512sum apache-arrow-adbc-21.tar.gz
>>>>> ea2a7e066886054f541daaf3294d0fd63372ef1e4a077cf84483dffbed183cc97363665a2ef7bd3ede8378be63d102d2770ca26fca16e9a04adb53eb524012a8
>>>>> apache-arrow-adbc-21.tar.gz
>>>>> lidavidm@Canon ~/Downloads> cat apache-arrow-adbc-21.tar.gz.sha512
>>>>> ea2a7e066886054f541daaf3294d0fd63372ef1e4a077cf84483dffbed183cc97363665a2ef7bd3ede8378be63d102d2770ca26fca16e9a04adb53eb524012a8
>>>>> apache-arrow-adbc-21.tar.gz
>>>>> lidavidm@Canon ~/Downloads> gpg --verify apache-arrow-adbc-21.tar.gz.asc
>>>>> gpg: assuming signed data in 'apache-arrow-adbc-21.tar.gz'
>>>>> gpg: Signature made Mon Nov 3 16:09:42 2025 JST
>>>>> gpg: using RSA key BE7EF45DBAD38E4EECED390E9CBA4EF977CA20B8
>>>>> gpg: Good signature from "David Li (CODE SIGNING KEY)
>>>>> <[email protected]>" [ultimate]
>>>>>
>>>>> On Thu, Feb 12, 2026, at 06:27, Julian Hyde wrote:
>>>>>> For what it's worth, the sha512 (retrieved from the svn log of
>>>>>> https://dist.apache.org/repos/dist/release/arrow/) is as follows.
>>>>>>
>>>>>> Index: apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz.sha512 >>>>>> =================================================================== >>>>>> --- apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz.sha512 >>>>>> (nonexistent) >>>>>> +++ apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz.sha512 >>>>>> (revision 80550)
>>>>>> @@ -0,0 +1 @@ >>>>>> +ea2a7e066886054f541daaf3294d0fd63372ef1e4a077cf84483dffbed183cc97363665a2ef7bd3ede8378be63d102d2770ca26fca16e9a04adb53eb524012a8 >>>>>> apache-arrow-adbc-21.tar.gz
>>>>>>
>>>>>>
>>>>>>
>>>>>>> On Feb 11, 2026, at 11:36 AM, Bryce Mecum <[email protected]> wrote:
>>>>>>>
>>>>>>> New thread:
>>>>>>> https://lists.apache.org/thread/o2mpsf5okhzfz2k4mbg5d4s9ror69587
>>>>>>>
>>>>>>> On Wed, Feb 11, 2026 at 11:26 AM Bryce Mecum <[email protected]> wrote:
>>>>>>>>
>>>>>>>> Hi Julian, I'm going to start a new thread to discuss the RC
>>>>>>>> provenance question.
>>>>>>>>
>>>>>>>> On Wed, Feb 11, 2026 at 11:22 AM Julian Hyde <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>> Sorry to persist. But I still don’t have a satisfactory answer to
>>>>>>>>> this one:
>>>>>>>>>
>>>>>>>>> How can you be sure that the SHA of the RC that four people voted on?
>>>>>>>>>
>>>>>>>>> (In Calcite, every RC is still in the dist/dev tree. E.g.
>>>>>>>>> https://dist.apache.org/repos/dist/dev/calcite/apache-calcite-1.21.0-rc0/.
>>>>>>>>> But I can’t find a similar archive for Arrow.)
>>>>>>>>>
>>>>>>>>> Julian
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> On Feb 9, 2026, at 1:43 PM, Julian Hyde <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>> I’ve added some comments to that issue, so let’s continue there.
>>>>>>>>>>
>>>>>>>>>> If other Arrow components are anything like ADBC, we (the Arrow PMC)
>>>>>>>>>> have some release provenance issues to address. These include
>>>>>>>>>> integrity of release votes, downloads pages providing links to
>>>>>>>>>> historic releases and their hashes, and release announcements that
>>>>>>>>>> include a permanent link to artifacts.
>>>>>>>>>>
>>>>>>>>>> (If I am overreacting, I apologize. My investigations are hampered
>>>>>>>>>> by the fact that https://archive.apache.org/dist/arrow/ is timing
>>>>>>>>>> out currently.)
>>>>>>>>>>
>>>>>>>>>>> On Feb 9, 2026, at 12:01 PM, Bryce Mecum <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>> https://arrow.apache.org/adbc/current/driver/installation.html which
>>>>>>>>>>> can be traversed to from https://arrow.apache.org. I created [1] to
>>>>>>>>>>> address the information gaps on that page.
>>>>>>>>>>>
>>>>>>>>>>> https://github.com/apache/arrow-adbc/issues/3946
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Feb 9, 2026 at 11:32 AM Julian Hyde <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> What is the downloads page for Arrow ADBC? The Arrow downloads
>>>>>>>>>>>> page only includes Arrow releases, so it looks as if ADBC isn’t
>>>>>>>>>>>> complying with the policy for downloads pages:
>>>>>>>>>>>> https://infra.apache.org/release-download-pages.html#download-page
>>>>>>>>>>>>
>>>>>>>>>>>>> On Feb 9, 2026, at 11:25 AM, Julian Hyde <[email protected]> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Re “checksums are linked in the vote thread”. Are any of those
>>>>>>>>>>>>> checksums still available? The linked by the vote,
>>>>>>>>>>>>> https://dist.apache.org/repos/dist/dev/arrow/apache-arrow-adbc-21-rc0
>>>>>>>>>>>>> appears to be broken.
>>>>>>>>>>>>>
>>>>>>>>>>>>> To put it another way. Can you prove that the artifact you voted
>>>>>>>>>>>>> on had hash
>>>>>>>>>>>>> 74d9dedd15bce71bfbc5bce00ad1aa91be84623010e2a01e6846343a7acc93e36fb263a08cc8437a9467bf63a2c7aca4b14d413325d5afb96b590408d918b27e.
>>>>>>>>>>>>> If not, we have a provenance problem.
>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Feb 9, 2026, at 11:02 AM, Bryce Mecum <[email protected]> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Sorry for any confusion caused, Julian. I didn't mean to imply the
>>>>>>>>>>>>>> GitHub URL was the definitive location for the asset and I only linked
>>>>>>>>>>>>>> it because I know it's the same artifact as what's uploaded to ASF and
>>>>>>>>>>>>>> it was near at hand. I otherwise would've linked to [1].
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Re: the potential policy violations, I can put up a PR to add the
>>>>>>>>>>>>>> latest closer.lua URL to [2] which may address your first point and,
>>>>>>>>>>>>>> for the second point, the checksums are linked in the vote thread so
>>>>>>>>>>>>>> everything looks fine there.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [1] https://archive.apache.org/dist/arrow/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz
>>>>>>>>>>>>>> [2] https://arrow.apache.org/adbc/current/driver/installation.html
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Mon, Feb 9, 2026 at 10:14 AM Julian Hyde <[email protected]> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Where is the definitive location for the ADBC 21 source
>>>>>>>>>>>>>>> tarball? It should be on ASF infrastructure, not GitHub.com
>>>>>>>>>>>>>>> <http://github.com/>.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> We may have a couple of policy violations here. The release
>>>>>>>>>>>>>>> announcement for ADBC 21 [1] does not link to any permanent
>>>>>>>>>>>>>>> location for downloads. And the SHA512 for the tarball does not
>>>>>>>>>>>>>>> appear anywhere in the vote thread for the release [2].
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> We should not be trying to construct the provenance of a
>>>>>>>>>>>>>>> release using circumstantial evidence such as "On *Dec 14, 2025
>>>>>>>>>>>>>>> at 7:46 AM EST*, the SHA512 checksum for that file was …"
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Julian
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> [1] https://lists.apache.org/thread/dpxqpory5pmd119j85ks7cq9prword9p
>>>>>>>>>>>>>>> [2] https://lists.apache.org/thread/mx2bwkbx51hy8robpnqksw93hrqzhtp9
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Feb 9, 2026, at 9:17 AM, Bryce Mecum <[email protected]> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hey Rusty,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I think the URL you shared is the source archive for the git tag and
>>>>>>>>>>>>>>>> not the release artifact. If I remember correctly, GitHub has had
>>>>>>>>>>>>>>>> issues with checksum stability with those URLs in the past and, while
>>>>>>>>>>>>>>>> the situation has gotten better, we recommend only using the release
>>>>>>>>>>>>>>>> artifacts anyway [1]. If [1] isn't hash stable, let us know.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> [1] https://github.com/apache/arrow-adbc/releases/download/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Mon, Feb 9, 2026 at 7:30 AM Rusty Conover <[email protected]> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hi Arrow Friends,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Apologies in advance if this is the wrong mailing list or if
>>>>>>>>>>>>>>>>> I’m missing something obvious — but I’ve run into something
>>>>>>>>>>>>>>>>> odd with the `apache-arrow-adbc-21.tar.gz` release artifact.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I’ve been building ADBC via vcpkg as part of my
>>>>>>>>>>>>>>>>> `adbc_scanner` DuckDB extension, using the following source
>>>>>>>>>>>>>>>>> archive:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> https://github.com/apache/arrow-adbc/archive/apache-arrow-adbc-21.tar.gz
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On *Dec 14, 2025 at 7:46 AM EST*, the SHA512 checksum for
>>>>>>>>>>>>>>>>> that file was:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> `74d9dedd15bce71bfbc5bce00ad1aa91be84623010e2a01e6846343a7acc93e36fb263a08cc8437a9467bf63a2c7aca4b14d413325d5afb96b590408d918b27e`
>>>>>>>>>>>>>>>>> I know this definitively because that hash is recorded in my
>>>>>>>>>>>>>>>>> vcpkg overlay file, and CI completed successfully at the time.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Since then, however, the SHA512 checksum for the same URL now
>>>>>>>>>>>>>>>>> resolves to:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> `2c15c67d12b6b5ceafdd284038bff71136bac24b9aff1791ed0657e0f0a56ca713e641f9d1032918179af6c387762491c022f43d32995f94a749a60c7b91f20b`
>>>>>>>>>>>>>>>>> This is currently causing reproducible CI failures on the
>>>>>>>>>>>>>>>>> `v1.4` branch of my extension, which you can see starting
>>>>>>>>>>>>>>>>> here:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> https://github.com/Query-farm/adbc_scanner/actions?page=5
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Did I miss an announcement, or was the release artifact
>>>>>>>>>>>>>>>>> rebuilt or replaced after the initial publication?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Thanks in advance for any clarification, and sorry again if
>>>>>>>>>>>>>>>>> this is my fault.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Best wishes,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Rusty
>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>> https://query.farm
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>
>>
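
An added example, not part of the thread or of any ASF or Arrow tooling: a shell sketch of the two checks the thread turns on, telling a GitHub auto-generated tag archive URL from an uploaded release asset, and comparing a tarball's SHA512 with both the published `.sha512` file and a locally pinned digest (as in a vcpkg overlay). The function names, exit codes and demo file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify a download URL and check a
# tarball against its published .sha512 file plus a locally pinned digest.
# Function names and exit codes are assumptions made for this sketch.

# GitHub serves two different things for a tag: an on-demand archive of the
# tree (/archive/...) and files the project uploaded (/releases/download/...).
classify_source_url() {
  case "$1" in
    https://github.com/*/releases/download/*/*) echo release-asset ;;
    https://github.com/*/archive/*)             echo generated-archive ;;
    https://archive.apache.org/dist/*)          echo asf-archive ;;
    *)                                          echo unknown ;;
  esac
}

sha512_of() {
  if command -v sha512sum >/dev/null 2>&1; then sha512sum "$1"
  else shasum -a 512 "$1"; fi | cut -d' ' -f1
}

# verify_artifact FILE SUMFILE [PINNED_HEX]
# 0 = ok, 1 = differs from published .sha512, 2 = differs from pin, 3 = missing
verify_artifact() {
  [ -f "$1" ] && [ -f "$2" ] || return 3
  va_actual=$(sha512_of "$1")
  va_published=$(awk '{print $1; exit}' "$2")   # format: "<hex>  <filename>"
  [ "$va_actual" = "$va_published" ] || return 1
  [ -z "${3:-}" ] || [ "$va_actual" = "$3" ] || return 2
  return 0
}

# Constructed demo data: a stand-in file, not the real ADBC tarball.
demo_dir=$(mktemp -d)
printf 'constructed release contents\n' > "$demo_dir/example.tar.gz"
printf '%s  example.tar.gz\n' "$(sha512_of "$demo_dir/example.tar.gz")" \
  > "$demo_dir/example.tar.gz.sha512"

classify_source_url \
  "https://github.com/apache/arrow-adbc/archive/apache-arrow-adbc-21.tar.gz"
verify_artifact "$demo_dir/example.tar.gz" "$demo_dir/example.tar.gz.sha512" \
  && echo "digest matches published .sha512"
# A digest match says the bytes are the published ones; who published them is
# what the .asc check (gpg --verify, as in the thread) establishes.
```
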
