Bug#1135269: ruby-timers: please make the build reproducible

Chris Lamb lamby at debian.org
Thu Apr 30 12:40:30 BST 2026 

Source: ruby-timers
Version: 4.4.0-2
Severity: wishlist
Tags: patch
User: reproducible-builds at lists.alioth.debian.org
Usertags: environment
X-Debbugs-Cc: reproducible-bugs at lists.alioth.debian.org

Hi,

Whilst working on the Reproducible Builds effort [0], we noticed that
ruby-timers could not be built reproducibly.

This is because the .gemspec file gets evaluated, causing this line:

  File.expand_path("~/.gem/release.pem")

... to be rendered in the binary package, leading to the package
embedding the build user's home directory.

Patch attached.

 [0] https://reproducible-builds.org/


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby at debian.org / chris-lamb.co.uk
       `-
-------------- next part --------------
--- a/debian/patches/reproducible-build.patch	1969-12-31 16:00:00.000000000 -0800
--- b/debian/patches/reproducible-build.patch	2026-04-30 04:37:52.593631918 -0700
@@ -0,0 +1,16 @@
+Description: Make the build reproducible
+Author: Chris Lamb <lamby at debian.org>
+Last-Update: 2026-04-30
+
+--- ruby-timers-4.4.0.orig/timers.gemspec
++++ ruby-timers-4.4.0/timers.gemspec
+@@ -10,9 +10,6 @@ Gem::Specification.new do |spec|
+ 	spec.authors = ["Tony Arcieri", "Samuel Williams", "Donovan Keme", "Wander Hillen", "Utenmiki", "Jeremy Hinegardner", "Sean Gregory", "Chuck Remes", "Olle Jonsson", "Ron Evans", "Tommy Ong Gia Phu", "Larry Lv", "Lin Jen-Shin", "Ryunosuke Sato", "Atul Bhosale", "Bruno Enten", "Dimitrij Denissenko", "Jesse Cooke", "Klaus Trainer", "Lavir the Whiolet", "Mike Bourgeous", "Nicholas Evans", "Patrik Wenger", "Peter Goldstein", "Ryan LeCompte", "Tim Smith", "Vít Ondruch", "Will Jessop", "Yoshiki Takagi"]
+ 	spec.license = "MIT"
+ 	
+-	spec.cert_chain  = ["release.cert"]
+-	spec.signing_key = File.expand_path("~/.gem/release.pem")
+-	
+ 	spec.homepage = "https://github.com/socketry/timers"
+ 	
+ 	spec.metadata = {
--- a/debian/patches/series	1969-12-31 16:00:00.000000000 -0800
--- b/debian/patches/series	2026-04-30 04:37:51.255121707 -0700
@@ -0,0 +1 @@
+reproducible-build.patch

More information about the Reproducible-bugs mailing list