Thanks for starting this thread, Bryce. I just voted -1 on the Arrow 23.0.1 RC0 thread, because this needs to be resolved.
There does not seem to be a permanent record of the SHA of the RC that people vote on. This creates an opportunity for someone to substitute a bad .tar.gz for the good .tar.gz at some point after the release vote has passed. My concerns were about apache-arrow-adbc-21 but this RC seems to have the same problems. In Calcite, we include the SHA in the vote thread [3] and it is also available in the dist/dev tree [4]. That’s belt-and-suspenders; either would be sufficient. A separate issue, less urgent but still important, is that each Arrow component needs a downloads page. A single place to find the .sha and .tar.gz of each release. The main Arrow component has a downloads page [5] but ADBC only has instructions to install the latest driver [6]. As an exercise, try to find the .src.gz and .sha of arrow-19.0.1 or arrow-adbc-20 releases. I gave up, mainly because archive.apache.org <http://archive.apache.org/> is glacially slow, but I was never sure that I was even looking in the right place. Julian [3] https://lists.apache.org/thread/1zdx79dbplx7czbqbo5m8dff5tst5c8y [4] https://dist.apache.org/repos/dist/dev/calcite/apache-calcite-avatica-go-5.2.0-rc0/ [5] https://arrow.apache.org/release/ [6] https://arrow.apache.org/adbc/current/driver/installation.html > On Feb 11, 2026, at 11:34 AM, Bryce Mecum <[email protected]> wrote: > > In a recent thread on this list [1], Julian Hyde asked a question > about ADBC release candidate provenance that I don't feel qualified to > answer so I'm starting a new thread to get more eyeballs. > > The question was, > > "How can you be sure that the SHA of the RC that four people voted on?" > > I'm hoping some other release managers can chime in. I wasn't aware > that other ASF projects kept their RCs around and had assumed we don't > keep RCs for Arrow [2] due to file size limitations. Last, the issue > was pointed out for ADBC but I'm not sure it doesn't apply to other > Arrow subprojects with their own source trees and releases. > > Thanks, > Bryce > > [1] https://lists.apache.org/thread/1y29klotc8orvjd71p2trthlxxrvz30j > [2] https://dist.apache.org/repos/dist/dev/arrow/
