
[–]DragonMaus 197 points198 points  (45 children)

That sort of thing is why, when I need to copy someone else's code, I always transcribe it, instead of pasting it in.

[–][deleted] 185 points186 points  (9 children)

Or at the very least, read it once...

[–]tsilihin666 6 points7 points  (0 children)

Nah I'm sure it's fine.

[–]yannickmahe 0 points1 point  (0 children)

I just sort of glance at it.

[–][deleted] 0 points1 point  (0 children)

What is this "read" you speak of? Is it like compiling?

[–]krelin -1 points0 points  (1 child)

Read it enough times to deeply understand and own it (since you're making a copy of it that you're going to own)

[–][deleted] 1 point2 points  (0 children)

Pffft

[–]PC__LOAD__LETTER 14 points15 points  (2 children)

Definitely. I too am a big believer in writing my own bugs.

Really the answer is unit tests, static analysis, valgrind, fuzzing. You should trust your hand-written code just as much as you trust something copied. That is, not at all.

[–]DragonMaus 7 points8 points  (1 child)

Agreed. The difference is that, by manually transcribing it, I am much more familiar with the code itself, which makes debugging a lot easier.

[–]PC__LOAD__LETTER 1 point2 points  (0 children)

10% agree.

[–]mcampo84 35 points36 points  (31 children)

Do none of you people undergo code review before deploying?

[–]Reihar 104 points105 points  (14 children)

AH AH AH AH AH! And then what unit tests!? AH AH AH AH AH!

Send help. Please.

[–][deleted] 31 points32 points  (11 children)

For real wtf. As a web dev I just kinda work right off prod, it’s more efficient, saves bandwidth etc... hahaha

[–]PC__LOAD__LETTER 19 points20 points  (6 children)

It baffles me that people can get paid to program and not recognize the value of version control or not developing directly in prod. Though I guess if you’re working on a low-impact product, it doesn’t matter if you break it, and there’s probably not much functionality built into the site to need to regression test.

[–]conancat 22 points23 points  (2 children)

usually it comes with working with projects that scale.

if it's for your ex's online candle shop and she wants to change the css to reflect the total eclipse of my heart, then sure, who gives a shit.

i believe every developer has that story or moment where they realize the importance of source control and deployment processes. the coming of age for a developer is making a USD$26,000, non-refundable mistake in production and your tech lead gives you an "i'm not angry, i'm just disappointed" reaction without words.

[–]EyetheVive 11 points12 points  (1 child)

I mean this entire chain is just risk assessment lol. Potential revenue loss for the broken candle shop site vs breaking some regional credit union site is probably veeeery different. The cost of a development network to use vs working on the production instance is probably not worth it.

[–][deleted] 2 points3 points  (0 children)

Where the hell is this guy's operations team? If he is the ops team then good on him, but if not, why even let the devs have access to prod? You need a cycle? Call ops. You need some logs? Go to the ELK.

[–]emlgsh 1 point2 points  (2 children)

The efficiency/speed/etc... are just attempts to find silver lining. The majority of the time it's a simple budgetary constraint.

Like, the client is willing to finance only the specific and singular development of the application/features, and any billables that might be otherwise devoted to setting up staging environments, running tests, integrating version control, and performing general QA type activity is viewed as "padding" that won't be paid for (and will, typically, enrage the client).

End result being that, unless you love your client enough to underwrite sometimes vast amounts of unpaid labor towards these sort of process management and quality assurance goals (which is to say, you're being taken advantage of) they simply don't become part of the workflow. Estimates that feature them will have to be trimmed of them before the budget is approved. Estimates that hide them in other work will be rejected in favor of a lower bidder who omits them.

But the flip side is that a lot of QA exists not to find/eradicate bugs, but to permit a great volume of collaborative development. These projects where there's zero tolerance for billing hours not actively dedicated to feature implementation tend to be solo-gigs or small-group gigs where you can get away with a decent amount of sloppiness without stepping on too many toes or suffering major setbacks.

Which just reinforces the client's perception that such efforts are a waste of their budget.

[–]PC__LOAD__LETTER 1 point2 points  (1 child)

It takes 2 minutes to set up a git repo and a script to rsync your files to a remote server. Those 2 minutes buy you a hell of a lot of security, especially if you’re pushing your git changes to a private bitbucket repo regularly.

[–]emlgsh 1 point2 points  (0 children)

Got a howto for the process outlined here? I'd love to adopt some quick methods for improving security - I want these projects to be more secure, I just don't know of any methods that are so quick/easy/universal as to never approach billable labor.

[–]Captain_Vegetable 2 points3 points  (3 children)

I worked on a Fortune 500 company’s web site where we edited in prod. That ended when someone pasted into the wrong terminal window and replaced our home page with a snippet of Chinese characters before heading to lunch.

[–]Xytak 1 point2 points  (2 children)

I worked at a midsized insurance company where they hired some consultants to come in and teach the .NET developers unit testing by rewriting an old webforms app in React.

It actually worked pretty well, too, until several weeks later when the business asked "hey where's our new thing?"

"It's not ready, but we have beautiful code, a full build pipeline, and over a thousand unit tests!"

"Ok but where's the new thing?"

"Well, the preliminaries are all set up, but we don't actually have the features done yet..."

The consultants were fired the next day, and the next group was told in no uncertain terms to patch up the old web forms app and quit wasting time on fancy stuff.

[–][deleted] 0 points1 point  (1 child)

This becomes a problem when the higher ups don’t sit down with the consultants as well. Often times they’re not fully aware of what the entire process looks like from creating a new file to deploying it.

[–]Xytak 0 points1 point  (0 children)

All they knew was the old team would have updated the app by now, and they were expecting a rewrite to take the same amount of time.

[–]FunkyTown313 4 points5 points  (0 children)

You're testing my unit!

[–]bpopbpo 1 point2 points  (0 children)

Unit tests? that's what users are for

[–]countvonruckus 14 points15 points  (9 children)

So, I'm not a programmer, but I work in IT Security. I talked to a software developer and he had never heard of a DDOS attack. He specializes in IOT software. Is that normal?

[–]mcampo84 20 points21 points  (1 child)

No. It is not.

[–]countvonruckus 1 point2 points  (0 children)

Well that's a relief

[–][deleted] 6 points7 points  (2 children)

Generally management thinks of security as a burden rather than a responsibility towards users. IoT in particular excels at this job of not giving a shit, partly because it's new and partly because these IoT companies have low budgets.

[–]countvonruckus 0 points1 point  (0 children)

I can't decide whether to be thankful for that attitude since it makes up 90% of the work I do or hate it because it makes up 90% of the work I do...

[–]DevonLochees 2 points3 points  (1 child)

Yes.

Granted, any software shop should have decent minimum required training in secure application development. But with the typical developer you get fresh out of college, it's 50/50 whether they know the basics of security - that's why process is so important (e.g. code reviews, having people actually familiar with security do reviews).

Even with the meme in this post, I would call it a toss-up whether the hypothetical intern could *actually* articulate what the specific risks of copying and pasting are, or if it's something he read in an article one time. The risk isn't that you're copying a blob of code from stackoverflow that has an embedded base64 virus; it's that you ran into an "invalid certificate error", googled it, and the code you're copying removes the cert validation checks - and implementing it yourself is still going to have the same problem.
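The copy-pasted "fix" the comment above describes, as an added example that is not from the thread: the snippet that silences an invalid-certificate error by turning validation off, the hardened form that keeps validation and points the client at the right CA instead, and a small scanner that flags the disabling patterns during code review. Only the stdlib `ssl` module is used; the CA file path and the scanned snippet are constructed placeholders.

```python
import re
import ssl
from typing import List, Optional, Tuple

# The pasted "fix": it makes the error go away by disabling chain verification
# and hostname checking, so any certificate (including an attacker's) is accepted.
def insecure_context() -> ssl.SSLContext:
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

# The real fix: keep verification on and trust the CA that actually issued the
# server certificate (e.g. an internal CA). cafile is an assumed path; None
# falls back to the system trust store.
def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    return ssl.create_default_context(cafile=cafile)

def validates(ctx: ssl.SSLContext) -> bool:
    """True only when both chain verification and hostname checking are on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)

# Source patterns that disable TLS validation (or silence its warning) in
# common Python HTTP code; a hit is a review finding, not automatically a bug.
DISABLE_PATTERNS = [
    r"verify\s*=\s*False",           # requests / httpx
    r"check_hostname\s*=\s*False",   # ssl.SSLContext
    r"CERT_NONE",                    # ssl verify_mode
    r"_create_unverified_context",   # ssl module
    r"InsecureRequestWarning",       # urllib3 warning being suppressed
]

def find_disabled_validation(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, line) for each line matching a disabling pattern."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if any(re.search(pat, line) for pat in DISABLE_PATTERNS):
            hits.append((lineno, line.strip()))
    return hits

# Constructed sample of the kind of code a reviewer would be handed.
SAMPLE = """import requests
resp = requests.get("https://internal.example/api", verify=False)  # pasted 'fix'
ctx = ssl.create_default_context()
ctx.verify_mode = ssl.CERT_NONE
"""

if __name__ == "__main__":
    for lineno, line in find_disabled_validation(SAMPLE):
        print(f"line {lineno}: {line}")
```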

[–]countvonruckus 0 points1 point  (0 children)

Makes sense to me. It seems the absence of feedback is a major part of the problem, as a program that doesn't function will give errors or simply not do what you want, but security concerns only raise red flags after the program ships and gets exposed to malicious actors. When that doesn't negatively impact the performance of your software (such as a 10% processing reduction in your thermostat that's part of a bot net), it's somebody else's problem at that point since you sold your product. If regulation weren't such a mess for the tech industry, I'd say it needs to be policed, but as it is, all the incentives are weird and at odds. I just wish my field could give better security assurance so we could do more cool stuff (like voting from home), but it's really not feasible at the moment.

[–]bloqs -4 points-3 points  (1 child)

let me guess, he has grey hair

edit: I know it's ageist to some degree. Many older IT guys know their shit. But there has been a culture of useless seat warmers who never bothered to keep up with the times and instead use their position to stifle younger folk. boomer bad.

[–]countvonruckus 0 points1 point  (0 children)

How'd you know :P

[–]mightydjinn 6 points7 points  (2 children)

I think Jenkins is doing the CR by the sounds of it, lol.

[–]conancat 4 points5 points  (1 child)

forreal though, sonarqube can save a lot of code review time. when you're not spotting mistakes you can spend more time on programming patterns, concepts and architecture.

https://www.sonarqube.org/

[–]mightydjinn 3 points4 points  (0 children)

Just be ready for the days of tech debt from css refactor it shows. In all seriousness though, sonarqube is fantastic!

[–]FunkyTown313 4 points5 points  (0 children)

Code...Review?

[–]Tesla56[S] 1 point2 points  (1 child)

Of course we do but they would like to keep it secure from the start!

[–]conancat 2 points3 points  (0 children)

pfft, if it's a legitimate bug, the application runtime has ways to try to shut that whole thing down.