New thread: https://lists.apache.org/thread/o2mpsf5okhzfz2k4mbg5d4s9ror69587

On Wed, Feb 11, 2026 at 11:26 AM Bryce Mecum <[email protected]> wrote:
>
> Hi Julian, I'm going to start a new thread to discuss the RC
> provenance question.
>
> On Wed, Feb 11, 2026 at 11:22 AM Julian Hyde <[email protected]> wrote:
> >
> > Sorry to persist. But I still don’t have a satisfactory answer to this one:
> >
> > How can you be sure that the SHA of the RC that four people voted on?
> >
> > (In Calcite, every RC is still in the dist/dev tree. E.g. 
> > https://dist.apache.org/repos/dist/dev/calcite/apache-calcite-1.21.0-rc0/. 
> > But I can’t find a similar archive for Arrow.)
> >
> > Julian
> >
> >
> >
> > > On Feb 9, 2026, at 1:43 PM, Julian Hyde <[email protected]> wrote:
> > >
> > > I’ve added some comments to that issue, so let’s continue there.
> > >
> > > If other Arrow components are anything like ADBC, we (the Arrow PMC) have 
> > > some release provenance issues to address. These include integrity of 
> > > release votes, downloads pages providing links to historic releases and 
> > > their hashes, and release announcements that include a permanent link to 
> > > artifacts.
> > >
> > > (If I am overreacting, I apologize. My investigations are hampered by the 
> > > fact that https://archive.apache.org/dist/arrow/ is timing out currently.)
> > >
> > >> On Feb 9, 2026, at 12:01 PM, Bryce Mecum <[email protected]> wrote:
> > >>
> > >> https://arrow.apache.org/adbc/current/driver/installation.html which
> > >> can be traversed to from https://arrow.apache.org. I created [1] to
> > >> address the information gaps on that page.
> > >>
> > >> https://github.com/apache/arrow-adbc/issues/3946
> > >>
> > >> On Mon, Feb 9, 2026 at 11:32 AM Julian Hyde <[email protected]> 
> > >> wrote:
> > >>>
> > >>> What is the downloads page for Arrow ADBC? The Arrow downloads page 
> > >>> only includes Arrow releases, so it looks as if ADBC isn’t complying 
> > >>> with the policy for downloads pages: 
> > >>> https://infra.apache.org/release-download-pages.html#download-page
> > >>>
> > >>>> On Feb 9, 2026, at 11:25 AM, Julian Hyde <[email protected]> 
> > >>>> wrote:
> > >>>>
> > >>>> Re "checksums are linked in the vote thread”. Are any of those 
> > >>>> checksums still available? The one linked by the vote, 
> > >>>> https://dist.apache.org/repos/dist/dev/arrow/apache-arrow-adbc-21-rc0 
> > >>>> appears to be broken.
> > >>>>
> > >>>> To put it another way. Can you prove that the artifact you voted on 
> > >>>> had hash 
> > >>>> 74d9dedd15bce71bfbc5bce00ad1aa91be84623010e2a01e6846343a7acc93e36fb263a08cc8437a9467bf63a2c7aca4b14d413325d5afb96b590408d918b27e.
> > >>>>  If not, we have a provenance problem.
> > >>>>
> > >>>>> On Feb 9, 2026, at 11:02 AM, Bryce Mecum <[email protected]> wrote:
> > >>>>>
> > >>>>> Sorry for any confusion caused, Julian. I didn't mean to imply the
> > >>>>> GitHub URL was the definitive location for the asset and I only linked
> > >>>>> it because I know it's the same artifact as what's uploaded to ASF and
> > >>>>> it was near at hand. I otherwise would've linked to [1].
> > >>>>>
> > >>>>> Re: the potential policy violations, I can put up a PR to add the
> > >>>>> latest closer.lua URL to [2] which may address your first point and,
> > >>>>> for the second point, the checksums are linked in the vote thread so
> > >>>>> everything looks fine there.
> > >>>>>
> > >>>>> [1] 
> > >>>>> https://archive.apache.org/dist/arrow/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz
> > >>>>> [2] https://arrow.apache.org/adbc/current/driver/installation.html
> > >>>>>
> > >>>>> On Mon, Feb 9, 2026 at 10:14 AM Julian Hyde <[email protected]> 
> > >>>>> wrote:
> > >>>>>>
> > >>>>>> Where is the definitive location for the ADBC 21 source tarball? It 
> > >>>>>> should be on ASF infrastructure, not GitHub.com.
> > >>>>>>
> > >>>>>> We may have a couple of policy violations here. The release 
> > >>>>>> announcement for ADBC 21 [1] does not link to any permanent location 
> > >>>>>> for downloads. And the SHA512 for the tarball does not appear 
> > >>>>>> anywhere in the vote thread for the release [2].
> > >>>>>>
> > >>>>>> We should not be trying to construct the provenance of a release 
> > >>>>>> using circumstantial evidence such as "On *Dec 14, 2025 at 7:46 AM 
> > >>>>>> EST*, the SHA512 checksum for that file was …"
> > >>>>>>
> > >>>>>> Julian
> > >>>>>>
> > >>>>>> [1] https://lists.apache.org/thread/dpxqpory5pmd119j85ks7cq9prword9p
> > >>>>>> [2] https://lists.apache.org/thread/mx2bwkbx51hy8robpnqksw93hrqzhtp9
> > >>>>>>
> > >>>>>>> On Feb 9, 2026, at 9:17 AM, Bryce Mecum <[email protected]> 
> > >>>>>>> wrote:
> > >>>>>>>
> > >>>>>>> Hey Rusty,
> > >>>>>>>
> > >>>>>>> I think the URL you shared is the source archive for the git tag and
> > >>>>>>> not the release artifact. If I remember correctly, GitHub has had
> > >>>>>>> issues with checksum stability with those URLs in the past and, 
> > >>>>>>> while
> > >>>>>>> the situation has gotten better, we recommend only using the release
> > >>>>>>> artifacts anyway [1]. If [1] isn't hash stable, let us know.
> > >>>>>>>
> > >>>>>>> [1] 
> > >>>>>>> https://github.com/apache/arrow-adbc/releases/download/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz
> > >>>>>>>
> > >>>>>>> On Mon, Feb 9, 2026 at 7:30 AM Rusty Conover <[email protected]> 
> > >>>>>>> wrote:
> > >>>>>>>>
> > >>>>>>>> Hi Arrow Friends,
> > >>>>>>>>
> > >>>>>>>> Apologies in advance if this is the wrong mailing list or if I’m 
> > >>>>>>>> missing something obvious — but I’ve run into something odd with 
> > >>>>>>>> the `apache-arrow-adbc-21.tar.gz` release artifact.
> > >>>>>>>>
> > >>>>>>>> I’ve been building ADBC via vcpkg as part of my `adbc_scanner` 
> > >>>>>>>> DuckDB extension, using the following source archive:
> > >>>>>>>>
> > >>>>>>>> https://github.com/apache/arrow-adbc/archive/apache-arrow-adbc-21.tar.gz
> > >>>>>>>>
> > >>>>>>>> On *Dec 14, 2025 at 7:46 AM EST*, the SHA512 checksum for that 
> > >>>>>>>> file was:
> > >>>>>>>>
> > >>>>>>>> `74d9dedd15bce71bfbc5bce00ad1aa91be84623010e2a01e6846343a7acc93e36fb263a08cc8437a9467bf63a2c7aca4b14d413325d5afb96b590408d918b27e`
> > >>>>>>>> I know this definitively because that hash is recorded in my vcpkg 
> > >>>>>>>> overlay file, and CI completed successfully at the time.
> > >>>>>>>>
> > >>>>>>>> Since then, however, the SHA512 checksum for the same URL now 
> > >>>>>>>> resolves to:
> > >>>>>>>>
> > >>>>>>>> `2c15c67d12b6b5ceafdd284038bff71136bac24b9aff1791ed0657e0f0a56ca713e641f9d1032918179af6c387762491c022f43d32995f94a749a60c7b91f20b`
> > >>>>>>>> This is currently causing reproducible CI failures on the `v1.4` 
> > >>>>>>>> branch of my extension, which you can see starting here:
> > >>>>>>>>
> > >>>>>>>> https://github.com/Query-farm/adbc_scanner/actions?page=5
> > >>>>>>>>
> > >>>>>>>> Did I miss an announcement, or was the release artifact rebuilt or 
> > >>>>>>>> replaced after the initial publication?
> > >>>>>>>>
> > >>>>>>>> Thanks in advance for any clarification, and sorry again if this 
> > >>>>>>>> is my fault.
> > >>>>>>>>
> > >>>>>>>> Best wishes,
> > >>>>>>>>
> > >>>>>>>> Rusty
> > >>>>>>>> --
> > >>>>>>>> https://query.farm
> > >>>>>>>>
> > >>>>>>
> > >>>>
> > >>>
> > >
> >
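The mismatch Rusty reports (a SHA512 pinned from the git-tag archive URL that later changed) is what a sidecar checksum check exists to catch, and the thread's point is that the value to pin must be the one published next to the release artifact on ASF infrastructure, not whatever a git-tag archive URL served on a given day. The following is an added example, written for this page and not code from the Arrow/ADBC project or from any participant in the thread: it parses a `.sha512` file in either layout seen in ASF dist trees (shasum-style `HASH  filename` or the `gpg --print-md` layout with wrapped hex groups), hashes the tarball in chunks, and reports a mismatch rather than crashing. The tarball bytes, the sidecar contents and the "regenerated" variant are constructed stand-ins; only the artifact name is taken from the thread.

```python
"""Check a release tarball against an ASF-style .sha512 sidecar.

Added example for this discussion; not code from the Arrow/ADBC project or
from anyone in the thread. The artifact name is real, but the bytes, the
sidecar contents and the 'regenerated archive' below are constructed stand-ins.
"""
import hashlib
import hmac
import io
import re

HEX_GROUPS = re.compile(r"^[0-9A-Fa-f ]+$")


def parse_sha512_file(text):
    """Return {filename: lowercase hex digest} from the text of a .sha512 file.

    Handles the two layouts found in ASF dist trees:
      shasum / sha512sum:  '<128 hex>  <filename>'   (or '<hex> *<filename>')
      gpg --print-md:      '<filename>: 74D9 DEDD ...' with the remaining
                           4-char groups on indented continuation lines
    """
    entries = {}
    current = None  # filename whose gpg-style digest is still being collected
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" in line and not HEX_GROUPS.match(line):
            name, _, rest = line.partition(":")
            current = name.strip()
            entries[current] = rest.replace(" ", "").lower()
        elif current is not None and HEX_GROUPS.match(line):
            entries[current] += line.replace(" ", "").lower()
        else:
            current = None
            digest, _, name = line.partition(" ")
            name = name.strip().lstrip("*")  # '*' marks binary mode in shasum output
            if not name:
                raise ValueError(f"malformed checksum line: {raw!r}")
            entries[name] = digest.lower()
    for name, digest in entries.items():
        if not re.fullmatch(r"[0-9a-f]{128}", digest):
            raise ValueError(f"{name}: not a SHA-512 hex digest ({len(digest)} hex chars)")
    return entries


def sha512_of_stream(stream, chunk_size=1 << 20):
    """Hash a binary file object in chunks; large tarballs need not fit in memory."""
    h = hashlib.sha512()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_artifact(stream, filename, sidecar_text):
    """Return (ok, detail).

    ok is True only when the sidecar lists `filename` and the streamed digest
    equals the listed one; a truncated download or a silently regenerated
    archive shows up as a mismatch, not as a crash.
    """
    expected = parse_sha512_file(sidecar_text).get(filename)
    if expected is None:
        return False, f"{filename!r} is not listed in the checksum file"
    actual = sha512_of_stream(stream)
    if not hmac.compare_digest(actual, expected):
        return False, f"SHA-512 mismatch: expected {expected[:16]}..., got {actual[:16]}..."
    return True, actual


def verify_bytes(data, filename, sidecar_text):
    """Convenience wrapper for in-memory data."""
    return verify_artifact(io.BytesIO(data), filename, sidecar_text)


def gpg_print_md_layout(name, digest):
    """Lay a digest out the way `gpg --print-md SHA512 FILE` prints it (used here
    only to build a sample sidecar): 'FILE: ' then upper-case 4-char groups,
    8 per line here, continuation lines indented under the first group."""
    groups = [digest.upper()[i:i + 4] for i in range(0, len(digest), 4)]
    rows = [" ".join(groups[i:i + 8]) for i in range(0, len(groups), 8)]
    return f"{name}: " + ("\n" + " " * (len(name) + 2)).join(rows) + "\n"


# --- constructed sample data -------------------------------------------------
NAME = "apache-arrow-adbc-21.tar.gz"  # real artifact name; bytes below are NOT the real tarball
RELEASED = b"constructed stand-in for the bytes of the voted-on release tarball\n"
# An archive regenerated from a git tag can differ in gzip metadata even when
# the tree inside is identical; model that as a one-byte change.
REGENERATED = RELEASED + b"\x00"
GOOD_DIGEST = hashlib.sha512(RELEASED).hexdigest()
SIDECAR_SHASUM = f"{GOOD_DIGEST}  {NAME}\n"
SIDECAR_GPG = gpg_print_md_layout(NAME, GOOD_DIGEST)

if __name__ == "__main__":
    for label, data, sidecar in [
        ("released + shasum sidecar", RELEASED, SIDECAR_SHASUM),
        ("released + gpg sidecar", RELEASED, SIDECAR_GPG),
        ("regenerated + shasum sidecar", REGENERATED, SIDECAR_SHASUM),
    ]:
        ok, detail = verify_bytes(data, NAME, sidecar)
        print(f"{label}: {'OK' if ok else 'FAIL'} ({detail})")
```

A matching digest proves only that the bytes equal what was published at the location the sidecar came from. ASF release policy also requires a detached `.asc` signature, and `gpg --verify apache-arrow-adbc-21.tar.gz.asc apache-arrow-adbc-21.tar.gz` against the project's KEYS file is the step that ties the bytes to a release manager's key. Both checks assume the sidecar and signature were fetched from the ASF dist or archive tree, which is why the thread cares that the RC directory and the downloads page stay reachable.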
