-1 jhyde PMC I have concerns about Arrow’s release provenance that I have raised in a recent thread [1] and have not been resolved.
Specifically, there does not seem to be a permanent record of the SHA of the RC that people vote on. This creates an opportunity for someone to substitute a bad .tar.gz for the good .tar.gz at some point after the release vote has passed. My concerns were about apache-arrow-adbc-21 but this RC seems to have the same problems. In Calcite, we include the SHA in the vote thread [2] and it is also available in the dist/dev tree [3]. That’s belt-and-suspenders; either is sufficient. Sorry to be a**hole. But this needs to be resolved. Julian [1] https://lists.apache.org/thread/fvfvv4hdkp5fqn2x7wn4wcwxt63yqnq3 [2] https://lists.apache.org/thread/1zdx79dbplx7czbqbo5m8dff5tst5c8y [3] https://dist.apache.org/repos/dist/dev/calcite/apache-calcite-avatica-go-5.2.0-rc0/ > On Feb 11, 2026, at 5:30 AM, Raúl Cumplido <[email protected]> wrote: > > Hi, > > I would like to propose the following release candidate (RC0) of Apache > Arrow version 23.0.1. This is a release consisting of 27 > resolved GitHub issues[1]. > > This release candidate is based on commit: > 82a374e5f3de5b744f26591e6cd96de6349c76d9 [2] > > The source release rc0 is hosted at [3]. > The binary artifacts are hosted at [4][5][6][7][8][9]. > The changelog is located at [10]. > > Please download, verify checksums and signatures, run the unit tests, > and vote on the release. See [11] for how to validate a release candidate. > > See also a verification result on GitHub pull request [12]. > > The vote will be open for at least 72 hours. > > [ ] +1 Release this as Apache Arrow 23.0.1 > [ ] +0 > [ ] -1 Do not release this as Apache Arrow 23.0.1 because... > > [1]: > https://github.com/apache/arrow/issues?q=is%3Aissue+milestone%3A23.0.1+is%3Aclosed > [2]: > https://github.com/apache/arrow/tree/82a374e5f3de5b744f26591e6cd96de6349c76d9 > [3]: https://dist.apache.org/repos/dist/dev/arrow/apache-arrow-23.0.1-rc0 > [4]: https://packages.apache.org/artifactory/arrow/almalinux-rc/ > [5]: https://packages.apache.org/artifactory/arrow/amazon-linux-rc/ > [6]: https://packages.apache.org/artifactory/arrow/centos-rc/ > [7]: https://packages.apache.org/artifactory/arrow/debian-rc/ > [8]: https://packages.apache.org/artifactory/arrow/ubuntu-rc/ > [9]: https://github.com/apache/arrow/releases/tag/apache-arrow-23.0.1-rc0 > [10]: > https://github.com/apache/arrow/blob/82a374e5f3de5b744f26591e6cd96de6349c76d9/CHANGELOG.md > [11]: https://arrow.apache.org/docs/developers/release_verification.html > [12]: https://github.com/apache/arrow/pull/49212
