Thanks Julian for raising your concerns and thanks for the prompt response.
I will add the checksum to the next release vote threads as part of the email.
Bryce has already opened an issue to automatically add it to the generated email [1].

Regards,
Raúl

[1] https://github.com/apache/arrow/issues/49248

On Thu, 12 Feb 2026 at 11:12, Raúl Cumplido (<[email protected]>) wrote:
>
> +1 (binding)
>
> I've verified the following:
> TEST_DEFAULT=0 TEST_SOURCE=1 TEST_SOURCE_REPRODUCIBLE=1 TEST_INTEGRATION=0 ./dev/release/verify-release-candidate.sh 23.0.1 0
> TEST_DEFAULT=0 TEST_SOURCE=0 TEST_INTEGRATION=1 ./dev/release/verify-release-candidate.sh 23.0.1 0
> TEST_DEFAULT=0 TEST_BINARY=1 ./dev/release/verify-release-candidate.sh 23.0.1 0
> USE_CONDA=1 TEST_DEFAULT=0 TEST_WHEELS=1 dev/release/verify-release-candidate.sh 23.0.1 0
> TEST_DEFAULT=0 TEST_APT=1 dev/release/verify-release-candidate.sh 23.0.1 0
> TEST_DEFAULT=0 TEST_YUM=1 dev/release/verify-release-candidate.sh 23.0.1 0
>
> Tested on Debian Forky 14.
>
> A non-blocker issue identified on 23.0.0 verification also appears on
> 23.0.1. If we build with both tests and integration enabled the
> integration tests fail.
> The issue can be found here [1], has been solved and will be included
> in 24.0.0. As it was a non-blocker for 23.0.0 I consider it a
> non-blocker for 23.0.1 too.
>
> Regards,
> Raúl
>
> [1] https://github.com/apache/arrow/issues/48862
>
> On Thu, 12 Feb 2026 at 4:58, Ruoxi Sun (<[email protected]>) wrote:
> >
> > +1 (binding)
> >
> > On my M1 Mac, macOS Sequoia Version 15.7.3 (24G419), Apple clang version
> > 17.0.0 (clang-1700.6.3.2), verified cpp:
> >
> > TEST_DEFAULT=0 TEST_CPP=1 ./verify-release-candidate.sh 23.0.1 0
> >
> > Hash bd09adb4feac11fe49d1604f296618866702be610c86e2d513b561d877de6b18 is
> > matching previous votes.
> >
> > *Regards,*
> > *Rossi SUN*
> >
> >
> > On Thu, Feb 12, 2026 at 5:22 AM Julian Hyde <[email protected]> wrote:
> >
> > > Changing my vote:
> > >
> > > +1 jhyde (PMC)
> > >
> > > The hash bd09adb4feac11fe49d1604f296618866702be610c86e2d513b561d877de6b18
> > > matches the .tar.gz and .sha256 files in subversion.
> > >
> > > I see now that Arrow has a practice of deleting RCs from subversion on
> > > release, and releases from subversion on the next release. It’s possible
> > > to find historic artifacts but it requires use of the ’svn’ command-line.
> > >
> > > Please continue to include sha256 in the release email. Verifying releases
> > > is very difficult without it.
> > >
> > > Julian
> > >
> > >
> > > > On Feb 11, 2026, at 12:49 PM, Dewey Dunnington <[email protected]> wrote:
> > > >
> > > > Given that no votes have yet been cast, perhaps we can just clarify now
> > > > that the hash of the RC we're voting on is:
> > > >
> > > > bd09adb4feac11fe49d1604f296618866702be610c86e2d513b561d877de6b18 apache-arrow-23.0.1.tar.gz
> > > >
> > > > ...and include it in future vote threads. I believe previous updates to the
> > > > distribution directories are logged and checked out (e.g., svn log
> > > > https://dist.apache.org/repos/dist/dev/arrow) should there be a question on
> > > > a past release).
> > > >
> > > > Cheers,
> > > >
> > > > -dewey
> > > >
> > > > On Wed, Feb 11, 2026 at 1:36 PM Julian Hyde <[email protected]> wrote:
> > > >
> > > >> -1 jhyde PMC
> > > >>
> > > >> I have concerns about Arrow’s release provenance that I have raised in a
> > > >> recent thread [1] and have not been resolved.
> > > >>
> > > >> Specifically, there does not seem to be a permanent record of the SHA of
> > > >> the RC that people vote on. This creates an opportunity for someone to
> > > >> substitute a bad .tar.gz for the good .tar.gz at some point after the
> > > >> release vote has passed. My concerns were about apache-arrow-adbc-21 but
> > > >> this RC seems to have the same problems.
> > > >>
> > > >> In Calcite, we include the SHA in the vote thread [2] and it is also
> > > >> available in the dist/dev tree [3]. That’s belt-and-suspenders; either is
> > > >> sufficient.
> > > >>
> > > >> Sorry to be a**hole. But this needs to be resolved.
> > > >>
> > > >> Julian
> > > >>
> > > >> [1] https://lists.apache.org/thread/fvfvv4hdkp5fqn2x7wn4wcwxt63yqnq3
> > > >> [2] https://lists.apache.org/thread/1zdx79dbplx7czbqbo5m8dff5tst5c8y
> > > >> [3] https://dist.apache.org/repos/dist/dev/calcite/apache-calcite-avatica-go-5.2.0-rc0/
> > > >>
> > > >>> On Feb 11, 2026, at 5:30 AM, Raúl Cumplido <[email protected]> wrote:
> > > >>>
> > > >>> Hi,
> > > >>>
> > > >>> I would like to propose the following release candidate (RC0) of Apache
> > > >>> Arrow version 23.0.1. This is a release consisting of 27
> > > >>> resolved GitHub issues[1].
> > > >>>
> > > >>> This release candidate is based on commit:
> > > >>> 82a374e5f3de5b744f26591e6cd96de6349c76d9 [2]
> > > >>>
> > > >>> The source release rc0 is hosted at [3].
> > > >>> The binary artifacts are hosted at [4][5][6][7][8][9].
> > > >>> The changelog is located at [10].
> > > >>>
> > > >>> Please download, verify checksums and signatures, run the unit tests,
> > > >>> and vote on the release. See [11] for how to validate a release candidate.
> > > >>>
> > > >>> See also a verification result on GitHub pull request [12].
> > > >>>
> > > >>> The vote will be open for at least 72 hours.
> > > >>>
> > > >>> [ ] +1 Release this as Apache Arrow 23.0.1
> > > >>> [ ] +0
> > > >>> [ ] -1 Do not release this as Apache Arrow 23.0.1 because...
> > > >>>
> > > >>> [1]: https://github.com/apache/arrow/issues?q=is%3Aissue+milestone%3A23.0.1+is%3Aclosed
> > > >>> [2]: https://github.com/apache/arrow/tree/82a374e5f3de5b744f26591e6cd96de6349c76d9
> > > >>> [3]: https://dist.apache.org/repos/dist/dev/arrow/apache-arrow-23.0.1-rc0
> > > >>> [4]: https://packages.apache.org/artifactory/arrow/almalinux-rc/
> > > >>> [5]: https://packages.apache.org/artifactory/arrow/amazon-linux-rc/
> > > >>> [6]: https://packages.apache.org/artifactory/arrow/centos-rc/
> > > >>> [7]: https://packages.apache.org/artifactory/arrow/debian-rc/
> > > >>> [8]: https://packages.apache.org/artifactory/arrow/ubuntu-rc/
> > > >>> [9]: https://github.com/apache/arrow/releases/tag/apache-arrow-23.0.1-rc0
> > > >>> [10]: https://github.com/apache/arrow/blob/82a374e5f3de5b744f26591e6cd96de6349c76d9/CHANGELOG.md
> > > >>> [11]: https://arrow.apache.org/docs/developers/release_verification.html
> > > >>> [12]: https://github.com/apache/arrow/pull/49212
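
Added example, not part of the original thread and not Arrow's or Calcite's release tooling: a check that compares a downloaded artifact with the SHA-256 recorded in the vote thread and with the .sha256 sidecar file. The function names, the sidecar line format (sha256sum style) and the sample bytes are assumptions made for illustration.

```python
import hashlib
import io
import re

HEX64 = re.compile(r"\b[0-9a-f]{64}\b")  # a 40-hex commit id does not match

def pinned_digests(thread_text):
    """Distinct SHA-256 hex digests quoted anywhere in a vote thread."""
    return set(HEX64.findall(thread_text.lower()))

def sidecar_digest(sidecar_text, filename):
    """Digest for filename from 'digest  filename' lines (sha256sum format)."""
    for line in sidecar_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].lstrip("*") == filename:
            return parts[0].lower()
    return None

def sha256_stream(fileobj, chunk=1 << 20):
    """Hash a binary file object without loading it all into memory."""
    h = hashlib.sha256()
    for block in iter(lambda: fileobj.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def verify(artifact, filename, sidecar_text, thread_text):
    """Return (ok, reason); the vote thread is used as the reference record."""
    pinned = pinned_digests(thread_text)
    if len(pinned) != 1:
        return False, f"expected exactly one digest in thread, found {len(pinned)}"
    (expected,) = pinned
    if sha256_stream(artifact) != expected:
        return False, "artifact does not match the digest in the vote thread"
    if sidecar_digest(sidecar_text, filename) != expected:
        return False, "sidecar does not match the digest in the vote thread"
    return True, "artifact, sidecar and vote thread agree"

if __name__ == "__main__":
    # Constructed sample data: stand-in bytes, not a real Arrow tarball.
    name = "apache-arrow-23.0.1.tar.gz"
    good = b"constructed release bytes"
    digest = hashlib.sha256(good).hexdigest()
    thread = f"> > Hash {digest} is\n> > matching previous votes.\n"
    sidecar = f"{digest}  {name}\n"
    print(verify(io.BytesIO(good), name, sidecar, thread))
    # Tarball and sidecar replaced together after the vote.
    bad = good + b"!"
    bad_sidecar = f"{hashlib.sha256(bad).hexdigest()}  {name}\n"
    print(verify(io.BytesIO(bad), name, bad_sidecar, thread))
```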
