|
| gandutraveler wrote:
| On top of what others have already flagged this is a big no for
| any companies security & compliance. Why would any company share
| their private codebase ?
| ddm379 wrote:
| Disclaimer: I'm Dan Mateer, COO at PullRequest
|
| Great question; security and compliance is a very big
| consideration for our customers. All code review on PullRequest
| is done within the platform, engineers in the PullRequest
| network cannot clone branches like in a garden variety source
| control, and we have a number of tools to give clients as much
| control as possible as to what our platform and engineers in
| our network are exposed to (e.g.,
| https://docs.pullrequest.com/pullrequest-docs/code-review-
| se...).
|
| We work very closely with our customers to ensure
| configurations are set up to provide our engineers with
| adequate context while limiting or outright restricting
| exposure of things they want _private_ private.
|
| This is also a big part of why PullRequest Reviewers are by and
| large restricted to US-based engineers. This ensures accuracy
| and consistency of criminal background checks and ease of
| enforceability for our non-disclosure agreements. From a legal
| risk assessment perspective, using PullRequest is similar to
| hiring a technical consultant.
| nathanielarmer wrote:
| I'm a reviewer on PullRequest, and thought I'd share some
| perspective. Happy to answer any questions in comments.
|
| Background - I've built and led engineering teams at multiple
| fast-growing startups. In doing so I've seen the incredible value
| PR's can provide, but also the huge cost of them on small teams.
| I review on PullRequest part-time as I work full-time building a
| startup.
|
| Many of the critics here are right. The PullRequest service won't
| catch every bug. As reviewers on this service, we lack context*
| to fully understand the impact of every code change.
|
| However, this can be a blessing in disguise. As an outsider, I
| bring an entirely different set of context to the project. I can
| see errors or improvements that teams have become blind to, I
| don't have the pressure of shipping for X release, and I've often
| been not only where these teams are, but where these teams want
| to be in X months.
|
| This is all done without using any man-hours on the client team -
| which is often a critically short resource.
|
| Ultimately the proof is in the pudding, I raise comments on
| almost every single review I do, raising from best practice to
| architectural to security vulnerability, and the majority of the
| time teams take that feedback onboard.
|
| Other QA:
|
| Where are you located? I'm located in San Francisco.
|
| Who approves PR's? I tend to consider my role to advise and
| sometimes mentor. I will give opinions, but it ultimately the
| client's job to approve/reject PR's.
|
| My code is great, I don't need this! Have you tried it? As an
| outsider, I catch peoples blind-spots. That said, PR is always
| looking for great reviewers to join the team!
|
| * It's worth noting, that between seeing the code, optionally
| having access to the full code base, and asking questions of
| developers - I develop a decent mental model of most projects.
| Jach wrote:
| Here's a question: do you get pushback about "best practices"?
| (Sometimes really just "standard practices".) If so, which ones
| in particular? And do you actually continue trying to explain
| why it's a good idea, or just throw up your hands with a
| feeling of "I gave my advice, they can ignore it at their
| peril".
|
| Having actually convinced people of the value of certain
| practices (like favoring fast focused unit tests over slow
| broad integration tests that happen to require the full system
| to be running), which leads to smoother and more succinct
| reviews in the future -- like "please add tests" doesn't even
| need to be said if the developer values them and already wrote
| some -- I don't know if I'd put up with the stress of having to
| fight the same battles week after week with a new group. Though
| I suppose it's possible that you might get good at convincing
| people of a certain thing, and the ease of convincing can
| reveal whether the thing is really closer to "best" or just
| "standard".
| nathanielarmer wrote:
| I've gotten pushback on best practises, especially from more
| junior developers or developers on a tight deadline.
|
| I do C# and one common, yet trivial example is poor naming
| conventions.
|
| As a reviewer we have certain tools we can use to encourage
| change: * We can make comments low priority, so the advice is
| there, but it's skippable. * We can make summary comments,
| that are opinionated but don't expect any immediate or direct
| resolution (great for architectural thoughts). * We can
| include example code snippets in our comments. This reduces
| the burden for the developer to adopt a certain change. I've
| even gone to the extent of writing small programs to validate
| a refactor or prove an error exists. * Sometimes it's not an
| error, but how that company wants X done. We take note of
| these for future reviewers.
|
| Overall, this is a diplomacy game, the only power we have is
| soft power. I find it good practise, as I'm typically a
| direct kinda guy.
|
| Results?
|
| I've seen a lot of developers, after being introduced to new
| ways of working, implement that on later PR's. Sometimes
| immediately, sometimes after it arises a few times. Examples
| include improved naming, better code structure, usage of
| newer language features, more clarity in the code, or better
| SQL injection protection!
| Jach wrote:
| Thanks for the reply! It's nice to hear that a lot of devs
| are receptive to change and aren't treating the service
| hostilely. I like that there's categorization with
| expectations encoded in the category, I can see it helping
| a lot of things. A huge chunk of my reviews used to be in
| Code Collab, which... lacked certain desirable things. (But
| it got right a few others, so using it wasn't a totally bad
| tradeoff.) One of those I wanted was useful categories --
| by default you just have review comments with the only
| alternative being a bright red Defect comment that would
| block closing the review until addressed -- but it was
| rather annoying to all parties and so few people used it.
| Different conventions arose to try and address the issue
| but they tended to be team specific. One of my own was
| prefacing those low priority things with "Nitpick: " or
| similar like in "Nit: add space between if and (". Another
| convention came from being able to make file-level comments
| that aren't targeted at a particular line, the reviewer
| might preemptively check off the file if they don't expect
| any action and it's just broader discussion/commentary, or
| leave that step undone until some sort of response (maybe
| just clarification) or possibly broad code changes has been
| done.
|
| I've sometimes had trouble convincing some older
| programmers about using new (or even not so new but
| slightly 'advanced') language features like Java lambdas or
| Optional or generic types (juniors/interns were often aware
| of and happy to use the new stuff already), to the point
| that for specific individuals I'd just give up and focus my
| review efforts on other aspects. However if I ended up
| touching that code myself later on, or someone else did
| whom I was reviewing, I'd use those newer
| features/encourage the other person to use them if they
| weren't already, and if the original person ever came back
| to it they'd face an argument of local consistency against
| trying to change it back to using the old ways. It seems
| like the approach of longer-term encouraging and supporting
| a pocket of engineers pushing for better practices would
| actually work with this service given the ability to make
| notes for future reviewers. Another flaw in Code Collab was
| its atrocious search which made it hard to find prior
| reviews about a set of files.
| ssully wrote:
| I see a lot of comments regarding lacking context/knowledge of
| the full system/integration. I get that, but I think there is
| real value here. I have absolutely worked on teams where they
| were fire fighting for months at a time, where there were 1-2
| developers total, and just not enough time or resources to do
| proper code reviews. While this service could miss big picture
| things, it could absolutely catch low-mid tier issues.
|
| My biggest issue would be from a security perspective. The
| background checks and everything are nice, but there are some
| systems I would just never let this service touch.
|
| Overall, this is interesting! Wish the team behind it the best of
| luck.
| imglorp wrote:
| I hope my boss doesn't think, "It's cheaper to pay for this
| service than for us to review our own PRs. Outsource ++!"
| GrahamCampbell wrote:
| Cheaper in the long term to do both. :)
| est wrote:
| I hope it can review popular code on github.com automatically.
| [deleted]
| jcadam wrote:
| I received an invite to pullrequest nearly a year ago, filled out
| the application, and never heard from them again.
| grenran wrote:
| There's no way that Google would actually use this service.
| ceejayoz wrote:
| SaaS apps tend to slap a logo up when there's a single free
| trial account with a @google.com email address.
|
| (In this case, they seem to be claiming Google engineers are
| moonlighting as reviewers, not using the service for reviewing
| Google's code.)
| adamnemecek wrote:
| Google has invested in pullrequest and some engineers review
| for pull request
|
| https://techcrunch.com/2017/12/07/pullrequest-pulls-
| in-2-3m-...
| pledg wrote:
| They have the Google logo in both "Work with world-class
| engineers" and "See why thousands of teams trust
| PullRequest". With the latter being next to the customer
| testimony section, if they are only suggesting that Google
| engineers do the reviewing that's quite disingenuous.
| walterbell wrote:
| _> expert engineers backed by best-in-class automation._
|
| "Automation" = static analysis or something like
| https://codeql.github.com/?
| GrahamCampbell wrote:
| I have performed reviews on pullrequest.com, and lack of context
| tends not to be an issue. Code review is an interactive process,
| where questions can be posed to the PR authors, and PR reviewers
| have access to search the codebase. Customer success at
| pullrequest.com also provide context for the repo and
| organization working practices, attached at the top of PR
| descriptions, to help reviewers with context and to know what
| kinds of feedback are useful. Sast and Dast are still not
| sophisticated enough or widely used enough to be good enough. In-
| house senior and principal engineers often do not have the time
| to be on top of every repo and every PR in their organization,
| and need to outsource an extra pair of eyes. It is highly common
| that I am reviewing codebases that do not have any Sast or Dast,
| or have workarounds to silence the tools, resulting in bugs and
| security issues slipping through. It is very rare that I am able
| to approve PRs without comments, even after an internal review
| has taken place!
| dm03514 wrote:
| > Code review is an interactive process, where questions can be
| posed to the PR authors, and PR reviewers have access to search
| the codebase.
|
| I also performed reviews on pullrequest.com (~2+ years ago?). I
| firmly believe code reviews are an interactive and knowledge
| sharing process but was explicitly told NOT to ask questions
| during pull requests, but instead to make statements focusing
| on bugs and style.
|
| Based on the comments here, this def looks valuable to some of
| pullrequests.com customers. I believe this is more of a human
| acting as a safety net, or risk mitigation strategy, and loses
| the majority of the value that pull requests can provide to an
| organization.
| spmurrayzzz wrote:
| Just curious about the flavor of code you were reviewing. Can
| you elaborate a bit on that? Specifically - any software
| integrations with hardware? E.g. maybe a distributed cloud
| service that talks to on-prem firmware or similar (think IoT,
| cisco/juniper network gear, etc).
