build: Set TAR_OPTIONS to avoid leaking maintainer information on dist

The default tar invocation by automake leaks the user and group IDs and
names into the tarball. And while those are probably going to be easy to
infer, it is unnecessary to expose them. With the automake switch from
tar format v7 to ustar this is now worse as it used to only leak the
IDs, not the names.

We set and export TAR_OPTIONS with --owner=0 and --group=0 to neuter the
information leak. Although ideally automake would set those by default.

diff --git a/Makefile.am b/Makefile.am
index bdb83761539f3286b16910add62d7c5995fb5f47..9f321c492106642f75640b76d5b832b14e7be36a 100644 (file)
--- a/Makefile.am
+++ b/Makefile.am
@@ -14,6 +14,9 @@ EXTRA_DIST = \
        get-version \
        # EOL
 
+TAR_OPTIONS = --owner=0 --group=0
+export TAR_OPTIONS
+
 dist-hook:
        echo $(VERSION) >$(distdir)/.dist-version
        if [ -d .git ]; then \