Starting with #226, the SBOM no longer includes a timestamp.
The outputTimestamp parameter is always set, which enables reproducible builds mode. This mode currently causes the SBOM timestamp to be omitted.
However, reproducible builds do not require removing the timestamp entirely. Instead, they require using a consistent timestamp across builds. In Maven, this is typically achieved by setting project.build.outputTimestamp during the build process.
For this reason, I propose that the SBOM timestamp should be set to the value provided by the outputTimestamp parameter rather than leaving it unset. This approach would maintain reproducibility while preserving useful metadata.
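A sketch of the proposal above, added here as an illustration and not taken from the plugin's code: the SBOM timestamp is derived from the outputTimestamp value, so two builds with the same pinned value serialize identical metadata. The class name, method names and the `metadata.timestamp` JSON shape are assumptions made for the example.

```java
import java.time.Instant;
import java.time.OffsetDateTime;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;
import java.time.temporal.ChronoUnit;
import java.util.Optional;

public class SbomTimestampExample {

    // Maven accepts two forms for project.build.outputTimestamp: an ISO 8601
    // date-time with offset, or an integer count of seconds since the epoch.
    // A blank or one-character value means reproducible mode is off.
    static Optional<Instant> parseOutputTimestamp(String value) {
        if (value == null || value.trim().length() < 2) {
            return Optional.empty();
        }
        String v = value.trim();
        if (v.chars().allMatch(Character::isDigit)) {
            return Optional.of(Instant.ofEpochSecond(Long.parseLong(v)));
        }
        try {
            return Optional.of(OffsetDateTime.parse(v).toInstant().truncatedTo(ChronoUnit.SECONDS));
        } catch (DateTimeParseException e) {
            throw new IllegalArgumentException("Unsupported outputTimestamp: " + v, e);
        }
    }

    // Hypothetical serializer: a reproducible build reuses the pinned instant,
    // any other build falls back to the wall clock.
    static String metadataJson(String outputTimestamp) {
        Instant ts = parseOutputTimestamp(outputTimestamp)
                .orElseGet(() -> Instant.now().truncatedTo(ChronoUnit.SECONDS));
        return "{\"metadata\":{\"timestamp\":\"" + DateTimeFormatter.ISO_INSTANT.format(ts) + "\"}}";
    }

    public static void main(String[] args) {
        String pinned = "2024-01-15T10:30:00+01:00"; // constructed sample value
        String first = metadataJson(pinned);
        String second = metadataJson(pinned);
        System.out.println(first);
        System.out.println("identical across builds: " + first.equals(second));
        System.out.println(metadataJson("1705311000")); // the same instant, given as epoch seconds
    }
}
```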