by tbrownaw 1967 days ago
> The commit that added this flaw to sudo claims to fix a parser bug but includes no tests. There is no reason for the author, the reviewer (if there even was such a person), or anyone else to believe that the bug existed or was fixed by this change.

"The PR does not include tests" is not the same as "nobody performed any tests" is not the same as "nobody actually noticed a bug".

And of course, it's perfectly reasonable to form beliefs about code from reading it.

3 comments

Tests you perform locally should probably be described, if not encoded into something that other people can run as well.
"You can't prove no one tested that!" is not really a good basis for robust software design.
In addition to the value of repeatability, it’s just being a good human to show and share your work.
> And of course, it's perfectly reasonable to form beliefs about code from reading it.

Broadly yes, but it would be hubris to claim you can tell the correctness of all code from merely looking at it.

For some code you should be able to do this, and if you can't then I don't think you should be writing code.

Coding is not brute forcing. I feel like this is taking an extreme position at the complete opposite end from not testing anything.

EDIT: Misread the comment I replied to. I agree that it is not likely that anyone can tell the correctness of all code from merely looking at it.

For some code, yes. What about a complete refactor of the core functionality of said program, with parallelism and the like?
I misread the comment, I think, but either way I am not arguing against automated tests; I was just trying to point out that for some fragments of a code base you should absolutely be able to tell correctness by looking at it.