> > None of these libraries are broken. They just include resources. Also, I > don't think it is realistic to tell library authors to please move certain > files out of the way because my build tool randomizes my classpath. That is > not going to happen. People will keep including things like > log4j.properties that are in potential conflict with a local file or files > in other JAR paths. >
These packages should be cleaned up. They contain files they shouldn't contain. It mostly goes unnoticed and library authors often aren't even aware this is happening. I have reported this to a couple CLJS libraries over the years and all of them were fixed pretty much immediately, since it was always accidental. The burden is probably on the community to make people aware of this. Heck I'd even say all tools used for building library .jar files should even complain about certain files from the outset. While it is mostly harmless and usually goes unnoticed it is also a potential security risk. I don't know anyone that audits their dependencies properly and often people just serve "public" resources straight over HTTP. That means any dependency you don't audit may contain "public/some-exploit/foo.html" which then is often automatically available under "https://your-domain.com/some-exploit/foo.html". Probably not something you want to have on your domain. Regardless :paths should be first, just because of the options it enables I outlined earlier. IMHO dependencies otherwise can stay unordered since everything should be namespaced properly and unique anyways so order shouldn't matter. -- You received this message because you are subscribed to the Google Groups "Clojure" group. To post to this group, send email to email@example.com Note that posts from new members are moderated - please be patient with your first post. To unsubscribe from this group, send email to clojure+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/clojure?hl=en --- You received this message because you are subscribed to the Google Groups "Clojure" group. To unsubscribe from this group and stop receiving emails from it, send an email to clojure+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/clojure/16ea6172-1d5c-4ac5-976c-3e5223aeee66o%40googlegroups.com.