CI system maintainability

Boudhayan Gupta me at baloneygeek.com
Thu Mar 28 15:04:01 GMT 2019


Hi,

On Thu, 28 Mar 2019 at 15:21, Kevin Ottens <ervin at kde.org> wrote:

> Hello,
>
> On Thursday, 28 March 2019 14:33:59 CET laurent Montel wrote:
> > I am against to force mandatory review, as it will create a lot of lose
> of
> > time,
>
> As I said, unpopular.
>

I don't get why mandatory code reviews are so unpopular.

I don't care if you lose time. I don't want the guys building my house to
cut corners mixing my concrete because it's going to save time. Why are you
in such a massive hurry to make changes to software which for example holds
access to my Google Account password? In fact, the very fact that you make
this argument makes me wonder if I'm running trustable code on my computer
at all, because apparently doing it quickly is far more important than
doing it right.

As a user, I simply do not want unreviewed crap running on my computer.
Yes, crap, because no software engineer writes bug-free code all the time,
and if you're so overconfident that you don't need reviews on even your
one-liners, you're probably too overconfident to be writing good code
anyway, so I'm going to operate on the presumption that if the code hasn't
had more than one pair of eyeballs ever looking at it, it's crap.

As a developer, I know that even one-liners, and especially one-liners, the
sort where you think "meh, this is a tiny little thing, I don't have to be
careful" are the ones that have the most dangerous typos and unintended
bugs. Reviews catch that.

In a project like PIM, if the code hasn't been through review, which
independent party do I trust to verify that you're not, for example,
leaking my Google password to some world-readable tempfile? Do you really
expect every user to read the entire codebase for themselves and make sure
that's not being done? The whole point of having all the code out in the
open for independent audit purposes, to protect your security and privacy
and what not is completely moot if no one else actually looks at the code
anyway. And let's be honest, the code quality of some of KDE's projects - I
wouldn't touch them with a six-foot pole. The ones I would touch though,
all have multiple people looking at the code and reviewing everything that
goes in.

Let me be very clear - even if you're the best damn programmer on the
planet, if *you* wrote the code, I do not trust *you* one inch to tell me
that that code is correct. That verification needs to come from someone
else, someone who does not have a conflict of interest in seeing that code
get into production. This is nothing personal, this is confirmation bias on
the author's part which leads to issues that even though they might be
infrequent, usually have catastrophic impact.

And if "culture" trumps over engineering best practices, it follows that I
should just stop using software produced by this entity because who knows
what it's doing.

Thanks,
Boudhayan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/plasma-devel/attachments/20190328/9cf65de2/attachment.html>


More information about the Plasma-devel mailing list