|
| There is a whole class of software that I can't imagine someone
| could come in blind to and offer any real value to necessitate
| the balance sheet exposure. But I'm very interested to hear if
| folks there have had to do this (yourself or others).
| skeeter2020 wrote:
| This reminds of the first (and only) time I had a full 360 degree
| review: contradictory, zero-context opinions from people I don't
| know very well who haven't earned the right to interact with me
| in a way required for this minefield of feedback.
| andrewmwatson wrote:
| I've been a reviewer on PR for a couple of months now and it's
| been amazing. I've gotten to help dozens, maybe hundreds of
| developers improved their code, fix security, readability,
| testing and lots of other issues. Sometimes the PR is short and
| the review is short but sometimes it's much more involved and
| I've had the opportunity to really explain things and educate
| people in a way that no lint checker could. I'm able to apply the
| wealth of my experience and knowledge with specific guidance
| based on things I've learned from building software for 22 years.
| I can't think of another way that a company could gain access to
| that kind of guidance for only $699 a month.
|
| I can go into detail explaining how to safely and reliably
| structure something and the feedback I get from the developers is
| positive and appreciative. I also collaborate with other
| reviewers about things we're seeing and I've learned a ton in the
| process because the other reviewers they've all got such a depth
| of experience and knowledge in different areas.
|
| I don't do reviews full time, I have a day job, but I've been
| earning about $1000 a week doing it just some nights and weekends
| and that has been really great too.
|
| Overall, I think PullRequest is an enormously positive thing for
| its customers and the reviewers. We're not trying to replace
| people's existing review processes if they have them. Our goal is
| just to add to our customers' capabilities and I think we're
| going very well at that.
| janikvonrotz wrote:
| Marked as spam.
| lmilcin wrote:
| Except I don't believe in code reviews. Over the years I have
| experimented with pair programming and I think it is way better
| solution.
|
| The one catch with pair programming is that some people just
| prefer to work alone and it is really draining to be talking
| constantly for couple of hours. I have modified the system to do
| on/off pair programming (ie. split up a little bit of work,
| rejoin later in the day, share what we have done, and work a
| little bit together).
|
| The basic, unsolvable issue with code reviews is that the review
| is done _after_ the code has already been written. As you know,
| the cost of fixing a problem is larger the later in the process
| you catch it. Pair programming aims to accomplish the correction
| while the code is being written.
|
| Another huge problem is that, because the reviewer is not taking
| part in the development, he/she does not have the same level of
| understanding of what was supposed to be done.
|
| Also, code reviewers are typically disincentivized from doing
| review well:
|
| * They have other tasks to accomplish, review takes their time
| away from those tasks but the deadlines are not pushed
| automatically,
|
| * The review tends to land at a random point in time disrupting
| their flow -- they have something else in mind already and they
| want to switch to their work as quickly as possible -- meaning
| they will not want to get into great detail with understanding
| the problem.
|
| This causes reviews to usually be very shallow and focused on
| trivia. Usually, I see reviewers read the code file by file line
| by line, hundred times faster than it was written. It is
| absolutely impossible to verify a large change like that and this
| guarantees that they will not actually verify it thoroughly.
|
| Yeah, you may find superficial flaws, but that's about it.
|
| Other problems:
|
| * The developer feels resentment because he/she thought it was
| all done.
|
| * A lot of effort was spent on a wrong solution which is lost
| productivity.
|
| * From project management PoV it is a problem because we can't
| tell how much time/effort it will take until last second.
|
| * Reviewers feel pressure to find _something_ so they will just
| report trivia if they can 't find real issues.
|
| * Reviewers tend to not want to report huge issues that would
| require complete rewrite because they are developers themselves
| and wouldn't want the same happen to them, and also because they
| are typically members of the same team.
|
| * and so on.
| ivanhoe wrote:
| I agree with your points, but the pair programming also has
| downsides, main one being that it doubles the total cost per
| task, and also it's usually limited to 2 pairs of eyes (again
| because of the cost), while code reviews can (and should) be
| done by as many members of the team as possible.
| tcbasche wrote:
| That "doubling of cost" thing is utter rubbish. If you
| produce higher quality code with two people deeply aware of
| the design and maintenance of a system doesn't that reduce
| overall cost? I swear this "doubling cost" is one of those
| myths perpetuated by Taylorist managers. I've never seen any
| evidence to suggest pairing is less efficient overall.
| lmilcin wrote:
| > main one being that it doubles the total cost per task
|
| Oh, that is false. I guess it comes from a simplistic
| understanding of how people work (no, they are not robots).
| You may have two people engaged in the same task, but:
|
| * People are more focused and work faster -- it is much
| easier to stop yourself from procrastinating when you have
| other person on the call.
|
| * You get people exchanging tacit knowledge. With people
| changing pairs knowledge will tend to spread over entire team
| eventually very efficiently.
|
| * You get flexibility of having any of the two people being
| able to continue the task (if one quits, is sick, has to take
| day off or step out for a meeting) -- the work is much more
| likely to progress uninterrupted.
|
| * You get much less chance for the project to get stuck. When
| one person doesn't know how to do something the other person
| might know.
|
| * You will tend to get better quality results (for example
| any bug needs to pass through two pairs of eyes, etc.) -- and
| that means less time wasted on other parts of the pipeline,
| less technical debt, etc.
|
| * When you get a new dev on the team, the first assignments
| are much less likely to get screwed up because you have other
| seasoned dev in the pair.
|
| * You get a natural mechanism to get a new dev onboarded and
| have knowledge transfer -- they get up to speed many, many
| times faster than if they are just dropped alone on a task.
|
| * Good code review isn't free either, it would have to take a
| significant portion of the effort to write the code anyway.
|
| * You get people socialising _while_ doing useful work. Which
| is extra difficult while working remotely. Having tightly
| knit team is very valuable.
|
| * People are overall more happy and engaged when the work
| goes faster. Have you noticed you feel better when you stand
| in one long queue that progresses fast than if you split it
| into multiple queues that progress slowly, even if overall
| wait time is the same?
|
| * Having work done faster (by two people working on it at the
| same time) makes for faster cycle time and in consequence
| lower complexity (less things being worked on at the same
| time). Lowering complexity is very valuable.
|
| * While we are at complexity -- normally doubling people in
| the project does not cause it to progress twice as fast or
| cause the throughput to be twice more. Being able to treat
| two developers as one, uber-developer doing work more
| efficiently is very valuable because it allows counteracting
| at least part of that diminishing returns trend (ie. you have
| have larger team with efficiency of a smaller team).
|
| * As a tech lead this is fantastic way for me to get to know
| people, their strengths and weaknesses. I can then help them
| with weaknesses and maybe learn something from their
| strengths. Getting to know the complete picture of the team
| is extremely valuable.
|
| And many other reasons.
|
| When you take that into account you will find that, if done
| correctly, pair programming will be more efficient.
| Especially long term, because some of the effects take time
| to kick in.
|
| **
|
| Now, working in pairs isn't free:
|
| * Working in pairs requires people to have high standards
| when it comes to their behaviour towards their peers. Working
| in pairs requires absolute adherence to the "no asshole"
| rule.
|
| * As a manager, you need to react very quickly to people
| having trouble working together because in pair programming
| this is going to immediately destroy productivity for two
| people.
|
| * Costs of disruption is magnified when working in pairs. For
| example, if you have to wait for approval for something --
| now you have two discontent people waiting for the approval.
| If one person has to join a meeting -- the other person will
| not be as efficient and they will have additional cost of
| syncing afterwards.
|
| * You probably want to hire people that are specifically
| mentally designed to be able to work in pairs. Some people
| just prefer to isolate themselves and work alone -- these
| will have trouble functioning in a team that uses pair
| programming. It doesn't mean these people are worse, they are
| just worse for that particular team.
| rpunkfu wrote:
| I wish person (people) involved in making this would do some more
| research, it's completely missing a point of PR review.
|
| This is to me a set of linters with human error involved..
| aneutron wrote:
| I will admit that I thought this was a joke on the "SaaS"
| everything trend.
|
| I can see how this works for fairly limited web applications for
| example, but as soon as the application grows in complexity and
| interacts within a bigger system of systems, I am doubtful that
| it would be logistically possible to outsource the code review
| (legally, knowledge transfer wise, and a plethora of other angles
| I'm a tad bit lazy to consider).
|
| Overall, why not, if it's priced correctly, then it's probably a
| set of additional eyes for small projects. But for anything
| medium or higher, yeah, I don't see this realistically working.
|
| Maybe OP (?) can explain if I'm wrong (very likely). There's
| probably something I'm missing.
| dennisy wrote:
| My thought is the same - I was wondering if I had missed
| something!
|
| I really need to find a good mentor for our project :(
| whazor wrote:
| Overall, for bigger and more complicated systems you would have
| an architecture that is peer reviewed and communicated
| internally.
|
| Afterwards you have individual components that have their code
| reviews and still need to follow industry best practices. I
| think external code reviews is great idea as it could allow the
| team to focus more on conceptual reviews and consequences to
| other systems.
| noduerme wrote:
| I've yet to see a company ask for feedback once they were
| done pushing out a half baked API. And if anyone uses it,
| they do get plenty of feedback. As far as whether the code is
| internally badly written... if the guy writing the code can
| understand the suggestion, he's probably already done it or
| decided why not to do it. If he can't understand the
| suggestion, then it's a waste of money.
| cheriot wrote:
| This smells like lead gen for a consulting shop.
| whoomp12342 wrote:
| very often code review requires domain knowledge. This seems like
| it would devolve into arguing over coding preferences
| natded wrote:
| Teaching sand to think was a mistake.
| cannonpalms wrote:
| This entirely misses the point of code review.
|
| Say it with me: Code review is a knowledge transfer exercise.
|
| Finding bugs, security vulnerabilities, and keeping the code
| maintainable are merely side effects that we appreciate along the
| way.
|
| The primary purpose of code review is increasing the bus factor
| of the given piece of code and facilitating organic knowledge
| transfer. That's it.
| vinceguidry wrote:
| I mentioned this idea to a very knowledgeable enterprise
| architect. I was mentioning how much I'd enjoyed being able to
| use the code review process in this way. His reply: As good of
| an idea that is, it breaks Agile. So long as the code meets the
| biz-provided spec, it must be accepted, and if there are other
| concerns with the code, to make a _tech debt ticket_ to address
| it at a later date.
