I’ve added some comments to that issue, so let’s continue there. If other Arrow components are anything like ADBC, we (the Arrow PMC) have some release provenance issues to address. These include integrity of release votes, downloads pages providing links to historic releases and their hashes, and release announcements that include a permanent link to artifacts.
(If I am overreacting, I apologize. My investigations are hampered by the fact that https://archive.apache.org/dist/arrow/ is timing out currently.)

> On Feb 9, 2026, at 12:01 PM, Bryce Mecum <[email protected]> wrote:
>
> https://arrow.apache.org/adbc/current/driver/installation.html which
> can be traversed to from https://arrow.apache.org. I created [1] to
> address the information gaps on that page.
>
> https://github.com/apache/arrow-adbc/issues/3946
>
> On Mon, Feb 9, 2026 at 11:32 AM Julian Hyde <[email protected]> wrote:
>>
>> What is the downloads page for Arrow ADBC? The Arrow downloads page only
>> includes Arrow releases, so it looks as if ADBC isn’t complying with the
>> policy for downloads pages:
>> https://infra.apache.org/release-download-pages.html#download-page
>>
>>> On Feb 9, 2026, at 11:25 AM, Julian Hyde <[email protected]> wrote:
>>>
>>> Re "checksums are linked in the vote thread". Are any of those checksums
>>> still available? The linked by the vote,
>>> https://dist.apache.org/repos/dist/dev/arrow/apache-arrow-adbc-21-rc0
>>> appears to be broken.
>>>
>>> To put it another way. Can you prove that the artifact you voted on had
>>> hash
>>> 74d9dedd15bce71bfbc5bce00ad1aa91be84623010e2a01e6846343a7acc93e36fb263a08cc8437a9467bf63a2c7aca4b14d413325d5afb96b590408d918b27e.
>>> If not, we have a provenance problem.
>>>
>>>> On Feb 9, 2026, at 11:02 AM, Bryce Mecum <[email protected]> wrote:
>>>>
>>>> Sorry for any confusion caused, Julian. I didn't mean to imply the
>>>> GitHub URL was the definitive location for the asset and I only linked
>>>> it because I know it's the same artifact as what's uploaded to ASF and
>>>> it was near at hand. I otherwise would've linked to [1].
>>>>
>>>> Re: the potential policy violations, I can put up a PR to add the
>>>> latest closer.lua URL to [2] which may address your first point and,
>>>> for the second point, the checksums are linked in the vote thread so
>>>> everything looks fine there.
>>>>
>>>> [1] https://archive.apache.org/dist/arrow/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz
>>>> [2] https://arrow.apache.org/adbc/current/driver/installation.html
>>>>
>>>> On Mon, Feb 9, 2026 at 10:14 AM Julian Hyde <[email protected]> wrote:
>>>>>
>>>>> Where is the definitive location for the ADBC 21 source tarball? It
>>>>> should be on ASF infrastructure, not GitHub.com <http://github.com/>.
>>>>>
>>>>> We may have a couple of policy violations here. The release announcement
>>>>> for ADBC 21 [1] does not link to any permanent location for downloads.
>>>>> And the SHA512 for the tarball does not appear anywhere in the vote
>>>>> thread for the release [2].
>>>>>
>>>>> We should not be trying to construct the provenance of a release using
>>>>> circumstantial evidence such as "On *Dec 14, 2025 at 7:46 AM EST*, the
>>>>> SHA512 checksum for that file was …"
>>>>>
>>>>> Julian
>>>>>
>>>>> [1] https://lists.apache.org/thread/dpxqpory5pmd119j85ks7cq9prword9p
>>>>> [2] https://lists.apache.org/thread/mx2bwkbx51hy8robpnqksw93hrqzhtp9
>>>>>
>>>>>> On Feb 9, 2026, at 9:17 AM, Bryce Mecum <[email protected]> wrote:
>>>>>>
>>>>>> Hey Rusty,
>>>>>>
>>>>>> I think the URL you shared is the source archive for the git tag and
>>>>>> not the release artifact. If I remember correctly, GitHub has had
>>>>>> issues with checksum stability with those URLs in the past and, while
>>>>>> the situation has gotten better, we recommend only using the release
>>>>>> artifacts anyway [1]. If [1] isn't hash stable, let us know.
>>>>>>
>>>>>> [1] https://github.com/apache/arrow-adbc/releases/download/apache-arrow-adbc-21/apache-arrow-adbc-21.tar.gz
>>>>>>
>>>>>> On Mon, Feb 9, 2026 at 7:30 AM Rusty Conover <[email protected]> wrote:
>>>>>>>
>>>>>>> Hi Arrow Friends,
>>>>>>>
>>>>>>> Apologies in advance if this is the wrong mailing list or if I’m
>>>>>>> missing something obvious — but I’ve run into something odd with the
>>>>>>> `apache-arrow-adbc-21.tar.gz` release artifact.
>>>>>>>
>>>>>>> I’ve been building ADBC via vcpkg as part of my `adbc_scanner` DuckDB
>>>>>>> extension, using the following source archive:
>>>>>>>
>>>>>>> https://github.com/apache/arrow-adbc/archive/apache-arrow-adbc-21.tar.gz
>>>>>>>
>>>>>>> On *Dec 14, 2025 at 7:46 AM EST*, the SHA512 checksum for that file was:
>>>>>>>
>>>>>>> `74d9dedd15bce71bfbc5bce00ad1aa91be84623010e2a01e6846343a7acc93e36fb263a08cc8437a9467bf63a2c7aca4b14d413325d5afb96b590408d918b27e`
>>>>>>>
>>>>>>> I know this definitively because that hash is recorded in my vcpkg
>>>>>>> overlay file, and CI completed successfully at the time.
>>>>>>>
>>>>>>> Since then, however, the SHA512 checksum for the same URL now resolves
>>>>>>> to:
>>>>>>>
>>>>>>> `2c15c67d12b6b5ceafdd284038bff71136bac24b9aff1791ed0657e0f0a56ca713e641f9d1032918179af6c387762491c022f43d32995f94a749a60c7b91f20b`
>>>>>>>
>>>>>>> This is currently causing reproducible CI failures on the `v1.4` branch
>>>>>>> of my extension, which you can see starting here:
>>>>>>>
>>>>>>> https://github.com/Query-farm/adbc_scanner/actions?page=5
>>>>>>>
>>>>>>> Did I miss an announcement, or was the release artifact rebuilt or
>>>>>>> replaced after the initial publication?
>>>>>>>
>>>>>>> Thanks in advance for any clarification, and sorry again if this is my
>>>>>>> fault.
>>>>>>>
>>>>>>> Best wishes,
>>>>>>>
>>>>>>> Rusty
>>>>>>> --
>>>>>>> https://query.farm
