Ask HN: How do you handle code ownership?
Interested in finding out how you guys approach code ownership in your respective workplaces. This could mean for sources, feature areas and bug routing. What do you like and dislike about your current process?
67 comments
[ 2.4 ms ] story [ 140 ms ] threadBugs by default get routed to the person who wrote the code (presuming that we can tell which code the bug is in). If that person finds out the bug is somewhere else, the bug gets transferred to a new owner.
What if that person leaves the company? Can that information get old.
That was the root of some very toxic teams I've seen. Because it built a lack of shared ownership as a team, it inspired competition instead of cooperation, and people would just ignore problems because "it wasn't my code".
Admittedly, that is a problem with the leadership that took the team to that place, but I'd be interested in hearing counter-examples of how to avoid such pitfalls.
- Ownership is only the point person of knowlage/direction/insights
- Anyone can work on the code "owned" by someone else
- Idealy the writer fixes their own bugs and does their own refactoring (for speed and learning reasons) but that should NEVER obstruct delivery of a feature or value add to the company.
The moment a team starts pointing fingers for issues or starts building moats around "their" code then you have a toxic environment.
I have just the opposite problem. No one else wants to add features to code that I wrote because they don’t want to ramp up.
This isn’t difficult to understand code - some of it is less than a 30 line Python AWS Lambda function.
The process is documented in the repo in the readme.
I'm not saying yours is like that, but I've definitely seen that happen.
- end to end integration tests - if they are APIs, they for the most part have a Postman collections in the repo. If they are event based lambdas, they have the standard
Code that calls the handler with dummy data.- build pipeline and manual resource creation. It’s so easy to export a SAM template from the console it’s criminal to not at least do that. But, yeah we have a CodePipeline to do that.
I have been on the other side though of inheriting a lambda and wondering how the hell did they go through the write->debug->fix cycle? Did they actually load it to AWS first? I spent a day creating a “test harmess”. Not real AAA unit tests, just something I could run locally to debug.
this is such a key factor to preventing the toxic attitudes that can develop, imo.
At the end of the day, everyone who touches the code base is "responsible" for keeping the machine running.
Any team that favors blaming/shaming for bad code should be avoided at all costs. The mindset should be "what is wrong? How do we fix it? How do we prevent it in the future?" At no point should "who did this?" enter the equation, unless they are harboring some secret fix that no one else knows about (and this just points to other deficiencies in the process).
2. Code is owned by teams of people and not individuals.
The definition of "folks" is "people in general"
I'm not sure what point you are trying to make here.
I'm not saying there's no reason to reconsider language choices. Frankly, I agree overall that this phrase and its derivatives should probably be slowly retired, if only to avoid the occasional confusion. My point is only that even in colloquial usage there are patterns involving "guys" that are clearly gender-neutral at this point and have been for decades.
Yeah, that's fair. I think we can agree that the meaning is ambiguous.
TBH I just figure that "folks" is a change that might, in some cases, make some people feel more welcome, at basically no expense in time, effort or clarity. Seems like a decent cost/benefit to me. But I don't get up in arms about it - this thread notwithstanding. ;)
And now I'm tired of talking about this. :)
In many contexts I think it should be clear enough whether an inclusive or gender-specific meaning is intended, but some people may prefer to avoid any risk of misunderstanding by choosing a different word.
And unfortunately, as seems all to common these days, some may choose to see offence where none was intended.
> Thought Experiment #1: Imagine a room full of men and women. Someone stands at the front and says, “I want all the guys to stand up.” What happens next?
I don't know where I personally land on this debate, but the points are cogent.
You guys - gender neutral. The guys - gender specific.
I think a lot of people who are annoyed by the term guys don't like the fact that there is a word that has both gender neutral and gender specific definitions being used as gender neutral.
Dudes is another one.
Spanish has an explanation for this (which i think is what people are frustrated by).
Ellos => them male Ellas => them female Ellos => a group of 10 women with one man in the bunch
Still gender-neutral?
https://www.etymonline.com/word/Man
>Old English used wer and wif to distinguish the sexes, but wer began to disappear late 13c. and was replaced by man.
It would be pretty awesome if we'd kept to the wer/wif tradition. It'd make modern conversations a ton easier. Also, I'm fully onboard with calling males wermen or werman.
Final note, a female werewolf would be a wifwolf.
Sorry to totally geek out but I just wanted to point out the fluidity of definitions.
Imagine a group of cishet men saying : "I'm off to the strip club to see a bunch of guys taking their clothes off and dancing in a provocative manner."
Does that seem reasonable? If not, then the term "guys" is gendered.
On top of that, most of the women I know feel that "guys" is a term that excludes them. That's enough for me to avoid using it.
I also enjoy the slight irony of advocating grammatical accuracy in a thread that uses the word "owns" to indicate "is responsible for maintainance, failure and modification", or what the top poster defined it as, or some other meaning that's definably not ownership ;-)
My rule is that once you submit the code for review and it passes and gets merged everybody owns the code. Everybody.
The person who is modifying the code has the responsibility to identify the best reviewers (by looking at history, chatting with others, etc) to ensure high quality and understanding.
