This was recognized as a bug as far back as 2007
(https://lists.gnu.org/archive/html/bug-tar/2007-08/msg00013.html), but
apparently no fix was ever applied.
That post identifies the annoyance and proposes 2 possible fixes:
1: check for mtime only.
2: compare all the elements of struct stat that are relevant to tar:
user, group, access mode and so on, but not ctime, number of blocks,
hard link count.
(I don't think it's a DoS problem as that post proposes, because at
least on a recent Linux, hard-linking another user's file results in
"Operation not permitted".)
Which one of those 2 is the correct fix? Or, is there some other better
fix?
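The two proposed fixes compared side by side, as an added example that is not part of the original post and is not GNU tar's code. It assumes the check compares two `struct stat` snapshots of the same file; the field list used for fix 2 and the names `probe`, `mtime_changed`, `archived_changed` and `ignored_changed` are illustrative assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Bits returned by probe(): which comparison saw a change. */
enum { F_MTIME = 1, F_ARCHIVED = 2, F_IGNORED = 4 };

/* Fix 1 from the post: only mtime counts as a change. */
static int mtime_changed(const struct stat *a, const struct stat *b) {
    return a->st_mtim.tv_sec != b->st_mtim.tv_sec ||
           a->st_mtim.tv_nsec != b->st_mtim.tv_nsec;
}
/* Fix 2: metadata relevant to the archive (exact field list is an assumption). */
static int archived_changed(const struct stat *a, const struct stat *b) {
    return mtime_changed(a, b) || a->st_size != b->st_size ||
           a->st_uid != b->st_uid || a->st_gid != b->st_gid ||
           a->st_mode != b->st_mode;
}
/* The fields fix 2 leaves out: ctime, block count, hard link count. */
static int ignored_changed(const struct stat *a, const struct stat *b) {
    return a->st_ctim.tv_sec != b->st_ctim.tv_sec ||
           a->st_ctim.tv_nsec != b->st_ctim.tv_nsec ||
           a->st_blocks != b->st_blocks || a->st_nlink != b->st_nlink;
}

/* Stat a scratch file, hard-link it (op 'l') or chmod it (op 'm'), stat it
   again; return a bitmask of the checks that fired, or -1 on error. */
int probe(char op) {
    char path[] = "/tmp/statcmp-XXXXXX", lnk[sizeof path + 4];
    struct stat a, b;
    int fd = mkstemp(path), rc = -1;          /* created with mode 0600 */
    if (fd < 0) return -1;
    snprintf(lnk, sizeof lnk, "%s.ln", path);
    if (stat(path, &a) == 0 &&
        (op == 'l' ? link(path, lnk) : chmod(path, 0640)) == 0 &&
        stat(path, &b) == 0)
        rc = (mtime_changed(&a, &b) ? F_MTIME : 0) |
             (archived_changed(&a, &b) ? F_ARCHIVED : 0) |
             (ignored_changed(&a, &b) ? F_IGNORED : 0);
    close(fd); unlink(lnk); unlink(path);     /* unlink(lnk) may fail harmlessly */
    return rc;
}

int main(void) {
    printf("hard link: %d, chmod: %d\n", probe('l'), probe('m'));
    return 0;
}
```

A hard link trips only the fields that fix 2 ignores, while a chmod between the two snapshots is seen by fix 2 but missed by the mtime-only fix 1.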