https://arrow.apache.org/adbc/current/driver/installation.html which can be traversed to from https://arrow.apache.org. I created [1] to address the information gaps on that page.
https://github.com/apache/arrow-adbc/issues/3946 On Mon, Feb 9, 2026 at 11:32 AM Julian Hyde <[email protected]> wrote: > > What is the downloads page for Arrow ADBC? The Arrow downloads page only > includes Arrow releases, so it looks as if ADBC isn’t complying with the > policy for downloads pages: > https://infra.apache.org/release-download-pages.html#download-page > > > On Feb 9, 2026, at 11:25 AM, Julian Hyde <[email protected]> wrote: > > > > Re "checksums are linked in the vote thread”. Are any of those checksums > > still available? The linked by the vote, > > https://dist.apache.org/repos/dist/dev/arrow/apache-arrow-adbc-21-rc0 > > appears to be broken. > > > > To put it another way. Can you prove that the artifact you voted on had > > hash > > 74d9dedd15bce71bfbc5bce00ad1aa91be84623010e2a01e6846343a7acc93e36fb263a08cc8437a9467bf63a2c7aca4b14d413325d5afb96b590408d918b27e. > > If not, we have a provenance problem. > > > >> On Feb 9, 2026, at 11:02 AM, Bryce Mecum <[email protected]> wrote: > >> > >> Sorry for any confusion caused, Julian. I didn't mean to imply the > >> GitHub URL was the definitive location for the asset and I only linked > >> it because I know it's the same artifact as what's uploaded to ASF and > >> it was near at hand. I otherwise would've linked to [1]. > >> > >> Re: the potential policy violations, I can put up a PR to add the > >> latest closer.lua URL to [2] which may address your first point and, > >> for the second point, the checksums are linked in the vote thread so > >> everything looks fine there. > >> > >> [1] > >> https://archive.apache.org/dist/arrow/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz > >> [2] https://arrow.apache.org/adbc/current/driver/installation.html > >> > >> On Mon, Feb 9, 2026 at 10:14 AM Julian Hyde <[email protected]> wrote: > >>> > >>> Where is the definitive location for the ADBC 21 source tarball? It > >>> should be on ASF infrastructure, not GitHub.com <http://github.com/>. > >>> > >>> We may have a couple of policy violations here. The release announcement > >>> for ADBC 21 [1] does not link to any permanent location for downloads. > >>> And the SHA512 for the tarball does not appear anywhere in the vote > >>> thread for the release [2]. > >>> > >>> We should not be trying to construct the provenance of a release using > >>> circumstantial evidence such as "On *Dec 14, 2025 at 7:46 AM EST*, the > >>> SHA512 checksum for that file was …" > >>> > >>> Julian > >>> > >>> [1] https://lists.apache.org/thread/dpxqpory5pmd119j85ks7cq9prword9p > >>> [2] https://lists.apache.org/thread/mx2bwkbx51hy8robpnqksw93hrqzhtp9 > >>> > >>>> On Feb 9, 2026, at 9:17 AM, Bryce Mecum <[email protected]> wrote: > >>>> > >>>> Hey Rusty, > >>>> > >>>> I think the URL you shared is the source archive for the git tag and > >>>> not the release artifact. If I remember correctly, GitHub has had > >>>> issues with checksum stability with those URLs in the past and, while > >>>> the situation has gotten better, we recommend only using the release > >>>> artifacts anyway [1]. If [1] isn't hash stable, let us know. > >>>> > >>>> [1] > >>>> https://github.com/apache/arrow-adbc/releases/download/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz > >>>> > >>>> On Mon, Feb 9, 2026 at 7:30 AM Rusty Conover <[email protected]> wrote: > >>>>> > >>>>> Hi Arrow Friends, > >>>>> > >>>>> Apologies in advance if this is the wrong mailing list or if I’m > >>>>> missing something obvious — but I’ve run into something odd with the > >>>>> `apache-arrow-adbc-21.tar.gz` release artifact. > >>>>> > >>>>> I’ve been building ADBC via vcpkg as part of my `adbc_scanner` DuckDB > >>>>> extension, using the following source archive: > >>>>> > >>>>> https://github.com/apache/arrow-adbc/archive/apache-arrow-adbc-21.tar.gz > >>>>> > >>>>> On *Dec 14, 2025 at 7:46 AM EST*, the SHA512 checksum for that file was: > >>>>> > >>>>> `74d9dedd15bce71bfbc5bce00ad1aa91be84623010e2a01e6846343a7acc93e36fb263a08cc8437a9467bf63a2c7aca4b14d413325d5afb96b590408d918b27e > >>>>> ` > >>>>> I know this definitively because that hash is recorded in my vcpkg > >>>>> overlay file, and CI completed successfully at the time. > >>>>> > >>>>> Since then, however, the SHA512 checksum for the same URL now resolves > >>>>> to: > >>>>> > >>>>> `2c15c67d12b6b5ceafdd284038bff71136bac24b9aff1791ed0657e0f0a56ca713e641f9d1032918179af6c387762491c022f43d32995f94a749a60c7b91f20b > >>>>> ` > >>>>> This is currently causing reproducible CI failures on the `v1.4` branch > >>>>> of my extension, which you can see starting here: > >>>>> > >>>>> https://github.com/Query-farm/adbc_scanner/actions?page=5 > >>>>> > >>>>> Did I miss an announcement, or was the release artifact rebuilt or > >>>>> replaced after the initial publication? > >>>>> > >>>>> Thanks in advance for any clarification, and sorry again if this is my > >>>>> fault. > >>>>> > >>>>> Best wishes, > >>>>> > >>>>> Rusty > >>>>> -- > >>>>> https://query.farm > >>>>> > >>> > > >