|
| This, of course, horrified me.
| haggy102 wrote:
| Anyone with Architect in their title receives skepticism from
| me. I've turned down title changes that include it and I
| refuse to put it on my LinkedIn.
| akvadrako wrote:
| Even people designing buildings?
| vinceguidry wrote:
| His world seemed completely and utterly divorced from mine.
| He was deeply connected with big enterprises and how they
| manage to meet business objectives regardless of not being
| software engineers themselves. In our world, we take for
| granted that our managers and leadership are technically
| proficient. In his, the "Engineering Manager" is a rarity,
| the people managing engineers are just ordinary managers.
|
| Software architecture, in this world, is how you escape the
| rat race of soulless ticket punching without having to go
| into management. You use your skills and experience in an
| advisory role. Obviously there are better or worse
| architects, I've had the pleasure of working with really
| good ones. But it often feels like a title and field borne
| out of a need to retain top talent. (read, not push them
| away to competitors)
| dangus wrote:
| I think that attitude is a little short-sighted, and
| perhaps a little bit of "anyone that isn't a pure developer
| is incompetent" elitism.
|
| For one thing, titles are just titles, and they stick
| around for historic reasons. For example, there really
| isn't a great reason for companies to call people DevOps
| Engineer, but it still happens.
|
| I'll take the Solutions Architect role as an example. It's
| basically sales or customer-oriented developer or technical
| resource that works with customers to determine what a
| solution to a problem will look like. "Architect" is mostly
| meaningless in the sense that Solutions Architects don't
| really architect much of anything. Usually, they just come
| up with a plausible path forward and visualize that
| solution to all the stakeholders involved. This includes
| travel to customer sites, something that developers are
| basically never willing or expected to do.
|
| They're the folks who deal with the god damn customers so
| the engineers don't have to. They have people skills,
| they're good at dealing with people. Yeah, I mean,
| considering the staff engineer on my team _does not shower_
| , there is value in that role.
|
| Most of the value in the Solutions Architect is how they're
| able to work with customers to discover their needs on a
| more technical level rather than at a high level. Once the
| plan is determined, the solutions architects don't actually
| build the solution on their own, they're more like an
| interface or leader to the development team that builds the
| solution.
|
| https://www.careerexplorer.com/careers/solution-architect/
|
| I don't want to put words into your mouth, but maybe you're
| skeptical of "architects" because they aren't typically
| expert specialists in one small area. Maybe that's why you
| don't want to be associate with them. Understandable,
| perhaps, but don't be misguided into thinking that
| "architects" aren't skilled professionals who add value to
| the company.
|
| On top of that, I believe they're often paid higher than
| developers ;-)
| alistairSH wrote:
| His logic would apply to tests of all sorts. As long as the
| dev says the feature is done, that's the end. And he's wrong.
| As teams (or companies, or whatever unit) we get to decide
| our definition of "Done". I suggest that definition include
| appropriate testing. And appropriate code review, which
| serves two purposes... catching defects and knowledge
| sharing.
| vinceguidry wrote:
| In his world, testing the software belongs to a different
| team than the implementation. Differently managed,
| differently staffed. Not with engineers, but with testers.
| It's difficult to say the least to move from testing into
| engineering
|
| And you can't just redefine Agile like that. It's the
| businesses' money, culture, and productive means. Not
| yours. If they want teetering software stacks with no
| thought given to maintainability, managed by non-tech-savvy
| staff, then that's what their money will buy.
|
| We enjoy an environment catering to our needs because our
| orgs can afford to throw a lot more resources at better
| managers and better talent. As a result individual
| contributors can contribute not just tickets, but also to
| help improve the way we work. Not possible in heavily top-
| down org structures.
| Pxtl wrote:
| In my experience, splitting the testing team out of
| development materializes refactoring as costly.
|
| "What parts of the system did this impact?"
|
| "Well, this is a core piece of our ORM config, so... the
| entire data layer, so from a functional perspective this
| change impacts every part of the system"
|
| "Then you're not changing it, QA can't rerun all their
| old tests, it would take months, most of those tests
| don't even work anymore".
|
| End result: refactoring never happens. Get it right the
| first time.
| vinceguidry wrote:
| Naturally. In an Agile environment it's more or less
| impossible to get it right the first time without
| seriously forward-thinking architecture, which takes time
| that could be spent pushing harder towards the deadline.
|
| It's a business decision to organize software production
| this way. Refactoring and ease of software maintenance
| are quality of life issues for engineers. Not business
| concerns.
| alistairSH wrote:
| Ugh. I haven't worked with an independent QA team in 15
| years or so; testing is the responsibility of the dev
| team and there are test engineers on each team to
| facilitate that.
|
| Maybe this is a difference of building a product vs
| contracting? We have to keep what we build running for
| years; there is no turnover to a client where can declare
| the system "done".
|
| As for redefining agile, I've done no such thing. The
| agile manifesto calls for working software. It calls for
| collaboration. Avoiding knowledge sharing amongst team
| members and throwing software over the fence to a remote
| test team are both counter to that goal (in my
| experience).
| skeeter2020 wrote:
| >> it breaks Agile
|
| It must be "nice" working with an enterprise architect who
| views agile as a strict, narrowly defined thing.
| vinceguidry wrote:
| He's really sharp and has keen insight into how enterprise
| business works. His advice saves us a lot of time and
| money.
| throwoutway wrote:
| But if he wants you to open tech debt tickets, rather
| than spotting/fixing security issues immediately, this
| will not save the company time or money.
| vinceguidry wrote:
| He doesn't. He was just describing to me the way the
| enterprise usually sees things. Our shop is more modern
| than he's used to working in.
| ivanhoe wrote:
| That's how a managerial bureaucracy approaches the problem of
| deadlines: The second it looks like it's working, mark it
| done and move to the next task, and deal with the bugs later
| - ideally the manager will move to another position by then
| due to their exceptional productivity in meeting the set
| goals, and the bugs will be someone else's problem to
| solve...
| vinceguidry wrote:
| If they get solved at all.
| Pxtl wrote:
| This. Code review is a terrible way to find bugs... At best
| you'll get the more Senior reviewer to spot library uses that
| are known to be workable but problematic (eg poor performance),
| coming from their experience. But straight up logic bugs are
| hard to spot.
|
| The big thing that code review achieves is that it ensures a
| 2nd person understands the code that was written, and therefore
| it is _possible_ for the reader to understand.
|
| So 3 years down the road and you're looking at some
| counterintuitive piece of code, the reader isn't wondering *why
| on earth did he write it like this? Is it working around some
| cryptic edge-case bug in the framework or were they just
| stupid?"
| Jach wrote:
| The case for code review is fundamentally economical: it saves
| the organization money by finding costly issues earlier when
| they are cheaper to fix without imposing a costlier burden for
| the review process itself.
|
| As generic "knowledge transfer", or even increasing the bus
| factor, I would disagree. The best knowledge transfer
| experiences I've had have been dedicated meetings/workgroups
| dedicated to that purpose, and they tend to encompass larger
| scopes than a single commit/pull request. I've also seen the
| difference in devs who contribute to an area having previously
| only been reviewers of code in that area, vs. actually having a
| knowledge transfer session with that area's lead beforehand,
| and in the latter case they are more effective (actually even
| if they had never reviewed code in that area before, as was the
| case with interns or new hires). To me knowledge transfer is
| the nice possible side effect, but not the primary purpose.
|
| I'll leave a third opinion from here
| https://static1.smartbear.co/smartbear/media/pdfs/best-kept-...
| which lists some _direct_ and _indirect_ benefits:
| Few developers and software project managers would argue that
| these are direct benefits of conducting code reviews:
| * Improved code quality * Fewer defects in code
| * Improved communication about code content * Education
| of junior programmers And these indirect
| benefits are byproducts of code review: * Shorter
| development/test cycles * Reduced impact on technical
| support * More customer satisfaction * More
| maintainable code
| sbassi wrote:
| Some companies doesn't have enough people to review the code,
| at least not with the required seniority. This way there is
| also knowledge transfer, but to the company. And with people
| not in your payroll that can provide objective comments since
| they are not afraid of telling the wrong person that their code
| sucks.
| senko wrote:
| So, they find bugs and security vulnerabilities, help spot
| performance problems and keep the code maintainable -- as a
| service.
|
| Still sounds like a pretty valuable service.
| chillingeffect wrote:
| > Say it with me: Code review is a knowledge transfer exercise.
|
| It is, but (say it with me?): Things change.
|
| Code review is not the sole knowledge transfer exercise, nor
| should it be forever. You could say similar things about "make
| format". Now that our formatting is automatic, we can discuss
| code at a higher level. If code reviews were standardized or
| even automated, we could discuss it at an even higher level.
| gwbas1c wrote:
| > Code review is a knowledge transfer exercise
|
| In many places, yes.
|
| But: When you have a solo developer working on a component in a
| language that you aren't familiar with, team full of novices,
| component delivered by a contractor...
| dpweb wrote:
| Not exactly. imo and just a perspective, but code review is one
| method of KT. Sending someone a document can also be a method
| of KT.
|
| Code review for KT is one thing. Code review for finding bugs
| is another. Code review for following style guidelines is yet
| another.
|
| I would like to use a baseline style guideline for JS is anyone
| aware of one that isn't too huge?
| NateEag wrote:
| I'm a fan of using code formatters to define how you lay out
| code in a file.
|
| Prettier is popular for that job:
|
| https://prettier.io/
|
| For detecting functional/idiomatic/behavioral issues, ESLint
| is my go-to:
|
| https://eslint.org/
|
| This shows my bias for automation over human enforcement.
| ivanhoe wrote:
| Finding bugs is of questionable use because it's sort of
| limited to obvious bloopers. One usually needs to be deeply
| involved and familiar with the business logic to be able to
| spot a real bug of the type that will give you serious trouble
| - external services obviously will never have time for such
| commitment.
|
| That said, I think there's still a lot of space where this
| service can be very useful: from improving your code style and
| an affordable way to have security audits, to just a support
| net for developers who might feel overwhelmed by a task
| sometimes, and could use some friendly advices from a seasoned
| dev. It being an external service can also make it less
| stressful and personal, which is great as some devs see code
| reviews as a criticism of their skills and go all defensive
| about it, creating tensions in teams (sounds silly, but I've
| seen a lot of it).
