ProdNG package generation: invariant builds → security
For both security and our build system, we've modified packages to make them invariant (2 builds of the same source should give the same package bit for bit).
This is a great way to verify quickly whether your build servers are generating the same binaries as a cleanly installed workstation.
After the package build, we have a special filter to prune things we want to remove from all packages (info pages, man pages in other languages, etc.).
We then compare the package's files against the files from the previous version of the package, and revert mtime-only changes.
We have special code that doesn't encode the gzip time in compressed archives (like man pages), and reverts the mtime of the source .py file encoded in .pyc files.
If after those cleanups the new package is identical to the old one, it's thrown out as identical.
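The cleanup steps described above, as an added example that is not part of the ProdNG slides or code: it zeroes the gzip header timestamp, carries the previous package's source mtime into a .pyc whose only difference is that mtime, and then decides whether the new package is bit-for-bit identical to the old one. The packages are constructed in-memory dicts of path to bytes, the .pyc layout assumed is the CPython 3.7+ header, and the old package is assumed to have been stored after the same cleanup.

```python
import gzip
import struct
from importlib.util import MAGIC_NUMBER

GZIP_MAGIC = b"\x1f\x8b"
PYC_MTIME = slice(8, 12)  # CPython >= 3.7 .pyc header: magic(4) flags(4) mtime(4) size(4)

def strip_gzip_mtime(data: bytes) -> bytes:
    """Zero the gzip header MTIME field (bytes 4..8, RFC 1952); payload and CRC are untouched."""
    if len(data) < 10 or not data.startswith(GZIP_MAGIC):
        return data
    return data[:4] + b"\x00" * 4 + data[8:]

def revert_pyc_mtime(new_pyc: bytes, old_pyc: bytes) -> bytes:
    """If the new .pyc differs from the old one only in the recorded source-file
    mtime, carry the old mtime over so the two files compare bit for bit."""
    if len(new_pyc) != len(old_pyc) or len(new_pyc) < 16:
        return new_pyc
    if new_pyc[4:8] != b"\x00" * 4:  # hash-based .pyc: header holds no mtime
        return new_pyc
    candidate = new_pyc[:8] + old_pyc[PYC_MTIME] + new_pyc[12:]
    return candidate if candidate == old_pyc else new_pyc

def normalize(path: str, data: bytes, previous: dict) -> bytes:
    """Per-file cleanup applied before comparing against the previous package."""
    if path.endswith(".gz"):
        data = strip_gzip_mtime(data)
    if path.endswith(".pyc") and path in previous:
        data = revert_pyc_mtime(data, previous[path])
    return data

def package_is_identical(old: dict, new: dict) -> bool:
    """True when every file of the new build matches the old package after cleanup
    (assumption: the old package's files were stored already cleaned)."""
    if old.keys() != new.keys():
        return False
    return all(normalize(p, new[p], old) == old[p] for p in new)

# Constructed sample packages: same content, different build timestamps.
def fake_pyc(mtime: int, body: bytes = b"\x00" * 8) -> bytes:
    return MAGIC_NUMBER + struct.pack("<III", 0, mtime, len(body)) + body

MAN = "usr/share/man/man1/foo.1.gz"
OLD_PKG = {MAN: strip_gzip_mtime(gzip.compress(b"man page", mtime=111)),
           "usr/lib/foo.pyc": fake_pyc(1000)}
NEW_PKG = {MAN: gzip.compress(b"man page", mtime=222), "usr/lib/foo.pyc": fake_pyc(2000)}

if __name__ == "__main__":
    print("identical" if package_is_identical(OLD_PKG, NEW_PKG) else "changed")
```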