Make reproducible release tarballs
I check the SHA sum of the ISPConfig tarballs before I install them.
The SHA 256 sum of the 3.2.5 release at https://www.ispconfig.org/downloads/ISPConfig-3.2.5.tar.gz changed from
That made me suspicious (could have easily been a hack that replaced the original release with a malicious one) – but the two tarballs extract to the very same directory tree (I had the earlier version lying around to check).
Looks like the tarball was re-created recently (maybe to test !1496 (merged)?). The tar and gzip file formats include metadata (like the current PID or the current time) that make two tar+gzip archives of the same directory tree binary-different even if they extract to the same directory tree.
Please consider either
- never ever overwrite a published release (e.g. skip uploading if there is a file with the same name) or
- make the tarballs reproducible.
Also, "official" SHA 256 sums in the release blog post would be wonderful.
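As an added example (not part of the issue above and not ISPConfig's own release tooling), the following POSIX shell script shows what "make the tarballs reproducible" means in practice: it pins every piece of metadata the reporter mentions (entry order, mtime, owner/group, modes, the gzip timestamp) so that packing the same tree twice yields byte-identical archives with the same SHA-256. It assumes GNU tar (1.28 or newer, for `--sort`), gzip and `sha256sum`; the directory tree it packs is constructed inside the script for the demo, and `SOURCE_DATE_EPOCH` is the conventional variable build systems use to pass a fixed timestamp.

```shell
#!/bin/sh
# Reproducible release tarball: output bytes depend only on the tree contents,
# not on when, where or by whom the archive was created.
# Assumes GNU tar >= 1.28 and gzip; not the ISPConfig project's own script.
set -eu

# make_reproducible_tarball <dir> <out.tar.gz> [epoch]
#   epoch defaults to $SOURCE_DATE_EPOCH, then 0.
make_reproducible_tarball() {
    dir=$1
    out=$2
    epoch=${3:-${SOURCE_DATE_EPOCH:-0}}
    # --sort=name      : fixed entry order instead of readdir() order
    # --mtime=@epoch   : one fixed timestamp for every entry
    # --owner/--group  : no local uid/gid or user names leak into the archive
    # --mode           : normalise permission bits (umask-independent)
    # --format=ustar   : no PAX headers carrying atime/ctime or a PID-based name
    # gzip -n          : omit the original file name and timestamp from the header
    LC_ALL=C tar \
        --sort=name \
        --mtime="@$epoch" \
        --owner=0 --group=0 --numeric-owner \
        --mode='go-w,a+rX' \
        --format=ustar \
        -cf - -C "$(dirname "$dir")" "$(basename "$dir")" \
      | gzip -n -9 > "$out"
}

# sha256_of <file> -> prints the hex digest only
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Demo: pack a constructed tree twice, with a changed mtime and at least a
# second apart (so a naive tar+gzip would differ), and compare the digests.
# Returns 0 if both archives hash identically.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/demo-release/install"
    printf 'constructed sample file\n' > "$tmp/demo-release/install/install.php"
    printf 'constructed sample file\n' > "$tmp/demo-release/README"

    make_reproducible_tarball "$tmp/demo-release" "$tmp/first.tar.gz" 1700000000
    touch "$tmp/demo-release/install/install.php"   # new local mtime
    sleep 1                                          # new wall-clock time
    make_reproducible_tarball "$tmp/demo-release" "$tmp/second.tar.gz" 1700000000

    first=$(sha256_of "$tmp/first.tar.gz")
    second=$(sha256_of "$tmp/second.tar.gz")
    rm -rf "$tmp"
    [ "$first" = "$second" ]
}

# Usage: run the demo when executed directly.
# demo && echo "reproducible: identical SHA-256 for both builds"
```

With a script like this, a release can be re-uploaded (or rebuilt from the tagged source) without its published SHA-256 changing, which turns a changed checksum back into a reliable signal that something other than a harmless re-pack happened.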