- Feature Articles
- CodeSOD
- Error'd
- Forums
-
Other Articles
- Random Article
- Other Series
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
Master of Frist
Admin
Wait.. No HTML comments?
What have you done to the real Remy Porter? :-)
Yazeran
Admin
"Their PRs end up being lengthy flamewars over whether or not they should be following policies."
Now that's trwtf. Just before the pr starts, go through all their old commits and get rid of any which don't follow policy. Then the pr goes 'you haven't checked in any valid code in the last six months, bye'.
Admin
I think there is a mistake in the example of malicious code. AFAICT it should read:
While a malicious config file would fail to do
user_case_conf['downstrem_script'] = 'my_hostile_script'
, it could easily douser_case_conf.__setitem__('downstream_script', 'my_hostile_script')
.Admin
Is the mistake 'downstrem_script' vs 'downstream_script', because that looks like a typo to me ?
Admin
It is never too late to fix the code. Incompetent people bitch about bad code, competent people refactor.
Admin
It is too late to fix the code if it has been delivered to the customer and they aren't interested in any updates.
Admin
If I were the customer and I saw a config file that contained arbitrary Python to be executed, I'd definitely be interested in any updates. In fact, I'd be demanding updates.
Admin
That's why you (I guess) and I are not customers, but developers.
The actual customer probably already implemented some "clever hacks" of their own meanwhile, so this "feature" may never be changed. Even if in the future the application will be ported to another language, they'll have to keep calling a Python interpreter or (more likely) emulate what they think is Python syntax to read those "config" files.
Admin
Ooh, I didn't spot that typo; the typo I was fixing was one with an
=
sign in the expression that wasn't supposed to have one.Admin
Unfortunately, refactoring doesn't make any money.
Although, I've been trying to explain to my coworkers that there are two ways to "make money": by increasing revenue and decreasing (subsequent development) costs.
Admin
Say goodnight, Gracie. (Really old guys will get it.)
Admin
Configuration files contain all kinds of security-critical content: Install paths, security policies, passwords, API keys, you name it. And no-one ever bats an eyelid at that. The simple fact is that most of the time, configuration files need to be subject to the same security constraints as the application they are used by. And using eval'ed snippets of code is absolutely a viable approach.
Gracie was right. George was wrong. Stupid won, and productivity suffers.
<quote> no one really expected to see those code paths change significantly. </quote> Famous last words.Admin
"Unfortunately, refactoring doesn't make any money." ... Preventing the unnecessary expenditure of money is functionally equivalent to "making money""
Admin
My coding standards:
Make it look as much as possible to the official tutorial. Everyone knows it, even you 2 months from now.
Admin
"Unfortunately, refactoring doesn't make any money." Another point - providing higher quality code leads to a higher reputation. Or, supplying code with gaping security flaws leads to a poor reputation when said flaws cause problems (either deliberately or accidentally). Reputation is valuable; it is much harder to gain than to lose.
Admin
Wow, you never bitch about bad code but go about refactoring all of it? Well, at least you'd have a job forever here...
Admin
And if you're about thirty years younger go for the Shatner reading.
Admin
I agree. This is a story about a person who used intentionally misleading mumbo jumbo about security to make a career move. Security is a great way to win arguments when management is involved, because security is poorly understood, but makes people vaguely scared - and what better way to make the scary thing go away than picking the "most secure" option. It's a dirty trick and it works every time, as any experienced developer knows.
Having a policy of involving management in minor tech disputes like this one sounds like an absolute nightmare. Involving management instead of having the dev team agree on their own kills productivity and fosters discord among the devs - except for the Georges out there, who can use the opportunity to manipulate their way up the corporate ladder.
Admin
I do both ... that way I look good twice over.
"I notice that the programmer of this module appears never to have heard either of code reuse or looping. Or, looking at it a little more closely, arrays, either. Or the singleton pattern. Or, well, never mind, I've rewritten it so it's now one tenth the size, and now it takes one twentieth the time to run."
Admin
We used to have plugin support not dissimilar to this in our application — after a number of (unintentional) cases where plugin code ended up interfering the application, I spent some time figuring out how to sandbox it... make it an actual plugin rather than letting the clients monkey-patch our code...
Admin
"George and Gracie"
Admiral! There be whales here!
Admin
Try telling this to some PHB. You not enterprise think. Subsequent will be after bonus payout.
Admin
A good hack goes right through the log into your foot.
Admin
Some Dunning Krueger at it's best!