[creamytaco]

Reviewing code is the elephant in the room. Filosotile -perhaps out of ignorance or disconnect- fails to mention that the vast majority of open source projects (log4j being a great recent example) are absolute shit. Nobody should be building anything on top, nevermind giving the maintainers more money.

In-house development, software BOMs, rising of standards and multiple rounds of code review are the processes that the industry is shifting towards and for good reason.

[wpietri]

I would be fascinated to see your evidence that in-house code is any better on average than open-source code.

I haven't done a lot of consulting lately, so I haven't seen much in-house code in the last few years. But my experience is that the average in-house codebase is worse. And that makes sense from the incentives. Open-source projects that want more than one contributor need to be approachable enough that people join in. Whereas with most in-house code, people commit to working on it without ever seeing it. Switching to work on another open-source project is easy; switching to another job is hard. Open-source authors get to decide when to release; in-house code is generally driven by execs. And so on.

[pixl97]

As someone that has to support a lot of in-house code, yea, it's a bunch of crap too.

"Works good enough" is how our world generally operates unless under strict regulatory guidelines.

[creamytaco]

I worked at engineers-call-the-shots fintech and later SV shops for many years. No, their in-house code is not worse than open-source.

In fact one can safely say that top companies that attract top talent also have methodologies in place that lead to better than average code quality.

[the_af]

If you are comparing the top engineering shops to open source, you should also pick the top (quality) open source projects. Apples to apples.

Most in-house code is crap.

[the_af]

> In-house development

... keeps resulting in shit code, too! There's no evidence standards of quality are rising. In my own extremely limited view of in-house software -- i.e. my own professional experience -- code quality is crap, standard quality practices are very low and actually worse than in FOSS projects (I've seen someone mention more than once that "this crap PR simply wouldn't fly if this were an open source project, it's so bad nobody would want to review it!"), absolutely dumb bugs keep hitting production, and people think of automated testing as "that thing we don't want to do".

In-house code is just code you don't know is garbage because you cannot look at the code.

[moksly]

I didn’t say in-house code was good, but it does keep you from being exploited by things like what recently happened with NPM.

Companies genuinely don’t care about the software they use, as long as it works and isn’t hacked. This is especially true in non-tech enterprise. At my former place they still had hundreds of ASP Webforms with custom in-house ASP libraries that were utter shit, but they worked.

What I’m postulating is that this is the alternative to the current status que.

I’d personally love for NPM to review their packages, or for a big player like Microsoft to step in and make a more limited platform with reviews, but I just don’t think anyone is going to be willing to pay for it.

[the_af]

> At my former place they still had hundreds of ASP Webforms with custom in-house ASP libraries that were utter shit, but they worked.

But the same is true of open source. I thought you wanted non-shit software.

In-house software is easily exploitable and full of security bugs as well.

[moksly]

I think I’m too senior to believe in non-shit software.

I work in non tech enterprise. You’d think that things like the ransomware scandals, GDPR, the increased risk-awareness would have improved the business processes or management awareness or all the things are “corporate digital maturity” but the pressure to get things done fast with minimal resources has frankly never been higher.

In that environment we’re always going to have shit-software. If anything I agree with you, which is why I said that I thought that the current status quo was the best ever.

[moksly]

I didn’t say in-house code was good, but it does keep you from being exploited by things like what recently happened with NPM.

Companies genuinely don’t care about the software they use, as long as it works and isn’t hacked. This is especially true in non-tech enterprise.

At my former place they still had hundreds of ASP Webforms with custom in-house ASP libraries that were utter shit, but they worked.

[watwut]

The industry is nor moving towards multiple rounds of code review. Nor towards in house development nor away from using open source.

[creamytaco]

Every engineering-driven fintech company I know of (having myself worked there or having friends who work there) is doubling down on every single one of the processes I mentioned.

[geodel]

Yeah, and that is about 0.1% of total amount of software assembled and deployed in the world. It is like saying all my friends drink Evian water so that's the way we handle clean drinking water shortage in the world.