| walkingriver wrote:
| In most of the projects I have reviewed for pullrequest.com,
| the engineering team is also doing its own reviews. We are
| "another set of eyes" as it were. Many of our larger reviews
| can end up becoming lengthy conversations between us and the
| team. There is definitely a lot of knowledge transfer going on.
| What's been truly rewarding is when someone on the team comes
| back to us and asks for advice on the best way to solve a
| particular problem.
| pictur wrote:
| code review is a process that carries a lot of meaning today.
| the work cycle in most workplaces is not qualified to meet this
| meaning.
| SomeHacker44 wrote:
| Maybe for you. For others it can have all or any of those other
| things as its primary purpose. One important thing for me is
| that it prevents or at least mitigates unilateral insider
| attacks by having two people required to change code.
| astrobe_ wrote:
| Having a bus factor>1 is still a _major_ prerequisite for
| doing that. Because if you have a junior developer review the
| changes of a senior developer, there are so many social
| engineering tricks to make the backdoor pass the review that
| it isn 't even funny.
| pelasaco wrote:
| "but they have AI".. probably not. Probably the same linters
| and scanners that we all know + cheap working force reviewing
| code manually.
| oneepic wrote:
| Even without hard stats and evidence, I guarantee most people
| don't think of code review as mostly being about KT. The
| purpose(s) of code review commonly contain the ones you
| described, but it varies from team to team. The most common I'd
| guess is putting a 2nd pair of eyes on your code, checking code
| quality and finding issues.
| mfashby wrote:
| Hmm, what about education? I've learned a bunch through
| thoughtful reviews of my code by other devs.
| loloquwowndueo wrote:
| That's them transferring their knowledge to you :)
| tantalor wrote:
| You're thinking of pair programming. That's different.
| nerdjon wrote:
| Personally I work on a 2 person team, the vast majority of my
| reviews either have no changes or "hey maybe this thing should
| be named something else so its more consistent".
|
| For us the peer review is almost completely for knowledge
| transfer. Sure we know what each other is working on, but we
| still have to maintain each others code if something goes wrong
| and the other is not available.
|
| So I agree with this 100%. Even in bigger organizations where
| the peer review was more formal, I feel like that is still the
| primary goal.
|
| I do fail to see the benefit of this, especially looking at the
| price of it. Outside of maybe scripts? I can't really see how
| much they can actually help without the context of the larger
| application. Without that context can they really provide more
| benefit than AWS CodeGuru (or similar) could offer?
| watwut wrote:
| We do have detailed code reviews. People will complain about
| lines you write and expect a lot of consistency.
|
| Simultaneously, architecture is complete mess, because
| architecture is much harder to see in code review.
| beanjuiceII wrote:
| i thought code review was to assert dominance and to block as
| long as possible for yak shaving reasons; But I do like your
| version of it! Happy holidays~
| nyanpasu64 wrote:
| I noticed the example image: "It looks like this method needs to
| use the read lock because it's accessing the `dataKeys` map. I
| would recommend documenting which methods are and are not meant
| to be safe for concurrent access." To me, this is a problem
| addressed by Rust's &/&mut separation, which can be imitated in
| other languages (eg. in multithreaded code, wrap types in
| Mutex/MutexGuard or RwLock with read guards lending out
| `const T&` and write guards lending out `T&`, if you're in a
| language without const, tough luck). This creates code which
| self-documents concurrency in the type system like Rust, though
| it's less watertight since you can hold onto references for too
| long.
| nkmnz wrote:
| I'm currently the only developer in my startup and I crave for
| high quality feedback, so this service sounds like it's a gift
| sent from heaven - especially for the $699 price tag per month. I
| guess they probably make a mixed calculation: take a small
| company with 10 devs. Two of them are part-time, on any given
| week one of them is on holidays/sick leave, one is very junior
| and doesn't contribute much yet, another one is more concerned
| with project management than with writing code and one has in
| fact transitioned into management but remains on the dev team
| because it's part of their identity to still "get their hands
| dirty" (even though they don't have the time to produce much
| code) - so you might end up with sth like 4-7x more code than I
| write, but 10x the payments. My productivity is not above
| average, but I have very little overhead besides coding.
| Unfortunately, I cannot find any information about a minimum team
| size for the PRO plan. I think I'll give them a try.
| softwaredoug wrote:
| On the one hand, lacking broader context might make this service
| seem silly.
|
| However I think it can help bust groupthink
|
| It's still valuable to get more general feedback and ideas
| explicitly without context to challenge our attachment to current
| practices in existing codebase schools.
|
| It's nice to get a pair of eyes with a completely different
| background give feedback. With context we may have blinders on. A
| fresh perspective might uncover things we haven't thought of and
| bust groupthink
|
| Even though I've been coding in Python for years, I still might
| not have awareness of the best most effective way to do something
| in general. Imagine all the projects started in the last few
| years from people learning Rust for the first time?
|
| It may not make sense for the largest, most complex code bases,
| but I can see it valuable for medium to small projects to get
| outside perspective.
| vemv wrote:
| I'd have some amount of healthy skepticism over obvious concerns
| (most prominently, keeping IP safe) but it also it seems worth a
| shot; it solves a real problem because often for teams code
| reviews are a bottleneck _and_ bit of a battlefield.
| dirtbag__dad wrote:
| I used this service at my previous employer to launch a small
| django/nextjs app and it was mostly fantastic.
|
| Background is that I worked at an VC-backed startup as a dev
| after doing General Assembly's full stack bootcamp. Left that job
| to do ops/growth, and ~2.5 years later volunteered to build the
| web app when my company put the project on their roadmap.
|
| As the only developer at the company, pullrequest was great for:
| - a general gut check on how I was doing - recommendations on how
| to better write js/python. linters help but nice to have a person
| offer feedback on more advanced ways of doing things - sourcing
| documentation on best practices. I found a lot of
| typescript/JavaScript resources to be inconsistent/confusing. Was
| great for someone to find and vet guides for me. - help with
| bugs/errors - basic library choices and architecture decisions
|
| It was also fantastic to have several people reviewing my code at
| once. Gave me a perspective on the type of engineering manager
| I'd want to work for. Some folks focused more on technical
| details but struggled explain their changes in plain English,
| while others seemed to be the other way around.
|
| pullrequest was not great for: - doing things fast. They didn't
| have a real-time messaging feature so I'd get hung up on waiting
| for feedback. They do have a 24(?) hour turnaround, but when
| several folks are commenting on the same PR it gets hard to track
| what changes _really_ matter vs what they are throwing out there
| as a nice to have. - Anything that required context outside of
| the files committed. Though with some extra long PR comments I
| could manage.
|
| I would 100% recommend pullrequest for small teams who are heavy
| on more junior devs or migrating to a new stack. It is an
| inexpensive way to ramp up learning.
|
| Last thing here -- when I worked at the startup my code was
| rarely reviewed, and I'd have to actively ask for it. Not all
| companies follow best practices (even if they have the resources
| to). I would've loved this at my past job, too.
| alexashka wrote:
| What we need is software architecture review, not git diff
| review.
| akhil-ghatiki wrote:
| How does this play with the Non disclosure agreements ?
| akhil-ghatiki wrote:
| ignore this comment. They have a background check and NDA
| process.
| swalsh wrote:
| I'm not sure this is a good idea for enterprise startups building
| closed-sourced software. As a software architect, some things you
| just don't delegate. Code Reiews are some of the most important
| things I do. But (and please don't downvote me for this, I know
| there's an instant reaction to downvote anything blockchain
| related) for DAO's this would be amazing.
|
| A DAO (Decentralized Autonomous Organization) might be running a
| software as a service. But it might not have any full time
| employees. It might not have any employees at all. A lot of
| updates to the software might come from random people (or bots).
| The DAO will need to evaluate and pay for any of those updates
| before it decides to merge the pull request. A code review as a
| service would be an absolutely invaluable tool for a DAO with a
| software product that doesn't have any full time architects to
| perform the service.
| scubbo wrote:
| I didn't downvote you, but I'd love to hear some situations in
| which this hypothetical DAO would be comfortable running code
| that it (where "it" means "an engineer who has a stake in the
| DAO and so is invested in its success") had not reviewed? How
| would it trust the results of this review? I'm trying to remain
| open-minded and curious about blockchain-related use-cases.
| Kocrachon wrote:
| I understand NDAs are a thing, but I still don't think I'm too
| comfortable with the idea of letting a bunch of third-party
| people look at a bunch of my internal information. And I
| understand this is targeting startups a lot more than large
| established companies. But to me that's even more concerning
| because as a startup you're really trying to move fast and hoping
| someone doesn't beat you to the punch, and you're handing a bunch
| of people you don't know how much of your secret internal
| information, and hope that they don't go talking to other people
| about it.
| vincentmarle wrote:
| Most startups are too busy finding product market fit than
| trying to worry about sharing 'secret information' (your actual
| secrets shouldn't be in your repo anyways).
| niros_valtos wrote:
| Saw this link here in the past. Didn't pickup. The reason why I
| don't like it is that random people, regardless their expertise,
| cannot just review PRs and understand the impact of the change on
| the system without being deeply involved in the product.
| rwmj wrote:
| I'm a little more positive about this. A careful code reviewer
| might be able to spot generic security or even logic flaws in
| code, such as inappropriate use of _strcpy_ in a C program or
| code which is unreachable in a way that cannot be detected by
| the compiler. Also there 's a lot of scope for automation, such
| as running Coverity or other free and commercial
| linters/checkers, although also a danger of overwhelming the
| results with false positives and junk.
| niros_valtos wrote:
| Results from these tools typically go to the developers, not
| to the PR reviewers. They see only the result of fixing a
| vulnerability, and if there is a new vulnerability
| introduced, these static code analysis tools should detected
| them before deployment to dev/prod.
| jopsen wrote:
| Nor can arbitrary people weigh the balance between accepting
| technical debt and shipping a feature.
|
| It involves a risk / benefit analysis.
|
| On the other hand, maybe you can build a relationship with
| contractors that focus on reviewing code. And maybe it can give
| insights your team won't have?
