Got a reply for my tar / mtime question.
Turns out exporting TZ to UTC may not be required, but it also looks very safe and sane to do and will prevent some confusion, so it is probably good to keep.
I don't know. My approach is rather basic. I am following authoritative arguments here. I choose the Debian Reproducible Builds team as the experienced experts on the topic and follow their recommendations as long as they seem sensible. This was introduced here:
Author: Patrick Schleizer <email@example.com>
Date: Thu Jan 19 09:40:35 2017 +0000
add --mode=go=rX,u+rw,a-s to tar to avoid non-determinism
as suggested by https://wiki.debian.org/ReproducibleBuilds/VaryingPermissionsInTarballs
Then the strategy is to keep testing it. Should issues arise (non-determinism reported), I'd investigate further. As for Whonix 14, Whonix deb reproducibility was only on a best effort basis. ( https://phabricator.whonix.org/T52 )
More progress is scheduled during development of Whonix 15. ( https://phabricator.whonix.org/T615 )
(Or earlier if someone contributes.)
Having said that... You seem to be knowledgeable on the topic.
Please consider re-posting that question on the Debian reproducible builds mailing list.
( https://lists.alioth.debian.org/mailman/listinfo/reproducible-builds )
That would quite likely lead to a more educated answer to your question, and it would be a great service to Whonix.
Your root vs 0 argument seems solid. Could you report it on the reproducible builds mailing list please?
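An added example, not part of the thread and not Whonix's build script: it builds the same tree twice with different umasks and file timestamps, then shows that the archives hash identically once tar normalizes the metadata. Only `--mode=go=rX,u+rw,a-s` and `TZ=UTC` come from the posts above; `--sort=name`, `--mtime`, `--owner=0 --group=0 --numeric-owner`, the tree layout and the dates are assumptions chosen for the illustration, and GNU tar 1.28 or later with GNU coreutils is assumed.

```shell
#!/bin/sh
# Constructed sample tree. $1 = parent dir, $2 = umask, $3 = file timestamp.
make_tree() {
    ( umask "$2"
      mkdir -p "$1/pkg/bin"
      printf 'hello\n' > "$1/pkg/README"
      printf '#!/bin/sh\necho hi\n' > "$1/pkg/bin/run"
      chmod u+x "$1/pkg/bin/run"
      find "$1/pkg" -exec touch -d "$3" {} + )
}

# Write a normalized archive of $1/pkg to stdout.
det_tar() {
    # TZ=UTC pins how the zone-less --mtime string below is interpreted.
    TZ=UTC tar --create --file=- \
        --directory="$1" \
        --sort=name \
        --mtime='2017-01-01 00:00:00' \
        --owner=0 --group=0 --numeric-owner \
        --mode=go=rX,u+rw,a-s \
        pkg
}

# SHA-256 of the normalized archive.
tar_digest() {
    det_tar "$1" | sha256sum | cut -d' ' -f1
}

# Two "builds" with different umask and timestamps; digests should match.
demo() {
    a=$(mktemp -d); b=$(mktemp -d)
    make_tree "$a" 022 '2001-02-03 04:05:06'
    make_tree "$b" 077 '2015-06-07 08:09:10'
    echo "build A: $(tar_digest "$a")"
    echo "build B: $(tar_digest "$b")"
    rm -rf "$a" "$b"
}
demo
```

Dropping any one normalizing option and re-running is a quick way to see which source of variation it was covering.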