https://github.com/apache/calcite/archive/calcite-1.41.0.tar.gz
On Thu, Feb 12, 2026 at 12:33 PM Julian Hyde <[email protected]> wrote:
>
> Really? Compare:
>
> https://github.com/apache/calcite/releases (empty)
> https://github.com/apache/arrow/releases (not empty)
>
>
>
> On Feb 12, 2026, at 12:25 PM, Bryce Mecum <[email protected]> wrote:
> >
> >> If .tar.gz files under github.com/apache/arrow is causing confusion, let’s
> >> remove them.
> >
> > The original confusion was caused by GitHub's user interface and API,
> > neither of which we can change or opt out of. Since the confusion was
> > quickly remedied in this thread, I don't think any further changes are
> > needed.
> >
> > On Thu, Feb 12, 2026 at 11:58 AM Julian Hyde <[email protected]> wrote:
> >>
> >> Source distributions (and more importantly, their .asc and .sha files)
> >> must be on ASF hardware. If .tar.gz files under github.com/apache/arrow is
> >> causing confusion, let’s remove them.
> >>
> >>> On Feb 11, 2026, at 5:08 PM, David Li <[email protected]> wrote:
> >>>
> >>> The GitHub-generated source tarball is not canonical and there is no
> >>> guarantee of its stability from GitHub, as Bryce has pointed out.
> >>> Unfortunately, GitHub does not provide a way to disable this to avoid
> >>> confusion. We upload our own source tarball (as an artifact, so it
> >>> remains stable) along with the GPG signature and SHA512 hash to the
> >>> release. And I will embed the hash into the email as well.
> >>>
> >>> To wit:
> >>>
> >>> https://github.com/apache/arrow-adbc/releases/download/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz
> >>> https://github.com/apache/arrow-adbc/releases/download/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz.asc
> >>> https://github.com/apache/arrow-adbc/releases/download/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz.sha512
> >>>
> >>> lidavidm@Canon ~/Downloads> sha512sum apache-arrow-adbc-21.tar.gz
> >>> ea2a7e066886054f541daaf3294d0fd63372ef1e4a077cf84483dffbed183cc97363665a2ef7bd3ede8378be63d102d2770ca26fca16e9a04adb53eb524012a8
> >>> apache-arrow-adbc-21.tar.gz
> >>> lidavidm@Canon ~/Downloads> cat apache-arrow-adbc-21.tar.gz.sha512
> >>> ea2a7e066886054f541daaf3294d0fd63372ef1e4a077cf84483dffbed183cc97363665a2ef7bd3ede8378be63d102d2770ca26fca16e9a04adb53eb524012a8
> >>> apache-arrow-adbc-21.tar.gz
> >>> lidavidm@Canon ~/Downloads> gpg --verify apache-arrow-adbc-21.tar.gz.asc
> >>> gpg: assuming signed data in 'apache-arrow-adbc-21.tar.gz'
> >>> gpg: Signature made Mon Nov 3 16:09:42 2025 JST
> >>> gpg: using RSA key BE7EF45DBAD38E4EECED390E9CBA4EF977CA20B8
> >>> gpg: Good signature from "David Li (CODE SIGNING KEY)
> >>> <[email protected]>" [ultimate]
> >>>
> >>> On Thu, Feb 12, 2026, at 06:27, Julian Hyde wrote:
> >>>> For what it's worth, the sha512 (retrieved from the svn log of
> >>>> https://dist.apache.org/repos/dist/release/arrow/) is as follows.
> >>>>
> >>>> Index: apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz.sha512 > >>>> =================================================================== > >>>> --- apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz.sha512 > >>>> (nonexistent) > >>>> +++ apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz.sha512 > >>>> (revision 80550) 
> >>>> @@ -0,0 +1 @@ > >>>> +ea2a7e066886054f541daaf3294d0fd63372ef1e4a077cf84483dffbed183cc97363665a2ef7bd3ede8378be63d102d2770ca26fca16e9a04adb53eb524012a8 > >>>> apache-arrow-adbc-21.tar.gz
> >>>>
> >>>>
> >>>>
> >>>>> On Feb 11, 2026, at 11:36 AM, Bryce Mecum <[email protected]> wrote:
> >>>>>
> >>>>> New thread:
> >>>>> https://lists.apache.org/thread/o2mpsf5okhzfz2k4mbg5d4s9ror69587
> >>>>>
> >>>>> On Wed, Feb 11, 2026 at 11:26 AM Bryce Mecum <[email protected]>
> >>>>> wrote:
> >>>>>>
> >>>>>> Hi Julian, I'm going to start a new thread to discuss the RC
> >>>>>> provenance question.
> >>>>>>
> >>>>>> On Wed, Feb 11, 2026 at 11:22 AM Julian Hyde <[email protected]>
> >>>>>> wrote:
> >>>>>>>
> >>>>>>> Sorry to persist. But I still don’t have a satisfactory answer to
> >>>>>>> this one:
> >>>>>>>
> >>>>>>> How can you be sure that the SHA of the RC that four people voted on?
> >>>>>>>
> >>>>>>> (In Calcite, every RC is still in the dist/dev tree. E.g.
> >>>>>>> https://dist.apache.org/repos/dist/dev/calcite/apache-calcite-1.21.0-rc0/.
> >>>>>>> But I can’t find a similar archive for Arrow.)
> >>>>>>>
> >>>>>>> Julian
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>> On Feb 9, 2026, at 1:43 PM, Julian Hyde <[email protected]>
> >>>>>>>> wrote:
> >>>>>>>>
> >>>>>>>> I’ve added some comments to that issue, so let’s continue there.
> >>>>>>>>
> >>>>>>>> If other Arrow components are anything like ADBC, we (the Arrow PMC)
> >>>>>>>> have some release provenance issues to address. These include
> >>>>>>>> integrity of release votes, downloads pages providing links to
> >>>>>>>> historic releases and their hashes, and release announcements that
> >>>>>>>> include a permanent link to artifacts.
> >>>>>>>>
> >>>>>>>> (If I am overreacting, I apologize. My investigations are hampered
> >>>>>>>> by the fact that https://archive.apache.org/dist/arrow/ is timing
> >>>>>>>> out currently.)
> >>>>>>>>
> >>>>>>>>> On Feb 9, 2026, at 12:01 PM, Bryce Mecum <[email protected]>
> >>>>>>>>> wrote:
> >>>>>>>>>
> >>>>>>>>> https://arrow.apache.org/adbc/current/driver/installation.html which
> >>>>>>>>> can be traversed to from https://arrow.apache.org. I created [1] to
> >>>>>>>>> address the information gaps on that page.
> >>>>>>>>>
> >>>>>>>>> https://github.com/apache/arrow-adbc/issues/3946
> >>>>>>>>>
> >>>>>>>>> On Mon, Feb 9, 2026 at 11:32 AM Julian Hyde
> >>>>>>>>> <[email protected]> wrote:
> >>>>>>>>>>
> >>>>>>>>>> What is the downloads page for Arrow ADBC? The Arrow downloads
> >>>>>>>>>> page only includes Arrow releases, so it looks as if ADBC isn’t
> >>>>>>>>>> complying with the policy for downloads pages:
> >>>>>>>>>> https://infra.apache.org/release-download-pages.html#download-page
> >>>>>>>>>>
> >>>>>>>>>>> On Feb 9, 2026, at 11:25 AM, Julian Hyde <[email protected]>
> >>>>>>>>>>> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>> Re "checksums are linked in the vote thread”. Are any of those
> >>>>>>>>>>> checksums still available? The linked by the vote,
> >>>>>>>>>>> https://dist.apache.org/repos/dist/dev/arrow/apache-arrow-adbc-21-rc0
> >>>>>>>>>>> appears to be broken.
> >>>>>>>>>>>
> >>>>>>>>>>> To put it another way. Can you prove that the artifact you voted
> >>>>>>>>>>> on had hash
> >>>>>>>>>>> 74d9dedd15bce71bfbc5bce00ad1aa91be84623010e2a01e6846343a7acc93e36fb263a08cc8437a9467bf63a2c7aca4b14d413325d5afb96b590408d918b27e.
> >>>>>>>>>>> If not, we have a provenance problem.
> >>>>>>>>>>>
> >>>>>>>>>>>> On Feb 9, 2026, at 11:02 AM, Bryce Mecum <[email protected]>
> >>>>>>>>>>>> wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>> Sorry for any confusion caused, Julian. I didn't mean to imply
> >>>>>>>>>>>> the
> >>>>>>>>>>>> GitHub URL was the definitive location for the asset and I only
> >>>>>>>>>>>> linked
> >>>>>>>>>>>> it because I know it's the same artifact as what's uploaded to
> >>>>>>>>>>>> ASF and
> >>>>>>>>>>>> it was near at hand. I otherwise would've linked to [1].
> >>>>>>>>>>>>
> >>>>>>>>>>>> Re: the potential policy violations, I can put up a PR to add the
> >>>>>>>>>>>> latest closer.lua URL to [2] which may address your first point
> >>>>>>>>>>>> and,
> >>>>>>>>>>>> for the second point, the checksums are linked in the vote
> >>>>>>>>>>>> thread so
> >>>>>>>>>>>> everything looks fine there.
> >>>>>>>>>>>>
> >>>>>>>>>>>> [1]
> >>>>>>>>>>>> https://archive.apache.org/dist/arrow/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz
> >>>>>>>>>>>> [2]
> >>>>>>>>>>>> https://arrow.apache.org/adbc/current/driver/installation.html
> >>>>>>>>>>>>
> >>>>>>>>>>>> On Mon, Feb 9, 2026 at 10:14 AM Julian Hyde
> >>>>>>>>>>>> <[email protected]> wrote:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Where is the definitive location for the ADBC 21 source
> >>>>>>>>>>>>> tarball? It should be on ASF infrastructure, not GitHub.com
> >>>>>>>>>>>>> <http://github.com/>.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> We may have a couple of policy violations here. The release
> >>>>>>>>>>>>> announcement for ADBC 21 [1] does not link to any permanent
> >>>>>>>>>>>>> location for downloads. And the SHA512 for the tarball does not
> >>>>>>>>>>>>> appear anywhere in the vote thread for the release [2].
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> We should not be trying to construct the provenance of a
> >>>>>>>>>>>>> release using circumstantial evidence such as "On *Dec 14, 2025
> >>>>>>>>>>>>> at 7:46 AM EST*, the SHA512 checksum for that file was …"
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Julian
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> [1]
> >>>>>>>>>>>>> https://lists.apache.org/thread/dpxqpory5pmd119j85ks7cq9prword9p
> >>>>>>>>>>>>> [2]
> >>>>>>>>>>>>> https://lists.apache.org/thread/mx2bwkbx51hy8robpnqksw93hrqzhtp9
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>> On Feb 9, 2026, at 9:17 AM, Bryce Mecum <[email protected]>
> >>>>>>>>>>>>>> wrote:
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Hey Rusty,
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> I think the URL you shared is the source archive for the git
> >>>>>>>>>>>>>> tag and
> >>>>>>>>>>>>>> not the release artifact. If I remember correctly, GitHub has
> >>>>>>>>>>>>>> had
> >>>>>>>>>>>>>> issues with checksum stability with those URLs in the past
> >>>>>>>>>>>>>> and, while
> >>>>>>>>>>>>>> the situation has gotten better, we recommend only using the
> >>>>>>>>>>>>>> release
> >>>>>>>>>>>>>> artifacts anyway [1]. If [1] isn't hash stable, let us know.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> [1]
> >>>>>>>>>>>>>> https://github.com/apache/arrow-adbc/releases/download/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> On Mon, Feb 9, 2026 at 7:30 AM Rusty Conover
> >>>>>>>>>>>>>> <[email protected]> wrote:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Hi Arrow Friends,
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Apologies in advance if this is the wrong mailing list or if
> >>>>>>>>>>>>>>> I’m missing something obvious — but I’ve run into something
> >>>>>>>>>>>>>>> odd with the `apache-arrow-adbc-21.tar.gz` release artifact.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> I’ve been building ADBC via vcpkg as part of my
> >>>>>>>>>>>>>>> `adbc_scanner` DuckDB extension, using the following source
> >>>>>>>>>>>>>>> archive:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> https://github.com/apache/arrow-adbc/archive/apache-arrow-adbc-21.tar.gz
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> On *Dec 14, 2025 at 7:46 AM EST*, the SHA512 checksum for
> >>>>>>>>>>>>>>> that file was:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> `74d9dedd15bce71bfbc5bce00ad1aa91be84623010e2a01e6846343a7acc93e36fb263a08cc8437a9467bf63a2c7aca4b14d413325d5afb96b590408d918b27e
> >>>>>>>>>>>>>>> `
> >>>>>>>>>>>>>>> I know this definitively because that hash is recorded in my
> >>>>>>>>>>>>>>> vcpkg overlay file, and CI completed successfully at the time.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Since then, however, the SHA512 checksum for the same URL now
> >>>>>>>>>>>>>>> resolves to:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> `2c15c67d12b6b5ceafdd284038bff71136bac24b9aff1791ed0657e0f0a56ca713e641f9d1032918179af6c387762491c022f43d32995f94a749a60c7b91f20b
> >>>>>>>>>>>>>>> `
> >>>>>>>>>>>>>>> This is currently causing reproducible CI failures on the
> >>>>>>>>>>>>>>> `v1.4` branch of my extension, which you can see starting
> >>>>>>>>>>>>>>> here:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> https://github.com/Query-farm/adbc_scanner/actions?page=5
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Did I miss an announcement, or was the release artifact
> >>>>>>>>>>>>>>> rebuilt or replaced after the initial publication?
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Thanks in advance for any clarification, and sorry again if
> >>>>>>>>>>>>>>> this is my fault.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Best wishes,
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Rusty
> >>>>>>>>>>>>>>> --
> >>>>>>>>>>>>>>> https://query.farm
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>
>
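
Added example, not part of the thread and not code from any Apache project: a check a downstream packager could run over pinned source URLs and checksum files. It separates GitHub's generated `/archive/` tarballs from uploaded release assets and ASF-hosted files, then compares downloaded bytes with a `.sha512` file, including the mail-wrapped form quoted above. The function names, the `ASF_HOSTS` allow-list and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import re
from urllib.parse import urlparse

# ASF hosts named in the thread (assumed allow-list; extend for your policy).
ASF_HOSTS = {"dist.apache.org", "archive.apache.org"}
# /<owner>/<repo>/archive/...: tarball GitHub generates on demand from a git ref.
GENERATED = re.compile(r"^/[^/]+/[^/]+/archive/")
# /<owner>/<repo>/releases/download/...: file a maintainer uploaded to a release.
UPLOADED = re.compile(r"^/[^/]+/[^/]+/releases/download/")


def classify_source_url(url: str) -> str:
    """Label a pinned source URL by where its bytes come from."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if host in ASF_HOSTS:
        return "asf"
    if host == "github.com" and GENERATED.match(parts.path):
        return "github-generated"
    if host == "github.com" and UPLOADED.match(parts.path):
        return "github-release-asset"
    return "other"


def digest_from_sha512_file(text: str, filename: str) -> str:
    """Return the digest recorded for filename in sha512sum-style text."""
    # Work on whitespace-separated tokens so a digest wrapped onto its own line still pairs up.
    tokens = text.split()
    for digest, name in zip(tokens, tokens[1:]):
        if name.lstrip("*") == filename and re.fullmatch(r"[0-9a-fA-F]{128}", digest):
            return digest.lower()
    raise ValueError(f"no SHA-512 entry for {filename}")


def matches_published_hash(data: bytes, sha512_text: str, filename: str) -> bool:
    """Compare the bytes actually downloaded with the published checksum file."""
    expected = digest_from_sha512_file(sha512_text, filename)
    return hmac.compare_digest(hashlib.sha512(data).hexdigest(), expected)


if __name__ == "__main__":
    blob = b"constructed stand-in for a source tarball"  # constructed sample
    published = hashlib.sha512(blob).hexdigest() + "  sample.tar.gz\n"
    url = "https://github.com/apache/arrow-adbc/archive/apache-arrow-adbc-21.tar.gz"
    print(classify_source_url(url))
    print(matches_published_hash(blob, published, "sample.tar.gz"))
```

A pin classified as `github-generated` is the case to flag in a build manifest, since the thread notes GitHub gives no stability guarantee for those bytes.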