| gorgoiler wrote:
| The best code reviews are ones that leverage experience from the
| reviewer to stop logic errors. Your code may well compile and the
| tests you concocted may pass but that doesn't mean your code
| should ship. Without a second pair of experienced eyes looking at
| your crap, how are you to know that:
|
| - _(general experience with modelling)_ what you felt should be a
| single class would be better if it were factored into two
| classes; and
|
| - _(specific experience with this particular codebase)_ the
| second of those classes already exists in the codebase and can be
| found in com.clown.util?
|
| The former can be helpful but it's just noise compared to the
| value of the latter.
|
| How does this service avoid being just a human powered style
| linter?
| gitdiff wrote:
| As a PullRequest reviewer, I think many on this thread are
| missing the forest for the trees.
|
| First, I think many here may be viewing Code Review as a Service
| from their frame of reference: from unicorn start ups, FAANG tech
| companies, prestigious universities, etc. Many of the companies
| that we help aren't coming from this world. They're small
| startups, looking for technical guidance. They're entrepreneurs
| who need to ensure they're not being duped by app developers.
| They're older, less tech-savvy companies that are looking to
| modernize. These companies need help, and they can get help from
| people who have technical expertise. (And by the way, some
| companies aren't sophisticated enough to set up linters or code
| scanners at their stage of development)
|
| In a similar vein, many of the developers we help may not have
| had the same level of education, learning, or coaching as you or
| I may have. For example, I've helped introduce more modern syntax
| options to developers, such as string interpolation and extension
| methods in C#, to Options and Streams in Java, to
| filter/map/reduce functional patterns and optional chaining in
| Javascript. These developers may have never seen high quality
| code or had mentors who insisted on a high bar for code quality.
|
| Even for more sophisticated customers, I've left comments ranging
| from security vulnerabilities (e.g. SQL injection), errors in
| boolean logic, recommendations for improved test coverage,
| recommendations for simplifying code (e.g. creating reusable
| functions), preventing race conditions, and more. I've also
| reviewed candidate assessments to help unburden senior engineers
| so they can focus on writing code.
|
| Sometimes, the proof is in the pudding. There's a market for
| these services and that's why some companies pay for them and why
| I get to review code on demand. I periodically get feedback from
| the teams I help that I've done 'Nice Work', receiving positive
| ratings from the developers I review for. I'm proud that I can
| lend my expertise to make code better.
| loloquwowndueo wrote:
| "LGTM" as a service :)
| hankchinaski wrote:
| Having on-demand engineers look at code, without broader context
| on the project it is in my view the same as something that can be
| automated either or both via static analysis and custom ci/cd
| workflow checks. This can probably makes sense on a project with
| more junior engineers where many basic improvements can be
| supposedly suggested without needing broader context? I would be
| keen on hearing the use case
| gitfan86 wrote:
| A lot of people use ESLint and Prettier. If you look at the
| roadmap/issues for those products you'll see that some feature
| requests cannot be programed, but can be understood without
| knowing the full context of the business and codebase.
|
| At the same time, if you are fixing a critical bug and you use
| enum instead of boolean, who cares, just push the fix, but it
| doesn't hurt to have a gentle reminder show up in your github
| PR that it is an option to use boolean instead.
| altdataseller wrote:
| Vitamin, not painkiller. Just keep that in mind
| tialaramex wrote:
| In a decent language enumerated types are strictly better
| than booleans because they have names. Closed and Open, or
| Paid and Outstanding, or Safe and Dangerous are better than
| true and false unless you really meant true and false.
|
| my_bills(Paid) avoids the step of reading the function
| prototype to find out what my_bills(true) means.
|
| In some languages you can make piecemeal changes to upgrade
| from booleans because the language is happy to silently
| coerce between a two state Boolean and a two state enumerated
| type. This is probably bad news for correctness because it
| means my_bills(Open) might not even raise a warning but it's
| convenient.
| adamnemecek wrote:
| I have reviewed for pullrequest and you'd be surprised how many
| things one can fix. Why do you think that you don't have
| context? You can look at the whole project and see what's up.
|
| And no, you can't write programs to do this.
| tialaramex wrote:
| Variable naming is a really obvious example of "you can't
| write programs" to assess this. Because it needs some general
| intelligence.
|
| Are very short names OK? Generally not, but x is a perfectly
| good name for an x coordinate in a graphing application for
| example.
|
| On the other hand methods named colour (to get the shade) and
| shade (to get the colour) need some serious documentary
| explanation of what the hell you're up to even though in
| themselves they're acceptable names.
|
| Language idioms, and (if this service is expensive enough)
| per-project idioms are not usually or reliably machine
| checkable.
|
| Also beginners make lots of confusing mistakes, a program may
| end up missing the woods (e.g. this should just be an
| iterator, 90% of the code is mechanics that are doing what
| the language's built-in iterators do) for the trees (the
| variable names used for all the counters being tracked are
| bad)
| noduerme wrote:
| It's a rare case indeed where I'd be willing to let a third
| party in on business logic plus the whole source code for
| something I was developing. I love talking shop but if I'm
| really having a problem with a structural issue, it's hard to
| imagine someone outside giving any better advice than people
| inside who understand the lay of the land. Meanwhile, it's a
| pretty much totally unacceptable security risk. So what's the
| upshot to this over an internal code review?
| danuker wrote:
| > via static analysis and custom ci/cd workflow checks
|
| Perhaps that is what this service is trying to create behind
| the scenes: building datasets for a high-signal-to-noise-ratio
| automated reviewer.
| biztos wrote:
| I can think of one real-world use-case, though I have never
| used this product.
|
| It's pretty common in larger companies to have legacy products
| with a couple of very senior (usually overworked) people and a
| larger number of junior people. The juniors very often have
| little experience with the language, much less the frameworks,
| of these legacy systems. So PR's from junior devs are often
| very frustrating for senior devs (wrong language conventions,
| not how AWS is done, paradigm misunderstandings, inaccurate
| comments) -- and the perverse incentives resulting from that
| are pretty obvious. Bad code ships.
|
| If passing "code review as a service" were a requirement before
| the juniors could put up changes for seniors to review, in my
| experience that would be money well spent.
| seneca wrote:
| This post has a number of what look like astroturf advertising
| comments.
| darkstar999 wrote:
| That's the word I was looking for. It really does look like
| that.
| dawnerd wrote:
| I had to flag this after seeing several obvious spam replies
| trying to boost the service. Come on now.
| darkstar999 wrote:
| The many multi-paragraph praises from green accounts did it for
| me.
| Rhodee wrote:
| :wave: Pull Request reviewer here with over 1000 reviews.
|
| I've reviewed code across languages, team size and maturity. A
| good static analysis tool is not code review. The word 'context'
| came up 37 times in this thread (by the time I hit submit) and it
| is worth digging in to how I build and maintain context with
| teams. First up, it is my responsibility to uphold, not define a
| team's best current practices. If you believe a linter and static
| analysis tools are best current practices, you probably do not
| need code review. The code review process is an exercise to
| affirm how well a pull request meets the expectations (context)
| of a team and suggest remediation where appropriate.
|
| I assume 'context' used in the threads to mean "how we do things
| here". As a reviewer, I conduct review understanding the problems
| the team wants its code reviews to optimize for or to avoid. This
| is due to the people creating the platform. It's a solid platform
| for reviewers to get things done. Every line of contributed code
| I review is done with an eye towards ensuring it affirms a team's
| stated objectives. If those objectives somehow falls outside of
| what I know to be true from my experiences as a professional and
| best current practices (BCP), I am empowered to engage the team.
|
| I've had teams request to never provide guidance for coding style
| issues. Others want to know if how they modeled a React component
| tree could be improved. My success on the platform relies on
| always building context. Without that rapport it limits the depth
| of the review. Because code reviews are interactive, they tend to
| get better over time. When things go well, the relationship
| between team and reviewer is seeking a pareto optimum between the
| pull request and the team's best current practices. When needs
| change I adapt my reviews. It is the same treatment if you're a
| one person shop, SME or a listed company.
|
| k thx bye
| deeveloper wrote:
| I'm a reviewer and a firm believer in PullRequest. I do believe
| that some of the concerns expressed here are valid but I think
| they belie a fundamental misunderstanding of "what you're
| getting" from PR. Having an under-experienced contractor review
| your code without context, pointing out things that static
| analysis could/would catch sounds like a terrible proposition,
| but that is NOT what PR provides.
|
| Speaking from personal experience, the reviewers are very
| knowledgable professionals who are not doing this for money as
| the primary motivation. The pay is great but is more of a
| perk/reward for doing something we enjoy, and doing a great job
| at it. The staff at PR does an amazing job of coaching and
| guiding reviewers on how to provide the most value to the client
| and also encouraging us to do our best work. It is never anything
| like "You need to be faster and bill less, do more, etc" it is
| quite the opposite, we are encouraged to "keep the clock going"
| while we research, gain context, etc.
|
| Everything is focused on providing value to the client, and IMHO
| a stellar job is done. Every review comes with detailed
| information on who the client is, the make up of their team
| (seniority, etc), recommendations on what to look for (and what
| NOT to look for) etc. Essentially you are putting your code in
| front of people who have been there, done that for a long time
| and are acutely aware of not only risk but also pain points and
| how to avoid tech debt. We are providing insight, recommendations
| and even code snippets on how to avoid repetition, speed things
| up, or make them easier to maintain.
| privacyonsec wrote:
| Isn't paper peer reviewing broken ? Want to do the same thing
| with software?
| jph wrote:
| Good code reviews are superb for helping teams accelerate into
| new technology areas, frameworks, languages, and integrations.
|
| As a top of mind example, when a team wants to spike on migrating
| from C++ to Go or Rust, including using libraries and porting
| services, then I see very high value in paying for skilled
| contractors to do code reviews-- because what your team is
| gaining on-demand upskilling.
| throwaway984393 wrote:
| I really love this idea. It's like static code analysis but with
| more specific feedback based on context. This could dramatically
| improve code written by junior and middle level engineers. I'd
| use it!
