Thanks for starting this thread, Bryce.

I just voted -1 on the Arrow 23.0.1 RC0 thread, because this needs to be 
resolved.

There does not seem to be a permanent record of the SHA of the RC that people 
vote on. This creates an opportunity for someone to substitute a bad .tar.gz 
for the good .tar.gz at some point after the release vote has passed. My 
concerns were about apache-arrow-adbc-21 but this RC seems to have the same 
problems.

In Calcite, we include the SHA in the vote thread [3] and it is also available 
in the dist/dev tree [4]. That’s belt-and-suspenders; either would be 
sufficient.

A separate issue, less urgent but still important, is that each Arrow component 
needs a downloads page. A single place to find the .sha and .tar.gz of each 
release. The main Arrow component has a downloads page [5] but ADBC only has 
instructions to install the latest driver [6]. As an exercise, try to find the 
.src.gz and .sha of arrow-19.0.1 or arrow-adbc-20 releases. I gave up, mainly 
because archive.apache.org is glacially slow, but 
I was never sure that I was even looking in the right place.

Julian

[3] https://lists.apache.org/thread/1zdx79dbplx7czbqbo5m8dff5tst5c8y
[4] https://dist.apache.org/repos/dist/dev/calcite/apache-calcite-avatica-go-5.2.0-rc0/
[5] https://arrow.apache.org/release/ 
[6] https://arrow.apache.org/adbc/current/driver/installation.html 

> On Feb 11, 2026, at 11:34 AM, Bryce Mecum <[email protected]> wrote:
> 
> In a recent thread on this list [1], Julian Hyde asked a question
> about ADBC release candidate provenance that I don't feel qualified to
> answer so I'm starting a new thread to get more eyeballs.
> 
> The question was,
> 
> "How can you be sure that the SHA of the RC that four people voted on?"
> 
> I'm hoping some other release managers can chime in. I wasn't aware
> that other ASF projects kept their RCs around and had assumed we don't
> keep RCs for Arrow [2] due to file size limitations. Last, the issue
> was pointed out for ADBC but I'm not sure it doesn't apply to other
> Arrow subprojects with their own source trees and releases.
> 
> Thanks,
> Bryce
> 
> [1] https://lists.apache.org/thread/1y29klotc8orvjd71p2trthlxxrvz30j
> [2] https://dist.apache.org/repos/dist/dev/arrow/
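
Added example, not part of either message and not code from Arrow or Calcite: a Python check that a tarball still matches the SHA-512 recorded in the vote email, which is what makes a substitution after the vote detectable. The artifact name, the email layout (`sha512sum`-style "digest, then filename") and the file contents are constructed for illustration.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# "<128 hex>  <filename>" as sha512sum prints it; \s+ also spans a mail client's line wrap.
RECORD = re.compile(r"\b([0-9a-fA-F]{128})\s+\*?(\S+)")

def digests_in_vote(email_text):
    """Map artifact name -> SHA-512 recorded in the vote email ('>' quoting stripped)."""
    body = re.sub(r"(?m)^(?:>[ \t]?)+", "", email_text)
    found = {}
    for digest, name in RECORD.findall(body):
        digest = digest.lower()
        # Two different digests for one name means the record itself is ambiguous.
        if found.setdefault(name, digest) != digest:
            raise ValueError(f"conflicting digests recorded for {name}")
    return found

def sha512_file(path, chunk=1 << 20):
    """Stream the file so large source tarballs are not read into memory at once."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        while block := f.read(chunk):
            h.update(block)
    return h.hexdigest()

def matches_vote(path, email_text):
    """True only if the file's digest equals the one the vote recorded for its name."""
    recorded = digests_in_vote(email_text).get(Path(path).name)
    if recorded is None:
        raise LookupError(f"vote email records no digest for {Path(path).name}")
    return hmac.compare_digest(sha512_file(path), recorded)

def demo():
    """Constructed RC: verify it, overwrite it after the 'vote', verify again."""
    with tempfile.TemporaryDirectory() as d:
        tarball = Path(d) / "example-1.0.0-rc0.tar.gz"  # hypothetical artifact name
        tarball.write_bytes(b"bytes of the release candidate that was voted on")
        vote = f"[VOTE] example 1.0.0 RC0\n\nSHA-512:\n{sha512_file(tarball)}\n  {tarball.name}\n"
        voted = matches_vote(tarball, vote)
        tarball.write_bytes(b"bytes substituted after the vote passed")
        return voted, matches_vote(tarball, vote)

if __name__ == "__main__":
    print(demo())
```

The check is only as durable as the record it reads: it needs the digest to live somewhere the artifact's publisher cannot silently rewrite, such as the archived vote thread.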
