> None of these libraries are broken. They just include resources. Also, I 
> don't think it is realistic to tell library authors to please move certain 
> files out of the way because my build tool randomizes my classpath. That is 
> not going to happen. People will keep including things like 
> log4j.properties that are in potential conflict with a local file or files 
> in other JAR paths.

These packages should be cleaned up. They contain files they shouldn't 
contain. It mostly goes unnoticed and library authors often aren't even 
aware this is happening. I have reported this to a couple CLJS libraries 
over the years and all of them were fixed pretty much immediately, since it 
was always accidental. The burden is probably on the community to make 
people aware of this. Heck I'd even say all tools used for building library 
.jar files should even complain about certain files from the outset. While 
it is mostly harmless and usually goes unnoticed it is also a potential 
security risk. I don't know anyone that audits their dependencies properly 
and often people just serve "public" resources straight over HTTP. That 
means any dependency you don't audit may contain 
"public/some-exploit/foo.html" which then is often automatically available 
under "https://your-domain.com/some-exploit/foo.html";. Probably not 
something you want to have on your domain.

Regardless :paths should be first, just because of the options it enables I 
outlined earlier. IMHO dependencies otherwise can stay unordered since 
everything should be namespaced properly and unique anyways so order 
shouldn't matter.

You received this message because you are subscribed to the Google
Groups "Clojure" group.
To post to this group, send email to clojure@googlegroups.com
Note that posts from new members are moderated - please be patient with your 
first post.
To unsubscribe from this group, send email to
For more options, visit this group at
You received this message because you are subscribed to the Google Groups 
"Clojure" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to clojure+unsubscr...@googlegroups.com.
To view this discussion on the web visit 

Reply via email to