|
| The only stumbling block seems to be that a lot of devs seem to
| be resistant to it. I'm not sure why that is; there's many forms
| of code review and feedback, from shallow to very deep. And I've
| seen many teams that fail to do proper code review. This could be
| an excellent introduction to proper practice for immature teams.
| schnika wrote:
| I wanted to sign up as a reviewer but it seems like one needs a
| linkedin account to do so. Since I don't have a linkedin account
| it seems like there is no other chance?
| Cakez0r wrote:
| Me too. Hopefully someone working for the company sees this and
| has some sway to remove the requirement.
| lambic wrote:
| The only time I can see this being useful is on solo developer
| projects, and solo developers probably can't afford it.
| ralusek wrote:
| A service like this would only be able to find a certain class of
| issue. Basically syntax, but not semantics. There is no
| substitute for deep knowledge of a particular codebase.
| walkingriver wrote:
| A really cool side effect of working with pullrequest.com over
| the past year is that I do feel that I've gotten to know some
| of these projects. Some interactions end up becoming lengthy
| conversations between the reviewers and the engineering teams
| over the course of multiple pull requests. We point out
| potential issues and are still around when those issues are
| addressed. For some projects, the reviewers are treated like
| part of the team.
| napolux wrote:
| LOL. This will become in less than 1 month a "LGTM" feast. 3rd
| world countries developers (organizing themselves in groups to
| pass the intro test from the website) giving green lights to
| random people around the world for peanuts. This is a clever
| business model if you ask me.
|
| Let's be clear for a second. Nobody, not event the legendary 10x
| developers can review properly code without context or everything
| mentioned here: https://news.ycombinator.com/item?id=29624787
|
| If we want our code to be approved by random people doing it only
| for money, this will work for sure, but it's not how it works in
| the real world.
| dhimes wrote:
| Could you clarify what you mean by "LGTM?" Just people saying,
| "looks good to me" and doing crappy reviews, or is there some
| LGTM "thing" out there that everybody will use? Or something
| else?
| MajorBee wrote:
| There is a meme out there in the wild (or at least, I think
| there is a meme) that many reviewers would simply approve PRs
| blindly leaving a LGTM (looks good to me) comment when their
| internal monologue is closer to "...I have no idea what's
| going on here and I'm too afraid to ask at this point". I
| suppose it could also be sheer laziness of not wanting to
| parse many lines of new code, especially if you're in a
| situation where you don't have a 100% tight understanding of
| the codebase (as I have been in many a times).
| ivanche wrote:
| It seems they don't accept any reviewer outside US and Canada,
| let alone 3rd world countries.
|
| https://www.pullrequest.com/faq/
| nathanielarmer wrote:
| PullRequest actually reviews the reviewers (I actually became a
| better reviewer via this).
|
| 'LGTM' is considered a bad practise, and I've been pulled up on
| this several times. Instead, we're trained to take more time,
| go deeper, and be very clear about what the changes do, and how
| well they are written even on relatively trivial changes.
| dennisy wrote:
| Interested to know if anyone has used this service or similar and
| what the quality is like.
| codingdave wrote:
| It is new to me, but raises a concern that they could only
| review for general engineering quality, not whether or not a PR
| is appropriate to a codebase. How would they know if the same
| problem has already been solved elsewhere, that no wheels are
| being re-invented, or that a PR is stepping on the toes of
| something else the team is working on.
|
| Because that is the value I've found in code reviews - not
| generic "is this code elegant?", but "does this code play well
| with what everyone else is doing?"
| Leherenn wrote:
| I guess you could first have an internal architect or similar
| vet the PR before handing the PR to this service for the
| "technical details".
|
| As you said, the big value in reviews are the points you
| mentioned. Correctness/technical quality certainly has value,
| but at $700/dev/month the reviews better be really good.
| Especially since doing it internally has value as well
| (knowledge sharing in particular).
| alkonaut wrote:
| I'm all for this if the person reviewing my code will know the
| context, history and all the details and conversations we had as
| a team. But in order for that to work, I'd probably be taking
| most of this reviewer's time. And obviously in order for them to
| get up to speed with our practices, conventions, architecture,
| code style and whatnot, they'd probably need to start by doing a
| whole lot of development on our project first. At least several
| months. They could probably not do anyone elses code review then.
| So we'd have to pay them... one full time salary to be this
| coder-and-reviewer type person. I wonder what this service should
| be called.
|
| I think I might be onto something here. "Full time developers as
| a service"
| andreyk wrote:
| While I agree in general, some forms of code reviewing require
| less context than others. They say "We review within your tools
| to catch security threats, stop crashes, and fix performance
| issues before they reach production.", and it does seem to me
| that these things are less a matter of style/context than just
| noticing potential issues. Not sure though, I had the exact
| same thoughts as you when first seeing this.
|
| Edit: to be clear, I personally don't see the value here, just
| playing devil's advocate.
| jermaustin1 wrote:
| But almost any good SA can catch all of those issues, a
| person doesn't need to look through the code for that.
| senko wrote:
| This is very close to saying Halting problem is not, in
| fact, a problem: https://brilliant.org/wiki/halting-
| problem/
| jermaustin1 wrote:
| Not at all, it is saying that if the only things this
| service is providing is a human doing SA (since they dont
| have any deep-knowledge of the codebase), then you could
| just use an SA.
|
| Code review in the real world misses the Halting problem,
| the only way you can really see it is if you know the
| codebase well enough to SEE it, and any 3rd party that is
| given a pull request to complete in a timely manner will
| not have time to fully learn your code base or even the
| modules you are submitting.
| reuben364 wrote:
| A human being doesn't solve the halting problem either.
| adgjlsfhk1 wrote:
| This isn't quite true because in most real world
| scenarios, one of the requirements for code to be correct
| is that it provably halts in a fairly limited amount of
| time.
| samatman wrote:
| Ironically, it very seldom is.
|
| It's Rice's Theorem which tends to get me in trouble!
| HPsquared wrote:
| What will actually happen, is people will use these kinds of
| "context-free code review" services, then say a code review
| has been done. Technically correct in a narrow way, but not
| what most people would expect.
| malux85 wrote:
| I suspect that there's only a tiny, tiny fraction of issues
| that are above the complexity that a linter and test
| framework can't identify, but are below the complexity that
| requires deep codebase knowledge, and I would say that the
| overwhelming majority of value of code reviews is inside the
| issues that require deep codebase knowledge.
|
| Maybe this service could be good to point out superficial
| security bugs though, but the infrequency of these coupled
| with the effort of external human engagement I think would be
| a barrier.
|
| Also a few times in my career I've seen a team with no senior
| devs on it, they usually fail due to inexperience, maybe this
| service could help a team like this - who are producing a lot
| of really obvious mistakes ...
| alkonaut wrote:
| Code the falls between between "I need an experienced team
| member to see the issue" and "A few static analysis tools
| would no doubt have seen it" must be vanishingly small.
|
| For specific areas, I can see myself paying for external code
| review. For example some open source library authors sell it
| as a service, so they can review the specific parts of the
| code where the library is used. Rob Menschings FireGiant is
| one such example.
|
| Security reviews (Audits) I can also see a good use for. The
| current practice here _is_ already to have external non-
| domain-experts review the code. So making that simpler or
| more frequent is a net win. The reviews I see little use for
| would be normal feature code, (pull request reviews) which
| need a lot of context and domain knowledge to even begin to
| review.
|
| Not audits, or reviews of specific areas or aspects of the
| code.
| YPCrumble wrote:
| Code should be written to be understood without that context.
| If comments and documentation aren't enough context for the
| code to be understood, it probably isn't written very well.
| sbassi wrote:
| that is impossible in lot of cases
| fourseventy wrote:
| Not very realistic for the real world
| blacklion wrote:
| It is very bold statement. Code models some real-world
| entities (domain). Code (completely with comments and
| documentation) cannot and should not document fully domain.
| It is context, which is needed to understand code. Yes,
| simple CRUD application can have all context encapsulated,
| but what's about some code which models, say, some aspect of
| chemistry? Should this code have enough context which
| includes several post-grad university courses? Or <>
| example from my current $Job: we have a lot of code to build
| some models of derivative stock exchange instruments
| (options, futures, etc). Enough context for this code is,
| like, full shelf of 1000 page books. Good luck to review this
| code for everything but off-by-one errors if you don't work
| in this area for 5+ years.
| coryrc wrote:
| Your example is, IMO, the exact use of this service. If
| you're a chemistry expert, you're probably not a coding
| one. These reviewers will ensure your code is testable and
| likely to do what you hope it does, in a way where your
| fellow experts can read and write their own automated
| proofs (tests).
| mbesto wrote:
| > it probably isn't written very well.
|
| If it's written "very well" then what's the point of a pull
| request code review? /headscratch
| alkonaut wrote:
| I'm talking about code where thee context is donain
| knowdledge and architecture.
|
| Reviewing things like style, performance, security, framework
| best practices etc is pretty easy work and rarely the
| bottleneck in a team in my experience.
|
| Basically: any kind of review where you could comment on a
| single file only, is easy. The important and difficult part
| of review is "Is this the right thing to do at all? Is it
| implemented using the right approach to begin with? Do we
| have other functionality that already does this? Does that
| other functionality use the same approach or is there good
| reason for this being different? Does this follow the
| business logic properly or are there any signs of
| misunderstanding the requirements? Are the requirements
| sensible?"
| spmurrayzzz wrote:
| I agree with your sentiments here. A specific, trivial
| example of this would be a distributed systems architecture
| where mutex locks are being employed (or really any
| distributed structures like queues, pub/sub, etc).
|
| Trying to review a PR for a single service that is
| interacting with locks across a dozen or more other
| services would be fraught with assumptions and missing
| context.
|
| You _could_ make the claim that if documentation is
| perfect, that makes the situation better for the reviewer.
| But this is neither a practical expectation, nor does it
| completely mitigate the problem.
|
| EDIT: forgot to note that this is where bottlenecks in
| review are, in my experience. Not in the first-order review
| of syntax and semantics in the single file being reviewed.
| NateEag wrote:
| I'll argue that, in an ideal world, most of the questions
| you're asking here should be addressed before anyone writes
| code.
|
| A basic spec, with "here's the idea", "here's how I plan to
| prove the concept viable", and a rough plan of "here are
| the software components I'll use" doesn't take long to put
| together, relative to actually coding the thing up.
