If no PKG_VERSION is set, then assume we're trying to build from the
very latest.

If no PKG_PATH is set, then let's build it from source, using the
upsream package repository. For Python projects, this amounts to:

  1. Cloning the repo
  2. Verifying the tag for a specific version
  3. Checking out that tag
  4. Running 'python setup.py sdist' to build tarball

Once that's done, we can pass that tarball to the Debian package build
logic. The tarball is not byte-for-byte identical after multiple builds,
due to metadata discrepancies such as timestamps, but Debian package
build logic *is* reproducible, given support of the SOURCE_DATE_EPOCH.
So, even when using a newly built tarball with slightly different
timestamps, rebuilding the same package will yield an identical
checksum.

When building tarballs dynamically, let's take the time to ensure that
they're fully reproducible. We still run 'python setup.py sdist', but
since that tool doesn't (yet) support SOURCE_DATE_EPOCH, we'll manually
repack the archive with native tar & gzip, forcing predictable
timestamps from the git info, resulting in a deterministic build.

Requested by @kushaldas during review. We can't easily pass through the stderr
from the git verify process, since we redirect that stderr to stdout so
that grep can inspect it. So let's just detect the failure and report
that the tag failed to verify, which is accurate, albeit neither
explicit nor verbose.