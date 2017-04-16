Become a fan of Slashdot on Facebook

 


Forgot your password?
Close
typodupeerror
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 internet speed test! ×
Programming IT

Ask Slashdot: How Would You Stop The Deployment Of Unapproved Code Changes? 58

Posted by EditorDavid from the tested-in-production dept.
Over a million lines of code -- in existence for over 10 years -- gets updates in six-week "sprints" using source control and bug-tracking systems. But now an anonymous reader writes: In theory users report bugs, the developers "fix" the bugs, the users test and accept the fix, and finally the "fix" gets released to production as part of a larger change-set. In practice, the bug is reported, the developers implement "a fix", no one else tests it (except for the developer(s) ), and the "fix" gets released with the larger code change set, to production.

We (the developers) don't want to release "fixes" that users haven't accepted, but the code changes often include changes at all levels of the stack (database, DOAs, Business Rules, Webservices and multiple front-ends). Multiple code changes could be occurring in the same areas of code by different developers at the same time, making merges of branches very complex and error prone. Many fingers are in the same pie. Our team size, structure and locations prevent having a single gatekeeper for code check-ins... What tools and procedures do you use to prevent un-approved fixes from being deployed to production as part of the larger code change sets?
Fixes are included in a test build for users to test and accept -- but what if they never do? Leave your best answers in the comments. How woud you stop un-approved code changes from being deployed?

Ask Slashdot: How Would You Stop The Deployment Of Unapproved Code Changes? More | Reply

Ask Slashdot: How Would You Stop The Deployment Of Unapproved Code Changes?

Comments Filter:

  • That right there is a part of the problem. Software testers report bugs. Hints about potential bugs can come from end users, but end users are not software testers.

    There is no substitute to a really good (professional.... and paid) software tester that and reliably reproduce bugs that need to be removed. If anything, they are far more valuable than even code monkeys writing thousands of lines of code per month (something also largely irrelevant for quality software). If anything, I would pay the softwar

  • WTF? (Score:1)

    by Anonymous Coward

    Fire the manager. This sounds like very bad management. This is a process to follow, not a tool to blame when developers fuck up.

    I used to work as a QA manager. What I tested and accepted was generally committed and released on my OK and the senior Dev was rational and sane so we were almost always on the same page. The one time we really disagreed, he reminded me I wasn't his boss. I agreed, then repeated previous points made by our shared boss, and then he promptly gave in. Our boss was really good at

  • In addition to the feature branching you could also look into feature toggles. A feature toggle is a variable used in a conditional statement to guard code blocks, with the aim of either enabling or disabling the feature code in those blocks for testing or release. While this approach would not prevent unapproved code from being in a release, it would act as a gatekeeper to determine if a specific feature should be exposed to the end user. I however am not sure how you could address your concern for the dat

  • More money, better computers, whatever it takes - get a subset of the users on board to test the new code before it's final.

  • If it's not strictly a bug fix, feature flags are a good way to go. Keep a standard of adding any reasonably sized addition behind a feature flag. That way it's easy to turn on/off your new button, or swap between two methods of doing something.

    If it's testable, have a code review and release process built around difference testing. Reviewers have to sign off on the externally visible differences in the code's effect. Release engineers can close bugs based on expected diffs and reject releases in the fa

  • isn't this pretty straightforward? (Score:3)

    by ooloorie ( 4394035 ) on Sunday April 16, 2017 @11:20PM (#54247087)

    Fixes are included in a test build for users to test and accept -- but what if they never do? Leave your best answers in the comments. How woud you stop un-approved code changes from being deployed?

    - You set up the central repository to only accept code if it can be merged and results in all tests passing.

    - You make sure that there is defined code ownership and that people can only change code with a review and with the approval of the owners, also enforced by the source code control system.

    Long-term, there are two more things that should happen:

    - Developers need to learn how to break up large diffs into many small, individually testable diffs.

    - You need to break up your codebase so that it's not a single project with 1Mloc, but 50 small projects with 20kloc each.

  • Presumably you tagged the sources that went into the build that went to your customers?

    If you did, when you make bug fixes you need to check out against that tag, not to the bleeding edge code where new features are being added.

    Depending on how many fixes there are and how complex and messy the source tree is, you can either try to merge the changes into your bleeding edge code base or make the changes twice. In general, if the bleeding edge is being vigorously refactored or otherwise aggressively reorgani

  • and the "fix" gets released with the larger code change set, to production...

    The problem here is that the fix "gets released." I agree, that it seems like releases should at least have the criteria that at least one other person has reviewed the code being released. Otherwise, they have the criteria that one person decided to release it (by definition.)

    I think you could create a system by which pull requests are approved by someone other than the person that created them, and then, after it's been approved,

  • MODULE based languages help by isolating code changes to smaller chunks that are more easily tested.

  • Step One (Score:1)

    by Anonymous Coward

    Step one is to get high-level management to understand and agree with the risks as well as to understand and agree with the costs of preventing them.

    You would think that this is a no-brainer, but its not. I've listened to a COO tell me from across a boardroom table that they have to be able to bypass deployment processes for business-critical hot fixes because time is of the essence in those situations, and that was the end of it. So what you've got is that in an "emergency" an "informal" approval from an

  • Microservices (Score:3)

    by lucm ( 889690 ) on Sunday April 16, 2017 @11:45PM (#54247183)

    When people are worried about changes in "many layers of the stack", it's usually a good time to re-architect the system and build microservices. Basically, you get the entire stack in every microservice and you stop worrying about ripple effects; you upgrade or troubleshoot things at a much smaller scale.

    I highly recommend this book:
    https://www.amazon.com/Buildin... [amazon.com]

    It explains how to achieve this, including how to deal with the tough parts like the database layer.

  • Developer's head on a pike as a warning to others. The hint will be taken, I promise.
  • This link [youtube.com] is great in relation to how Linus deals with a huge distributed codebase. It's actually what convinced me GIT was superior to SVN.

  • You lay down a CVS Tag and the build technician builds from it. Releases are clearly identified with an MD5 identifier.

    If only one official binary exists, it's what people will run.

  • Next person to release an untested line of code will play the piano for us *SLAM*

  • for testing. That means full blown test environments as well as time in the user's day or a special team to test bug fixes. Also if you go with a team don't outsource that team to the lowest bidder. They'll just pass everything as "OK" and spend the rest of their time looking for a better job. Hire somebody, give them a decent salary and benefits.

    Unless testing really isn't that important. Depending on your needs it might not be (despite all the indignation that engenders). One thing I've learned about
  • Obviously, you'd allow the "community" to look at bugs and submit issues, but it seems as though in trying to prevent bad blood, there's no chain of command in these kinds of projects. The person with the highest bug fixing record gets the final word, followed by the "new features team" rather than adding features and then try to fix conflicts; this is where the original author of the project has the final say over the top bug fixer if they aren't one in the same. If multiple solutions exists to a bug, offe
  • Tools are one route, but they will take time & money to implement which you may not have and don't usually resolve the underlying problem of lack of responsibility or process. There are numerous integration tools that can bring together your source control, testing suites & feature tracking tools. In addition DevOps and release management software can provide automated workflows but again you are talking a rather large spend in time, money or both.

    Communicate
    Remove the stigma that developers can

Slashdot Top Deals

It's not hard to admit errors that are [only] cosmetically wrong. -- J.K. Galbraith

Close