Document reproducibility of resulting archives #395

Open
Silvanoc opened this issue Oct 18, 2023 · 1 comment

@Silvanoc

It would be helpful to have some information documented about the reproducibility of the resulting archives. What I mean is answering this question:

Can I be sure that I am getting exactly the same TAR archive whenever I use this package? No matter:

  • When I run it.
  • Which node-tar version I use.
  • Which OS I use.

Of course, in order to ensure it, some testing would be needed. Therefore starting with something like the following might suffice (in case it applies):

The archives being generated using this package are expected to be reproducible (no matter when or in which OS you run it). Nevertheless, as of now no format tests are ensuring it.

@Silvanoc Silvanoc changed the title Document archive reproducibility Document reproducibility of resulting archives Oct 18, 2023
@isaacs
Owner

isaacs commented Oct 18, 2023

Sure, it definitely is possible, npm relies on this.

There's a portable option which prevents any os-specific flags from being added (this is also needed to prevent the gzip os header). If you want it to be strictly content dependent (i.e., consistent regardless of file mtime values), then some additional work is required. The pacote package (npm's package archive handler) does this for example, stripping all time flags from entries as they are being created. (Actually, it sets them to an arbitrary date in 1985, because Docker gets upset at dates before 1980.)

Can certainly document. Might even be a good idea to make a new high level flag to just do that time stripping.
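
A way to check the points raised in this thread, added here as an example (it is not part of the issue and not node-tar or pacote code): it reads the gzip header and each tar entry header and names every field that differs between two builds of the same content. The helper names, the sample builds, the 1985 timestamp and the choice of uid/gid/uname/gname as the environment-dependent tar fields are assumptions of this example.

```javascript
const zlib = require('node:zlib');

// Tar header fields are NUL-terminated strings or octal numbers (base-256 not handled here).
const str = (h, off, len) => h.toString('latin1', off, off + len).split('\0')[0];
const oct = (h, off, len) => parseInt(str(h, off, len).trim() || '0', 8);

// List the fields of a .tar or .tar.gz buffer that depend on where/when it was built.
function environmentFields(buf) {
  const out = [];
  if (buf[0] === 0x1f && buf[1] === 0x8b) {              // gzip magic (RFC 1952)
    out.push({ where: 'gzip', mtime: buf.readUInt32LE(4), os: buf[9] });
    buf = zlib.gunzipSync(buf);
  }
  for (let off = 0; off + 512 <= buf.length;) {
    const h = buf.subarray(off, off + 512);
    if (h.every((b) => b === 0)) break;                  // end-of-archive block
    out.push({ where: str(h, 0, 100), mtime: oct(h, 136, 12), uid: oct(h, 108, 8),
      gid: oct(h, 116, 8), uname: str(h, 265, 32), gname: str(h, 297, 32) });
    off += 512 + Math.ceil(oct(h, 124, 12) / 512) * 512; // skip header + padded body
  }
  return out;
}

// Name every field that differs between two builds of the same content.
function diffBuilds(a, b) {
  const fa = environmentFields(a), fb = environmentFields(b), diffs = [];
  fa.forEach((ea, i) => {
    for (const k of Object.keys(ea)) if (ea[k] !== (fb[i] || {})[k]) diffs.push(`${ea.where}.${k}`);
  });
  return diffs;
}

// Constructed sample: one-entry archive ("hello.txt"); header checksum omitted, it is not read above.
function sampleBuild({ mtime, uid, uname, os }) {
  const h = Buffer.alloc(512), body = Buffer.alloc(512);
  h.write('hello.txt', 0);
  h.write(uid.toString(8).padStart(7, '0'), 108);        // uid
  h.write(uid.toString(8).padStart(7, '0'), 116);        // gid (same value for brevity)
  h.write('00000000005', 124);                           // size = 5 bytes
  h.write(mtime.toString(8).padStart(11, '0'), 136);     // mtime, seconds since epoch
  h.write('ustar', 257);
  h.write(uname, 265);
  body.write('hello');
  const gz = zlib.gzipSync(Buffer.concat([h, body, Buffer.alloc(1024)]));
  gz[9] = os;                                            // force the gzip OS byte for the sample
  return gz;
}

const FIXED = Date.UTC(1985, 0, 1) / 1000;               // arbitrary fixed 1985 date for this example
const dev = sampleBuild({ mtime: 1697587200, uid: 501, uname: 'alice', os: 3 });
const ci = sampleBuild({ mtime: 1697673600, uid: 1001, uname: 'runner', os: 0 });
console.log(diffBuilds(dev, ci));
```

Run against two real archives, an empty result from `diffBuilds` means the headers agree; a byte-for-byte comparison or digest of the two files is still the final check.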
