[gleenn]

I find the lack of tests pretty appalling for this code. How do people ship code and never see something like a user login failure case etc. People talk a lot of trash about TDD, but I feel like a lot of senior devs make this highly egotistical "I know better" argument all the time and I've seen a lot of hot garbage for code because people were too busy to write the test.

[lbriner]

I think the challenge is that unless you consider and write the tests first, it is easy to create tests that pass. Test ssl verify? Easy, just mock it returning 1 and the code passes. In real life, however, maybe the return value is -1 and maybe that doesn't work.

Maintaining tests for these sizes of projects is probably quite arduous too. I don't disagree but I still think there are many genuine reasons there are no/not enough tests around this sort of code.

[gleenn]

Genuine reasons but ones that still aren't good enough right? There shouldn't be some bar where it was just so difficult on the developer to ship broken security code. If it's that hard, stop writing critical software components and go home.

[danuker]

Would tests have found the 1-in-256 password issue for MySQL?

Perhaps property testing, like QuickCheck. I don't think that is exactly TDD.

But I agree with tests and TDD in general.

[pards]

> I've seen a lot of hot garbage for code because people were too busy to write the test.

I've seen a lot of hot garbage for code because people were too busy writing the tests and ignoring the readability and idiomatic norms of the production code they were writing.

[gleenn]

I firmly believe in TDD where you write the test, watch if correctly fail, make the test in the simplest possible way, and then refactor to make it more readable or idiomatic. Red, green, refactor. I'd rather try and fix ugly code that has tests than try and fix ugly code with no tests. Doing the latter is almost impossible sometimes because you don't even know the exact intent of the code or why some edge case is there etc.

[euroderf]

"the lack of tests pretty appalling" => "your lack of tests disturbing". You're welcome :)