To give visibility to anyone looking at the thread and to not convey a biased message. It is not that Arrow is doing something extremely different than what other Apache projects are doing, to list a few that also have non-empty releases:

https://github.com/apache/airflow/releases
https://github.com/apache/iceberg/releases
https://github.com/apache/beam/releases
https://github.com/apache/druid/releases
https://github.com/apache/hamilton/releases
https://github.com/apache/hbase/releases
https://github.com/apache/doris/releases
https://github.com/apache/sedona/releases

Calcite might have an empty releases page but lots of other Apache projects have a populated releases page.

On Thu, Feb 12, 2026 at 23:53, Julian Hyde (<[email protected]>) wrote:
>
> OK, you got me. I presume that GitHub creates this file automatically because
> there is a tag 'calcite-1.41.0’. In Calcite we have endeavored to counter the
> perception that there are releases on GitHub. Because, for the ASF, a release
> is a legal act, not merely the result of someone typing ‘git tag’ and then
> ‘git push’. I agree with you that it is hard to stay GitHub’s hand.
>
> > On Feb 12, 2026, at 12:38 PM, Bryce Mecum <[email protected]> wrote:
> >
> > https://github.com/apache/calcite/archive/calcite-1.41.0.tar.gz
> >
> > On Thu, Feb 12, 2026 at 12:33 PM Julian Hyde <[email protected]> wrote:
> >>
> >> Really? Compare:
> >>
> >> https://github.com/apache/calcite/releases (empty)
> >> https://github.com/apache/arrow/releases (not empty)
> >>
> >>
> >>> On Feb 12, 2026, at 12:25 PM, Bryce Mecum <[email protected]> wrote:
> >>>
> >>>> If .tar.gz files under github.com/apache/arrow is causing confusion,
> >>>> let’s remove them.
> >>>
> >>> The original confusion was caused by GitHub's user interface and API,
> >>> neither of which we can change or opt out of. Since the confusion was
> >>> quickly remedied in this thread, I don't think any further changes are
> >>> needed.
> >>>
> >>> On Thu, Feb 12, 2026 at 11:58 AM Julian Hyde <[email protected]>
> >>> wrote:
> >>>>
> >>>> Source distributions (and more importantly, their .asc and .sha files)
> >>>> must be on ASF hardware. If .tar.gz files under github.com/apache/arrow
> >>>> is causing confusion, let’s remove them.
> >>>>
> >>>>> On Feb 11, 2026, at 5:08 PM, David Li <[email protected]> wrote:
> >>>>>
> >>>>> The GitHub-generated source tarball is not canonical and there is no
> >>>>> guarantee of its stability from GitHub, as Bryce has pointed out.
> >>>>> Unfortunately, GitHub does not provide a way to disable this to avoid
> >>>>> confusion. We upload our own source tarball (as an artifact, so it
> >>>>> remains stable) along with the GPG signature and SHA512 hash to the
> >>>>> release. And I will embed the hash into the email as well.
> >>>>>
> >>>>> To wit:
> >>>>>
> >>>>> https://github.com/apache/arrow-adbc/releases/download/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz
> >>>>> https://github.com/apache/arrow-adbc/releases/download/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz.asc
> >>>>> https://github.com/apache/arrow-adbc/releases/download/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz.sha512
> >>>>>
> >>>>> lidavidm@Canon ~/Downloads> sha512sum apache-arrow-adbc-21.tar.gz
> >>>>> ea2a7e066886054f541daaf3294d0fd63372ef1e4a077cf84483dffbed183cc97363665a2ef7bd3ede8378be63d102d2770ca26fca16e9a04adb53eb524012a8
> >>>>> apache-arrow-adbc-21.tar.gz
> >>>>> lidavidm@Canon ~/Downloads> cat apache-arrow-adbc-21.tar.gz.sha512
> >>>>> ea2a7e066886054f541daaf3294d0fd63372ef1e4a077cf84483dffbed183cc97363665a2ef7bd3ede8378be63d102d2770ca26fca16e9a04adb53eb524012a8
> >>>>> apache-arrow-adbc-21.tar.gz
> >>>>> lidavidm@Canon ~/Downloads> gpg --verify apache-arrow-adbc-21.tar.gz.asc
> >>>>> gpg: assuming signed data in 'apache-arrow-adbc-21.tar.gz'
> >>>>> gpg: Signature made Mon Nov 3 16:09:42 2025 JST
> >>>>> gpg: using RSA key
> >>>>> BE7EF45DBAD38E4EECED390E9CBA4EF977CA20B8
> >>>>> gpg: Good signature from "David Li (CODE SIGNING KEY)
> >>>>> <[email protected]>" [ultimate]
> >>>>>
> >>>>> On Thu, Feb 12, 2026, at 06:27, Julian Hyde wrote:
> >>>>>> For what it's worth, the sha512 (retrieved from the svn log of
> >>>>>> https://dist.apache.org/repos/dist/release/arrow/) is as follows.
> >>>>>> > >>>>>> Index: apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz.sha512 > >>>>>> =================================================================== > >>>>>> --- apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz.sha512 > >>>>>> (nonexistent) > >>>>>> +++ apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz.sha512 > >>>>>> (revision 80550) 
> >>>>>> @@ -0,0 +1 @@ > >>>>>> +ea2a7e066886054f541daaf3294d0fd63372ef1e4a077cf84483dffbed183cc97363665a2ef7bd3ede8378be63d102d2770ca26fca16e9a04adb53eb524012a8 > >>>>>> apache-arrow-adbc-21.tar.gz > >>>>>> > >>>>>> > >>>>>> > >>>>>>> On Feb 11, 2026, at 11:36 AM, Bryce Mecum <[email protected]> > >>>>>>> wrote: > >>>>>>> > >>>>>>> New thread: > >>>>>>> https://lists.apache.org/thread/o2mpsf5okhzfz2k4mbg5d4s9ror69587 > >>>>>>> > >>>>>>> On Wed, Feb 11, 2026 at 11:26 AM Bryce Mecum <[email protected]> > >>>>>>> wrote: > >>>>>>>> > >>>>>>>> Hi Julian, I'm going to start a new thread to discuss the RC > >>>>>>>> provenance question. > >>>>>>>> > >>>>>>>> On Wed, Feb 11, 2026 at 11:22 AM Julian Hyde > >>>>>>>> <[email protected]> wrote: > >>>>>>>>> > >>>>>>>>> Sorry to persist. But I still don’t have a satisfactory answer to > >>>>>>>>> this one: > >>>>>>>>> > >>>>>>>>> How can you be sure that the SHA of the RC that four people voted > >>>>>>>>> on? > >>>>>>>>> > >>>>>>>>> (In Calcite, every RC is still in the dist/dev tree. E.g. > >>>>>>>>> https://dist.apache.org/repos/dist/dev/calcite/apache-calcite-1.21.0-rc0/. > >>>>>>>>> But I can’t find a similar archive for Arrow.) > >>>>>>>>> > >>>>>>>>> Julian > >>>>>>>>> > >>>>>>>>> > >>>>>>>>> > >>>>>>>>>> On Feb 9, 2026, at 1:43 PM, Julian Hyde <[email protected]> > >>>>>>>>>> wrote: > >>>>>>>>>> > >>>>>>>>>> I’ve added some comments to that issue, so let’s continue there. > >>>>>>>>>> > >>>>>>>>>> If other Arrow components are anything like ADBC, we (the Arrow > >>>>>>>>>> PMC) have some release provenance issues to address. These include > >>>>>>>>>> integrity of release votes, downloads pages providing links to > >>>>>>>>>> historic releases and their hashes, and release announcements that > >>>>>>>>>> include a permanent link to artifacts. > >>>>>>>>>> > >>>>>>>>>> (If I am overreacting, I apologize. 
My investigations are hampered
> >>>>>>>>>> by the fact that https://archive.apache.org/dist/arrow/ is timing
> >>>>>>>>>> out currently.)
> >>>>>>>>>>
> >>>>>>>>>>> On Feb 9, 2026, at 12:01 PM, Bryce Mecum <[email protected]>
> >>>>>>>>>>> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>> https://arrow.apache.org/adbc/current/driver/installation.html
> >>>>>>>>>>> which
> >>>>>>>>>>> can be traversed to from https://arrow.apache.org. I created [1]
> >>>>>>>>>>> to
> >>>>>>>>>>> address the information gaps on that page.
> >>>>>>>>>>>
> >>>>>>>>>>> https://github.com/apache/arrow-adbc/issues/3946
> >>>>>>>>>>>
> >>>>>>>>>>> On Mon, Feb 9, 2026 at 11:32 AM Julian Hyde
> >>>>>>>>>>> <[email protected]> wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>> What is the downloads page for Arrow ADBC? The Arrow downloads
> >>>>>>>>>>>> page only includes Arrow releases, so it looks as if ADBC isn’t
> >>>>>>>>>>>> complying with the policy for downloads pages:
> >>>>>>>>>>>> https://infra.apache.org/release-download-pages.html#download-page
> >>>>>>>>>>>>
> >>>>>>>>>>>>> On Feb 9, 2026, at 11:25 AM, Julian Hyde
> >>>>>>>>>>>>> <[email protected]> wrote:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Re "checksums are linked in the vote thread”. Are any of those
> >>>>>>>>>>>>> checksums still available? The linked by the vote,
> >>>>>>>>>>>>> https://dist.apache.org/repos/dist/dev/arrow/apache-arrow-adbc-21-rc0
> >>>>>>>>>>>>> appears to be broken.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> To put it another way. Can you prove that the artifact you
> >>>>>>>>>>>>> voted on had hash
> >>>>>>>>>>>>> 74d9dedd15bce71bfbc5bce00ad1aa91be84623010e2a01e6846343a7acc93e36fb263a08cc8437a9467bf63a2c7aca4b14d413325d5afb96b590408d918b27e.
> >>>>>>>>>>>>> If not, we have a provenance problem.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>> On Feb 9, 2026, at 11:02 AM, Bryce Mecum
> >>>>>>>>>>>>>> <[email protected]> wrote:
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Sorry for any confusion caused, Julian. I didn't mean to imply
> >>>>>>>>>>>>>> the
> >>>>>>>>>>>>>> GitHub URL was the definitive location for the asset and I
> >>>>>>>>>>>>>> only linked
> >>>>>>>>>>>>>> it because I know it's the same artifact as what's uploaded to
> >>>>>>>>>>>>>> ASF and
> >>>>>>>>>>>>>> it was near at hand. I otherwise would've linked to [1].
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Re: the potential policy violations, I can put up a PR to add
> >>>>>>>>>>>>>> the
> >>>>>>>>>>>>>> latest closer.lua URL to [2] which may address your first
> >>>>>>>>>>>>>> point and,
> >>>>>>>>>>>>>> for the second point, the checksums are linked in the vote
> >>>>>>>>>>>>>> thread so
> >>>>>>>>>>>>>> everything looks fine there.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> [1]
> >>>>>>>>>>>>>> https://archive.apache.org/dist/arrow/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz
> >>>>>>>>>>>>>> [2]
> >>>>>>>>>>>>>> https://arrow.apache.org/adbc/current/driver/installation.html
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> On Mon, Feb 9, 2026 at 10:14 AM Julian Hyde
> >>>>>>>>>>>>>> <[email protected]> wrote:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Where is the definitive location for the ADBC 21 source
> >>>>>>>>>>>>>>> tarball? It should be on ASF infrastructure, not GitHub.com
> >>>>>>>>>>>>>>> <http://github.com/>.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> We may have a couple of policy violations here. The release
> >>>>>>>>>>>>>>> announcement for ADBC 21 [1] does not link to any permanent
> >>>>>>>>>>>>>>> location for downloads. And the SHA512 for the tarball does
> >>>>>>>>>>>>>>> not appear anywhere in the vote thread for the release [2].
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> We should not be trying to construct the provenance of a
> >>>>>>>>>>>>>>> release using circumstantial evidence such as "On *Dec 14,
> >>>>>>>>>>>>>>> 2025 at 7:46 AM EST*, the SHA512 checksum for that file was …"
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Julian
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> [1]
> >>>>>>>>>>>>>>> https://lists.apache.org/thread/dpxqpory5pmd119j85ks7cq9prword9p
> >>>>>>>>>>>>>>> [2]
> >>>>>>>>>>>>>>> https://lists.apache.org/thread/mx2bwkbx51hy8robpnqksw93hrqzhtp9
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> On Feb 9, 2026, at 9:17 AM, Bryce Mecum
> >>>>>>>>>>>>>>>> <[email protected]> wrote:
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> Hey Rusty,
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> I think the URL you shared is the source archive for the git
> >>>>>>>>>>>>>>>> tag and
> >>>>>>>>>>>>>>>> not the release artifact. If I remember correctly, GitHub
> >>>>>>>>>>>>>>>> has had
> >>>>>>>>>>>>>>>> issues with checksum stability with those URLs in the past
> >>>>>>>>>>>>>>>> and, while
> >>>>>>>>>>>>>>>> the situation has gotten better, we recommend only using the
> >>>>>>>>>>>>>>>> release
> >>>>>>>>>>>>>>>> artifacts anyway [1]. If [1] isn't hash stable, let us know.
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> [1]
> >>>>>>>>>>>>>>>> https://github.com/apache/arrow-adbc/releases/download/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> On Mon, Feb 9, 2026 at 7:30 AM Rusty Conover
> >>>>>>>>>>>>>>>> <[email protected]> wrote:
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Hi Arrow Friends,
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Apologies in advance if this is the wrong mailing list or
> >>>>>>>>>>>>>>>>> if I’m missing something obvious — but I’ve run into
> >>>>>>>>>>>>>>>>> something odd with the `apache-arrow-adbc-21.tar.gz`
> >>>>>>>>>>>>>>>>> release artifact.
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> I’ve been building ADBC via vcpkg as part of my
> >>>>>>>>>>>>>>>>> `adbc_scanner` DuckDB extension, using the following source
> >>>>>>>>>>>>>>>>> archive:
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> https://github.com/apache/arrow-adbc/archive/apache-arrow-adbc-21.tar.gz
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> On *Dec 14, 2025 at 7:46 AM EST*, the SHA512 checksum for
> >>>>>>>>>>>>>>>>> that file was:
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> `74d9dedd15bce71bfbc5bce00ad1aa91be84623010e2a01e6846343a7acc93e36fb263a08cc8437a9467bf63a2c7aca4b14d413325d5afb96b590408d918b27e
> >>>>>>>>>>>>>>>>> `
> >>>>>>>>>>>>>>>>> I know this definitively because that hash is recorded in
> >>>>>>>>>>>>>>>>> my vcpkg overlay file, and CI completed successfully at the
> >>>>>>>>>>>>>>>>> time.
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Since then, however, the SHA512 checksum for the same URL
> >>>>>>>>>>>>>>>>> now resolves to:
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> `2c15c67d12b6b5ceafdd284038bff71136bac24b9aff1791ed0657e0f0a56ca713e641f9d1032918179af6c387762491c022f43d32995f94a749a60c7b91f20b
> >>>>>>>>>>>>>>>>> `
> >>>>>>>>>>>>>>>>> This is currently causing reproducible CI failures on the
> >>>>>>>>>>>>>>>>> `v1.4` branch of my extension, which you can see starting
> >>>>>>>>>>>>>>>>> here:
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> https://github.com/Query-farm/adbc_scanner/actions?page=5
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Did I miss an announcement, or was the release artifact
> >>>>>>>>>>>>>>>>> rebuilt or replaced after the initial publication?
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Thanks in advance for any clarification, and sorry again if
> >>>>>>>>>>>>>>>>> this is my fault.
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Best wishes,
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Rusty
> >>>>>>>>>>>>>>>>> --
> >>>>>>>>>>>>>>>>> https://query.farm
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>
> >>>>
> >>
>
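
Review bot: nothing in the "@@ -0,0 +1 @@" hunk of apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz.sha512 (the quoted svn diff, revision 80550) ties the added digest to the release candidate that was voted on, because the old side of the file is "(nonexistent)" and the diff offers no earlier revision to compare with. Keep the candidate's .sha512 in the dist/dev tree, or quote the digest in the vote email, so that this one-line addition can be checked against a value recorded at vote time.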
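
The distinction the thread draws between GitHub's generated tag archive and the uploaded release artifact, as an added example that is not part of the original thread or of the Arrow project's tooling: a pin check that refuses generated /archive/ URLs and compares a local file with its sha512sum-style checksum file. The ASF host allowlist, the function names and the sample input are assumptions of this example.

```python
import hashlib
from urllib.parse import urlparse

ASF_HOSTS = {"dist.apache.org", "archive.apache.org", "downloads.apache.org"}  # assumed allowlist

def classify_source(url):
    """Classify a tarball URL by who produced the bytes behind it."""
    u = urlparse(url)
    parts = [p for p in u.path.split("/") if p]
    if u.hostname in ASF_HOSTS:
        return "asf"
    if u.hostname == "github.com" and len(parts) > 3:
        if parts[2] == "archive":                   # generated by GitHub from the tag
            return "github-generated-archive"
        if parts[2:4] == ["releases", "download"]:  # file uploaded by the project
            return "github-release-asset"
    return "unknown"

def parse_checksum_file(text, filename):
    """Return filename's digest from sha512sum-style text: '<hex>  <name>'."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[1].lstrip("*") == filename:
            digest = fields[0].lower()
            if len(digest) != 128 or set(digest) - set("0123456789abcdef"):
                raise ValueError("entry is not a SHA-512 hex digest")
            return digest
    raise ValueError("no entry for " + filename)

def sha512_of(path):
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def check_pin(url, local_path, checksum_text):
    """Return (ok, reason) for pinning local_path as downloaded from url."""
    kind = classify_source(url)
    if kind == "github-generated-archive":
        return False, "generated archive: bytes may change, pin the uploaded artifact"
    name = urlparse(url).path.rsplit("/", 1)[-1]
    ok = parse_checksum_file(checksum_text, name) == sha512_of(local_path)
    return ok, kind + (": digest matches" if ok else ": digest mismatch")

if __name__ == "__main__":
    # Stand-in for a downloaded tarball: this script itself (constructed input).
    sums = sha512_of(__file__) + "  apache-arrow-adbc-21.tar.gz\n"
    base = "https://github.com/apache/arrow-adbc/"
    print(check_pin(base + "archive/apache-arrow-adbc-21.tar.gz", __file__, sums))
```

A matching digest only shows that the file equals what the checksum file describes; the gpg --verify step quoted in the thread is what ties the file to a signer.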