|
| Having that document and getting it reviewed should answer
| a lot of those questions before code is committed to paper.
| alkonaut wrote:
| > in an ideal world, most of the questions you're asking
| here should be addressed before anyone writes code.
|
| I agree completely. But code review to me is the chance
| to pick up on those situations where the situation wasn't
| ideal. And even if this is just one time of 100, that
| review was still more important than the remaining 100
| "normal" reviews with more mundane feedback.
| charcircuit wrote:
| without context you can't catch subtle mistakes
| tyler_mann wrote:
| Disclaimer, I'm the CTO @ PullRequest.
|
| One thing to note about our service is that we are not trying
| to replace your code review process if it is already working
| well and we strongly agree that knowledge transfer is a very
| important part of code review. ( We actually have code review
| metrics as well that help encourage and reward your internal
| code review process. ) However what we do believe and see on a
| daily basis is degree that we help supplement the process and
| help catch many issues as well as inject a unique perspective.
| Our reviewers are all highly qualified, many are maintainers of
| popular open source projects or work at top tech companies. Our
| reviewers also gain context over time similar to a new senior
| engineer on your team. Reviewers also can share notes with each
| other to build up a corpus of information for your project over
| time.
| gwbas1c wrote:
| For the past year, I've been working for a company where
| there are a lot of extreme novice mistakes in the codebase.
| Even though they reviewed their code, a novice developer
| reviewing another novice developer aren't going to catch
| things that are obvious to a developer with 5+ years
| experience.
|
| IMO: Target shops where they just don't have the expertise
| on-hand to do thorough code reviews. Don't waste time trying
| to convince a team full of experts with deep domain knowledge
| that they need you. (They probably don't.)
|
| We also have a "problem" where there are some components that
| are a different language than what most of us are experts in,
| so they end up being developed by a solo developer. When we
| need to jump in, as we learn the codebase, we also see novice
| mistakes that are very hard to fix, because we just don't
| have many years of experience in that language / platform.
|
| Thus, IMO, on your website, list out situations where shops
| will clearly identify a need for your service. (Team full of
| novices, solo developers, team members quit.) Don't go trying
| to convince "everyone" that they need you.
| thewebcount wrote:
| > Our reviewers are all highly qualified, many are
| maintainers of popular open source projects or work at top
| tech companies.
|
| Isn't that potentially a huge problem? What if your reviewers
| work for my company's competitors? I don't want them seeing
| our code base. Do you have any methods to ensure that doesn't
| happen?
| wanderingmind wrote:
| Are you saying your employees will never leave to work for
| your competitors? I have not worked with this company but
| most of them needs an employee to sign a strong NDA that
| protects IP. That must be sufficient in most cases to
| protect your IP.
| tyler_mann wrote:
| Conflict of interest is something we take seriously and
| have processes in place to ensure this doesn't occur. All
| reviewers aren't able to review or see the reviews from all
| customers, we have tools in place to facilitate the best
| matches for both compliance as well as quality and
| familiarity.
| dnautics wrote:
| I wonder if, instead of just incremental code reviews, there
| would also be a way to get a 3rd party review our huge
| codebase and flag issues (architectural, real legibility --
| not just "CC measures") to be dealt with. Then you could keep
| track of them and burn them down as part of "killing
| technical debt" goals.
| avip wrote:
| I'd pay $$ just to have someone reviewing our Raman bowel
| of a codebase and documenting it.
| all2 wrote:
| > and documenting it
|
| Sounds like you need two or three people dedicated to the
| task. Documentation is a whole profession by itself.
| Well, _good_ documentation.
| mncolinlee wrote:
| Having done more than a few PR reviews and code security
| reviews for their platform as an Android/Kotlin dev, I've found
| that the opposite problem is more common. A lot of
| organizations suffer from insular thinking and their own team
| often comments LGTM even if there's something glaring.
|
| Writing reviews as an outsider, there's something freeing about
| knowing that you can review honestly and professionally and not
| overly worry that a colleague might get offended when you're
| simply trying to help. It's also not a chore anymore. Since the
| review is the job itself, it doesn't feel like a distraction.
| And since you're an outsider, you might know about best
| practices at your organization that the client hasn't been
| exposed to.
|
| When I review code, I read the summary explaining what that org
| likes in a review, but I also make sure to include tools and
| practices that they might not be aware of. In many cases, I can
| see they're lacking automated static analysis like
| ktlint/detekt and point it out. I might notice performance or
| security flaws that their own team wouldn't consider in a
| typical PR.
|
| While I actually enjoyed the style of work where reviewing a PR
| isn't a chore, there are a couple issues I'd like to see
| improved. Their rates could be improved for the best engineers.
| Also, the number of jobs isn't always enough for the number of
| reviewers. Gig work is much nicer if you can actually choose
| the hours and have more flexibility.
| ryanbrunner wrote:
| I definitely get what you're saying here, but I think if I
| was given the choice between an internal reviewer that might
| glaze over some bad practices, or an external reviewer who
| will miss stuff like "oh be careful calling that code,
| there's gotcha X, Y, and Z that you need to think about", I'd
| take the former every time.
| Too wrote:
| It's usually possible to see if a certain piece of code
| allows gotchas or not. Global variables, implicit
| dependencies, undocumented apis or magic strings to give a
| few examples. If you have many such, then getting a
| reviewer calling out those bad practices is even more
| valuable. Even more valuable that they are external,
| because often many such smell-patterns are stuck due to
| some political stalemate or cargo-cult within the team.
|
| Most gotchas are actually carried over from the open source
| framework you build on top of. Such knowledge is
| transferable and can't hurt to get another pair of eyeballs
| to help you with them, assuming you haven't spotted them
| yourself already.
| andy_ppp wrote:
| I think the point is internal and external code reviews are
| two different beasts - no harm in getting an external kicking
| to improve the coding practices. However, with nobody having
| skin in the game to get external code reviews into the
| codebase, they will largely be ignored as "nice but we have
| work to do". How could a product like this (I think I've seen
| a few) solve that human nature problem?
| mncolinlee wrote:
| They're truly different beasts, but each has clear value.
| As but one example, I've seen outsourced apps for financial
| firms where there were literally hundreds of basic security
| flaws. Would you trust the same review process that allowed
| those PRs?
| nick007 wrote:
| I am a PullRequest user/customer. I shared some of your
| concerns when I first heard about them, and was admittedly the
| least on board them trying them vs the others on my team. In
| short, I didn't believe that an outsider could provide adequate
| reviews and that, at best, an outsider would supplement our
| internal review process. I was wrong, and have learned several
| things about code review from this company.
|
| 1. Once ramped up, PullRequest provides consistent reviewers
| for project, even down to fairly granular sections of the
| codebase. i.e. we'll get the same reviewer or sets of reviewers
| who review code for backend architecture changes, a different
| person (but consistent) who reviews security code even within a
| monolithic repo. These reviews feel like a real part of your
| team after a while, but fully focused on providing quality
| review.
|
| 2. It's true that the reviews are not involved in initial
| planning conversations, but in practice this turns out to be
| moot or even a net positive. This is because they are providing
| a removed perspective on the review. I can think back to one
| time very specifically when the team planned to implement a
| feature in a specific way. An engineer went off and did so as
| had been planned by the team. An internal review from any of
| the original teammates who had planned the feature with him
| would have immediately approved the PR since it was exactly to
| the original spec. However, our PullRequest reviewer caught a
| MAJOR VULNERABILITY that the feature's architecture had
| presented. Thus, a fresh set of eyes from an outsider who knows
| our codebase but is not involved in planning/implementation
| discussions was critical. IMO this is one of PullRequest's
| greatest value-adds and why I will always advocate using them
| /other services like them no matter what team (though I don't
| know of any comparable services, though I suspect more will
| arise and 3rd party review becomes table stakes, but that's a
| different discussion).
|
| 3. The people that PullRequest gets to do reviews are top
| notch. In some ways, overkill from what would be required to
| actually develop a feature from soup to nuts, but it gives us
| more confidence to let junior developers run more freely on
| larger features knowing that they will have to pass code review
| from PullRequest.
| kevingibbon wrote:
| My company has used them before. I thought the same before
| using them. However I was surprised the level of talent they
| have. For a super senior dev the context that you need for most
| projects isn't as much as you think.
|
| It was a net positive for us. Sped up our developer process
| given its so hard to hire senior devs right now.
|
| They also have domain experts. So say you are using some tech
| your team isn't as familiar in. Great to get some extra eyes of
| that code to check for security issues, potential computation
| issues etc.
|
| Also they are much more broader than their company name
| suggests. Think of them as developers as a service. In this
| hiring environment it's much needed.
| walkingriver wrote:
| I'm one of those reviewers, and I agree with you about the
| talent. Not speaking about myself, but the people I've gotten
| to know and also the ones I have referred.
|
| Each PR gets two reviewers from pullrequest.com, and we get
| to see each others' comments. One will catch stuff the other
| misses, and we usually support each other. It's most
| fascinating when we disagree on something, which so far has
| always led to a high-quality discussion between the engineers
| and the reviewers.
|
| I've been working with them for most of 2021, and I can
| honestly say I'm impressed with the review comments I have
| seen. It's been nothing but respectful and professional. As a
| plus, it's made me a better code reviewer at my day job.
| gavinray wrote:
| You do this on the side of your dayjob for extra income?
| mncolinlee wrote:
| I have certainly done this. PullRequest bought the
| Moonlight developer gig platform. A lot of full-time
| developers from Moonlight also took on gigs from
| PullRequest as they've been using the platform to sell
| their service. I'd guess most reviewers have other jobs
| or contracts.
| koblas wrote:
| As somebody who's done a bunch of reviews on the platform you
| realize a bunch of things about development that we don't want
| to admit. When I review code for my own team (for my day job),
| there are many times where internal pressures on my time will
| make me prematurely stamp LGTM on one of my co-workers PRs that
| I trust. When I'm doing reviews on PullRequest I remove the
| "trust" marker in my review along with this strange thing
| called "economic compensation" where I'm paid to spend time
| working on it, rather than having somebody ding me for not
| completing some other task that needs to ship this week so I
| spend more time reviewing the details.
