[ozim]

I might be security LARPing but if someone doesn’t need to read the code to be able to do his job he just shouldn’t have access to do it.

Person might have been trustworthy when they were hired and they might change their mind at some point.

Even better - they still might be trustworthy but their computer got compromised and someone might be using them.

Maybe some other employee has problems with them and since they have access malicious employee can indicate trustworthy one in some way. Like posting copy of code somewhere online with nickname used by that one.

I know such things don’t happen often but even for mundane things like phone numbers you just don’t give phone number of your friend to a person you both know without asking that friend in first place.

[genmud]

I’m an actual security guy, been doing it for nearly 20 years (before it was a thing). I’m of the opinion that if I can’t trust people to look at code, they shouldn’t be at the company. Period.

There are very few use cases where I believe read only access to code from people in product, engineering or support should be restricted. Generally the net benefit is well worth the potential risk introduced.

If you are worried about people stealing source code, invest in a DLP or CASB solution. If you are worried about ransom, don’t allow changes without PRs, implement a backup program and harden your endpoints. Not allowing people to do things that helps them understand the systems they work with is a recipe for shadow IT and promotes organizational silos.

[dzhiurgis]

Kinda get your sentiment, but you missed parents point. Whoever creates tickets SHOULD be able to at least skim code, do basic PR reviews, test a build. "I create tickets only" sounds like a toxic role.

[apologia]

Exactly. If you are capable enough to file useful tickets you are capable enough to read the code, run it locally, test out changes, tweak copy, etc.

You are wasting money paying people to write tickets and not read code.

[ralferoo]

I think you have a very narrow view of software development practices. In most companies I've worked at, most tickets are created by the QA team, few of whom have ever seen the source code and there's no reason why they'd ever need to.

They raise a ticket about the problem they encounter, and then other people triage it and try to find a way to reliably repro the issue, and then it gets passed to the development team when there's something actionable.

[dzhiurgis]

I've worked in various companies as a developer and my worst experiences were where access to code is restricted, but BA's create these esoteric tickets with about 3 words in description...

I'm happy for them to raise tickets within their realm (and by the way lets not conflate support tickets vs actual work items), but please have some manager sift them thru into something meaningful.

[atonse]

What’s toxic about it? Tickets have a business need. They may have notes on implementation but if they aren’t serving a business need why do they exist?

[dzhiurgis]

IMO business needs shouldn't be a ticket - have some refinement first then explain clearly what do you want me to do.

IDK why it's hard for me to explain my sentiment, but I've worked in corp environments with large teams of averages using JIRA vs small teams of smart remote people. In the later my tickets were almost always very clear resulting in 1 or 2 short and tactical meetings per week. In corp environment I have 10 meetings per week spanning hours. The productivity is easily 10x worse.