Hacker News new | ask | show | jobs
by disintegrator 173 days ago
My understanding is code reviews are needed as part of SOC-2 compliance. More to supplement automated testing than explicitly mandated. In other words, it makes auditors happy to check off the requirement about verifying changes going to prod.

The remarks about code comments are little too extreme in my opinion. Some code can be difficult to understand at face value. Like I’m writing a Vite plugin and it has code like this:

    const moduleId = "virtual:mypkg";
    const resolvedModuleId = "\0" + moduleId;
Unless you’ve written Vite/rollup plugins, which many folks haven’t, you’re going to appreciate a comment that at least points to some docs.

If anything, succinct code comments that explain obscure conventions or describe relevant critical requirements are worth their weight in gold because they are valuable tokens for a coding assistant.
2 comments
disintegrator 173 days ago
I generally think most of the points made in the article are a little too extreme. Even feature flags are valuable if you’re trying to get something up for certain key customers to give feedback on while you iterate as an example. There is some hygiene required around maintaining and removing flags but I think that’s in the same bucket as writing tests, updating dependencies and refactoring code: worthwhile effort that additionally unlocks testing in production.
link
philipallstar 173 days ago
> I generally think most of the points made in the article are a little too extreme. Even feature flags are valuable

From the article:

> I definitely think you should use feature flags - just not abuse them.

link
AntonZ234 173 days ago
I don't think the right solution is to have the opposite of them - all of them have some value. The point of the article is to not follow them blindly.
link
justincormack 173 days ago
SOC 2 is in theory not that dogmatic about how reviews happen, and I do know people who do reviews after merge and deployment for example with soc2. You need to have compensating controls and work with your auditor. Most people just go with the default of reviews pre commit.
link
disintegrator 173 days ago
Yep, no dispute here. It's just that my and other people's experience is that SOC2 controls are usually passed down by edict and whether you review before or after merge, there's typically (from my experiences at SaaS/Fintech) some form of reviews happening. I've done both styles in the same company for different reasons.
link