|
| I think there are a few levels of code reviews that should be
| in place.
|
| * Automated checks eslint/typescript as examples, you would be
| surprised at how many companies don't have this!
|
| * Best practices -- react hooks, golang interfaces, calling
| conventions...
|
| * Testing -- are the tests structure to test good and bad, are
| they brittle? * Security -- Did you build the right IAM role in
| terraform, did somebody just checkin their GITHUB key (ok, that
| should be automated).
|
| * Performance -- Is that Promise.all going to dispatch 1000
| calls in parallel.
|
| * Architecture and inter dependancies, there is a limit for a
| 3rd party here.
|
| Now if you're the Lead/Architect on a project and at a minimum
| you can outsource the Best practices / Testing portion of the
| pull request to a 3rd party you now can focus on the
| architectural dependancies that are really what you care about.
|
| As an architect you can easily provide reviewer notes to the
| person doing the review that you are interested in focusing on
| specific areas of improvement across your team. Giving you the
| coverage to focus on the high level issues and inter
| dependancies while not focusing on variable names or test
| coverage.
|
| Your time is valuable, you should spend it on character
| development not on the punctuation.
| FullyFunctional wrote:
| That was my initial reaction too, but then I thought "using
| such a service might encourage the code-based to be external-
| reviewer friendly?". That is, instead of all the shared
| history/context that internal reviewers have, make all that as
| explicit as possible, ideally in the code, or at least in good
| code comments. Would also go a long way to avoid the "bus
| factor" (or more commmon: the "sudden-quit factor").
| 6510 wrote:
| No one has to die or quit. You could just hire a new dev who
| doesn't have to wait for someone to explain the relevant
| parts of the godzilla object.
| mytailorisrich wrote:
| This implies that you have no-one in your team to do code reviews
| and that you're fine allowing random third parties access to your
| infrastructure and a peek into your projects and code base...
| Both the premise and the proposed solution sound very odd to me.
| walkingriver wrote:
| Most projects I have reviewed for pullrequest.com have
| reviewers on the engineering team also. In a way, we are
| helping them get better at reviewing their own code. I imagine
| that some teams won't need us after a while. On the other hand,
| in some projects we have become trusted members of their teams.
| z3t4 wrote:
| > Unlimited lines.
|
| I wonder how long it will take them to go though my entire code
| base
| antonpuz wrote:
| I've greatly improved as a developer by reviewing code, this
| improved my project and improved team alignment, that's much more
| valuable than getting inputs from human linter.
| booleandilemma wrote:
| And I'm guessing their reviewers work for free, like on Code
| Review Stack Exchange?
|
| Or are these people working for relative poverty wages overseas?
| senko wrote:
| > And I'm guessing their reviewers work for free, like on Code
| Review Stack Exchange?
|
| No need to guess, it takes 20 seconds to check:
| https://app.pullrequest.com/signups/reviewer
| GrahamCampbell wrote:
| Reviewers are well-compensated, meaning pullrequest.com can
| attract very high quality reviewers.
| walkingriver wrote:
| I am a reviewer on pullrequest.com and I can assure you I do
| not work for free. Many of us are Senior or Lead developers
| with day jobs, who do this as a side gig and to keep our skills
| sharp.
|
| During my code reviews, which tend to revolve around Angular
| and Ionic (that's what I signed up for), I have found lots of
| outdated practices. I can often provide advice on how to make
| their code better, show them features that are deprecated and
| how to address them, and generally make their code better.
|
| As another reviewer has pointed out, we can see the entire code
| base, not just the current diff. We tend to work with the same
| companies repeatedly and become familiar their project. Some of
| the engineering teams treat us as part of their team and ask
| for advice, which is really cool.
|
| Doing code reviews for pullrequest.com has also made me a
| better reviewer in my day job and has changed the way I
| approach my coworkers. It's truly been a win-win.
| joshgrib wrote:
| Can someone give a solid and succinct review of doing this as a
| side-job? What was 1) the hourly pay, 2) language(s) you
| reviewed, and 3) how was the work?
| racl101 wrote:
| Human linter?
| game_the0ry wrote:
| How is this not the same as contracting a freelance dev? You
| might as well contract through wipro / infosys / tata / cognizant
| / hcl.
|
| I am annoyed at how replacing software engineers is somehow
| viewed as a business problem that can be solved as a SaaS
| business or no code tooling.
|
| PR's customers need to hire more developers and pay them well. It
| is expensive and hard, but that is the market business people
| need to accept.
| srhaegrfes wrote:
| Putting aside IP and feasibility concerns, what is the longterm
| roadmap? This is obviously not a VC scalable product business if
| it acts as a broker to (albeit expensive) human consultants.
|
| Are they hoping to get enough training data from the consulting
| practice to bootstrap an AI code review product?
| cptaj wrote:
| I've never seen outside consultants make useful contributions to
| a project. This is even worse.
|
| Thanks, I hate it.
| pelasaco wrote:
| I'm imagining that to make such service profitable, offering
| something like $699 per developer per month, you are not hiring
| reviewers from USA, right?
| Recursing wrote:
| From the FAQ:
|
| > Reviewers earn anywhere between $50 and over $3,000/week.
| Earnings are based largely on the amount of time spent
| reviewing on the platform and the type of code being reviewed.
| PullRequest's payment rates are comparable to those of a
| senior-level engineer based in the US.
|
| > PullRequest issues weekly payments based on review activity
| during the preceding week. The time that you spend reviewing is
| tracked through our platform; reviewers are not required to log
| hours or invoice.
| pelasaco wrote:
| > Reviewers earn anywhere between $50 and over $3,000/week.
|
| They are operating just like a freelancing platform, right?
| How many hours is a "week" for them? 40 hours?
|
| > PullRequest's payment rates are comparable to those of a
| senior-level engineer based in the US.
|
| Like include life and health insurance, paid vacation,
| profit-sharing, a generous signing bonus, and more?
| lambic wrote:
| Why don't you say what you're thinking instead of
| disguising your opinions as questions?
| yjftsjthsd-h wrote:
| Let me try: This looks way too cheap to be able to afford
| good enough reviewers to be worth using; if someone is
| good enough to be able to pick up a new codebase and
| usefully review changes that quickly, they'd get a better
| paying job.
| breakfastduck wrote:
| If you read the rest of this thread you'll see numerous
| reviewers from the site giving their 2 cents. Much
| preferable to just making assumptions.
|
| It's pretty clear that the people offering the service
| are doing it as a way of gaining extra income on the side
| rather than a main employment.
| hunterb123 wrote:
| He's got a point.
|
| $50-3000 / week tells you nothing.
|
| They should tell you the avg $ per hour.
| mgkimsal wrote:
| Quit perpetuating the tying of these basic things to the
| standard employment model. Get 'employers' out of the
| business of managing access to health care for employees.
|
| Let people 'pay' for their own vacation.
|
| You can provide 'profit sharing' to non-employees.
|
| Give me $3k/week and let me manage this myself vs giving me
| $2.5k/week and telling me how awesome my 'health insurance'
| is. I want my access to health care impacted by as few
| third parties as possible - adding in employers to the mix
| is completely the wrong direction.
| scubbo wrote:
| That would be lovely, but pelasco's point is still a good
| one. If PullRequest _only_ pays "rates[...]comparable to
| those of a senior-level engineer", without those extra
| perks (and, to be clear, I agree with you that in an
| ideal world those perks would not related to employment),
| then PR's actual total comp is actually effectively much
| less than for senior-level positions.
|
| So, we can infer that higher-skilled individuals will
| take the more highly-paying positions, and that the folks
| working at PR will be less-skilled or juniors. That's a
| gross over-simplification, of course, but it probably
| bears consideration.
| pelasaco wrote:
| $3k/week is not a metric, if you don't define a week. 40
| hours? 168 hours?
| wodenokoto wrote:
| When I saw the 200/hour pricing I thought "that actually sounds
| reasonable", but how is 699/month for unlimited review going to
| work out?
| cannonpalms wrote:
| This tells me that the pricing model is likely based on a
| previous usage study. They must have found that the average
| user requests less than 2.5hrs of code reviews per month.
| Otherwise, the pricing doesn't make sense to me.
| danuker wrote:
| Well, something has to give. Perhaps the devs work 4h/mo, so it
| is just a slight discount compared to the hourly rate.
| ivanche wrote:
| "All of our employees, contractors, and reviewers are based in
| the US and Canada. "
|
| https://www.pullrequest.com/faq/
| walkingriver wrote:
| For many of us who work for pullrequest.com, it's a side gig.
| Some are full-time, but I have a day job. I like to do 1-2 PRs
| per day, and it pays for my iPhone and MacBook habit.
| adamqureshi wrote:
| Im a 1 MAN SHOP and i hire contractors ( engineers). I am not
| sure if this a good fit for me? My main concern is of course
| cost. Do you provide feedback on what todo with the software
| stack? ( can my guys implement a new plan provided by you?)and
| 2nd question is do you provide pay for service, for example if i
| am interested in a new software architecture and my guys just
| code it up / follow your plan / recommendation. Thx
| speby wrote:
| Gosh, building any tools that target developers as customers is a
| gargantuan task. Kudos to you for attempting something new here
| and giving it a whirl. We developers are some of the harshest
| critics around, no matter how legit or unfounded our criticism
| may be. Keep it up!
| soheil wrote:
| I lot of people are saying CR is a way to transfer knowledge
| within a team. I think they're missing the point. Sure, you can
| transfer knowledge within a PR but don't you think that's a bit
| late? By the time CR is requested, the code has been written, the
| architecture has been thought of and so much time has been wasted
| doing the "wrong" thing. It's a horrible way to learn/train.
| 8organicbits wrote:
| I noticed this requires LinkedIn for signup, that's too bad. I
| deleted my account years ago once it became a major source of
| spam. I think this is the first place I'm seeing it required.
| Strikes me as an odd requirement.
| smalter wrote:
| i've used pullrequest a bunch and had great experiences with the
| product and company.
|
| mostly used it in small companies with 1-2 devs where it helps to
| get another pair of eyes on it. also, helpful as career
| development / learning for a junior dev.
|
| happy to answer any questions.
___________________________________________________________________
(page generated 2021-12-20 23:00 UTC) |