Hi! The generated dist tarballs have always leaked maintainer information like their UID and GID for v7 tar, with ustar or pax tarballs in addition also leaking the user name and group. With the default for the tar format having been switched in automake 1.18, this is now a bit worse.
I've switched projects I maintain to use the documented workaround of setting and exporting TAR_OPTIONS. Although I think it would be better for automake to set --owner=0 and --group=0 by default when possible. I've read https://debbugs.gnu.org/79170, https://debbugs.gnu.org/13324 and https://debbugs.gnu.org/19614, where there were concerns about compatibility and on not wanting to require GNU tar. But given that currently the default is ustar, and when using GNU tar, --format is being used, I think it would make sense in that case to also pass --owner=0 and --group=0, I guess in the gnutar case in m4/tar.m4. Thanks, Guillem
