Severity: wishlist

I propose that we ensure reproducibility in our release tarballs by applying the recommended GNU Tar options. Please see the attached patch.

The main value of reproducible tarballs is that they allow anyone -- whether downstream packagers, security auditors, or independent developers -- to verify that the official release tarball matches the corresponding source repository exactly. This is particularly useful for:

1. Supply chain security. Ensuring that the tarball is built from the expected source, with no accidental or malicious modifications.

2. Downstream distributions. Some distributions, like Debian and Guix, strongly prefer reproducible builds to improve verifiability and package integrity.

3. Debugging and consistency. Developers can regenerate the exact same tarball locally, making it easier to debug, compare versions, or audit historical releases.

Even if we're the only ones who generate official tarballs, making them reproducible improves transparency and verifiability, which are worthwhile goals on their own.

This approach follows the official GNU Tar manual guidelines:
https://www.gnu.org/software/tar/manual/html_node/Reproducibility.html
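
The check a downstream verifier would run, as an added example (not the attached patch and not the project's own code): it archives two constructed checkouts of the same content that differ in file mtimes, permissions and creation order, once naively and once with the options from the GNU Tar manual page linked above. The helper names, the sample tree and the timestamps are assumptions made for the illustration; GNU tar, gzip and coreutils are required.

```shell
#!/bin/sh
# Added example (not the attached patch). Helper names are hypothetical.

# repro_tar SRC_DIR OUT_TGZ EPOCH: archive SRC_DIR with the GNU Tar manual's
# reproducibility options; EPOCH would normally be the release commit time.
repro_tar() {
    src=$1 out=$2 epoch=$3
    LC_ALL=C tar \
        --sort=name --format=posix \
        --pax-option=exthdr.name=%d/PaxHeaders/%f \
        --pax-option=delete=atime,delete=ctime \
        --clamp-mtime --mtime="@$epoch" \
        --numeric-owner --owner=0 --group=0 \
        --mode=go+u,go-w \
        -C "$src" -cf - . | gzip --no-name --best > "$out"
}

# make_tree DIR MTIME MODE FILE...: constructed sample source tree.
make_tree() {
    dir=$1 stamp=$2 mode=$3; shift 3
    mkdir -p "$dir/src"
    for f in "$@"; do
        printf 'contents of %s\n' "$f" > "$dir/$f"
        chmod "$mode" "$dir/$f"
    done
    find "$dir" -exec touch -d "@$stamp" {} +
}

sha() { sha256sum "$1" | cut -d' ' -f1; }

# compare_trees repro|naive: archive both checkouts, print "same" or "differ".
compare_trees() {
    work=$(mktemp -d) || return 1
    make_tree "$work/a" 1700000000 644 README src/main.c src/util.c
    make_tree "$work/b" 1700000100 600 src/util.c src/main.c README
    for t in a b; do
        if [ "$1" = repro ]; then
            repro_tar "$work/$t" "$work/$t.tgz" 1600000000
        else
            tar -C "$work/$t" -cf - . | gzip > "$work/$t.tgz"
        fi
    done
    if [ "$(sha "$work/a.tgz")" = "$(sha "$work/b.tgz")" ]; then r=same; else r=differ; fi
    rm -rf "$work"
    echo "$r"
}

echo "naive: $(compare_trees naive)"
echo "repro: $(compare_trees repro)"
```

With `--clamp-mtime`, only files newer than EPOCH are rewritten, so a tree containing older files still needs its mtimes to come from the checkout in a deterministic way.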