Where is the definitive location for the ADBC 21 source tarball? It should be on ASF infrastructure, not GitHub.com <http://github.com/>.
We may have a couple of policy violations here. The release announcement for ADBC 21 [1] does not link to any permanent location for downloads. And the SHA512 for the tarball does not appear anywhere in the vote thread for the release [2]. We should not be trying to construct the provenance of a release using circumstantial evidence such as "On *Dec 14, 2025 at 7:46 AM EST*, the SHA512 checksum for that file was …" Julian [1] https://lists.apache.org/thread/dpxqpory5pmd119j85ks7cq9prword9p [2] https://lists.apache.org/thread/mx2bwkbx51hy8robpnqksw93hrqzhtp9 > On Feb 9, 2026, at 9:17 AM, Bryce Mecum <[email protected]> wrote: > > Hey Rusty, > > I think the URL you shared is the source archive for the git tag and > not the release artifact. If I remember correctly, GitHub has had > issues with checksum stability with those URLs in the past and, while > the situation has gotten better, we recommend only using the release > artifacts anyway [1]. If [1] isn't hash stable, let us know. > > [1] > https://github.com/apache/arrow-adbc/releases/download/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz > > On Mon, Feb 9, 2026 at 7:30 AM Rusty Conover <[email protected]> wrote: >> >> Hi Arrow Friends, >> >> Apologies in advance if this is the wrong mailing list or if I’m missing >> something obvious — but I’ve run into something odd with the >> `apache-arrow-adbc-21.tar.gz` release artifact. >> >> I’ve been building ADBC via vcpkg as part of my `adbc_scanner` DuckDB >> extension, using the following source archive: >> >> https://github.com/apache/arrow-adbc/archive/apache-arrow-adbc-21.tar.gz >> >> On *Dec 14, 2025 at 7:46 AM EST*, the SHA512 checksum for that file was: >> >> `74d9dedd15bce71bfbc5bce00ad1aa91be84623010e2a01e6846343a7acc93e36fb263a08cc8437a9467bf63a2c7aca4b14d413325d5afb96b590408d918b27e >> ` >> I know this definitively because that hash is recorded in my vcpkg overlay >> file, and CI completed successfully at the time. >> >> Since then, however, the SHA512 checksum for the same URL now resolves to: >> >> `2c15c67d12b6b5ceafdd284038bff71136bac24b9aff1791ed0657e0f0a56ca713e641f9d1032918179af6c387762491c022f43d32995f94a749a60c7b91f20b >> ` >> This is currently causing reproducible CI failures on the `v1.4` branch of >> my extension, which you can see starting here: >> >> https://github.com/Query-farm/adbc_scanner/actions?page=5 >> >> Did I miss an announcement, or was the release artifact rebuilt or replaced >> after the initial publication? >> >> Thanks in advance for any clarification, and sorry again if this is my fault. >> >> Best wishes, >> >> Rusty >> -- >> https://query.farm >>