But once you're talking about a service, or code that is only used by one service, then you need to have an owner (or a team of owners). If you still think there's no owner, then ask yourself who is going to get woken up at 2AM when it breaks, and that's your owner.
IME even in small organizations (<20 engineers) it's very easy to end up not knowing enough to debug everything, and your on-caller basically becomes a smart router. ie, they can debug enough to figure out that it's a DB problem, and then wake up the DB guy. This becomes really annoying for the on-caller, so there's an impetus to have more focused paging groups, and now you're back to having owners for services.
what you can have is an interface to another service/team that represents the boundary of your service. When shit breaks and you isolate the breakage to this dependency you wake them up (preferably you detect and you raise this automatically). bonus point if you thought about this as you were building your stuff and your service can work in degraded mode while the thing is solved.
owners for services if okay as long as owner == team. if owner == individual you're doomed + people owning critical things will hate you and their job.
This is pretty much the exact opposite of your assertion at the beginning of this thread, to wit:
>once you submit the code for review and it passes and gets merged everybody owns the code. Everybody.
Anyway, this last comment I agree with entirely, and is pretty much what I've been saying all along. So I'm glad we can agree.
>you need to know how the thing that you're responsible for works Agree with this as well, but a critical point is that "the thing you're responsible for" may be subset of "everything" in your organization. Maybe even a relatively tiny subset, in a large organization.
my point was that you should not have individual code ownership and individual gatekeepers. I can see how that might be misinterpreted.
As unrealistic as it sound, yes, if you're oncall you need to be able to understand the problem and fix it/mitigate it at 3am. This opens another can of worms around what is worth of a 3am page and how development, deployment and monitoring should be done but if you wake me up I should be empowered to do something about it
Nothing is more frustrating than a single person pushing code that the other devs don't agree on and do have to fix/maintain actually.
Generally each of these entities is grouped into some bucket for an application / "system" / business area, and then that bucket has a few owners assigned, and also other non-ownership roles assigned (developer role can check in code to those repos, prod support role can log into the servers owned by the bucket, etc).
It's generally heavily integrated with an LDAP directory, HR system to handle joiners and leavers, and also change management (Developers can only ssh to a production host during the change window of a change for that bucket).
These home-grown apps are generally old and clunky (written for IE6, with piecemeal improvements since then, that kind of thing), but hard to replace because they're integrated with so many other applications.
I tend to think that this would be a good opportunity for some (startup) to do a great job of this as an off-the-shelf product, with good integrations with Linux + Windows authentication, an API, nice web app, etc - it would be very easy to do better than the in-house systems filling this niche.
These teams are from all over the world, and many of us have never worked closely before this project began.
When we first started the project, we decided to split the UI into feature projects which are packaged and referenced in the common project. Each team owns their own feature projects; however, everyone is welcome to contribute PRs to any of the projects.
Some of our projects are shared and maintained by many teams, but we always have one team that owns each project.
Helps to document things, so you at least have something to throw at people when they come asking.
About 67% of our code is some form of Ruby - some of it Rails, some of it custom Ruby code running in Kubernetes+Docker processing data.
The other 33% of our code is Rust - and not just service side code but Rust that has to run on multiple platforms with varying deep operating systems knowledge.
My team generally owns Features and Releases related to the Rust code because two of the three members are OS programmers by experience. That said, we don't exclusively work on the Rust code and sometimes wander into the Ruby code base.
Similarly, other teams occasionally need to update the Rust code to generate some new data - a lot of that is pretty basic stuff and doesn't require deep OS knowledge. So they'll make changes there.
Since our stack is so heterogenous, it's hard to have everyone work on everything. However, from what I know of most companies outside Apple/MSFT/Google/etc, they're gonna fall in the "we own web services" where the only real bifurcation will be "frontend code" and then "middle-to-backend code". Maybe throw in some apps as well.
=========
Now all of that said - the reason we went to teams owning "features" and "releases" was to push folks to not be possessive of code. Stuff changes and it changes quickly, so there's not much use trying to isolate folks. Document gratuitously, test heavily, and refactor often.
How do you respond to emergencies when your people don't own projects or code bases? Who gets woken up at midnight? The person responsible for the latest release? Wouldn't that discourage people from deploying new releases?
Basically SRE takes the page - if they can't troubleshoot it or restore it to normal service, then the on call engineer gets called.
In our case, we're still small enough that one on call engineer has to take the load regardless of feature/product.
The exception is the aforementioned Rust code base which calls myself or the other engineer. But this is because it's not running on our infra - it's running on customer boxes so that's a different support story.
Re:
> How do you respond to emergencies when your people don't own projects or code bases? Who gets woken up at midnight? The person responsible for the latest release? Wouldn't that discourage people from deploying new releases?
Culturally, our engineering team doesn't really tolerate "not deploying". That's not to say that you're being measured by number of deploys like some sort of perverse "IBM Lines of Code" metric - but you're expected to be deploying code as it's ready via PR + Tests.
It's not a perfect system but we've tried pretty hard during hiring to select folks that are well aligned with how we think about this. No one gets to own their space and no one is immune from rolling their sleeves up and figuring it out. If that isn't someone's thing, we try to find that out during the interview because it doesn't fly internally with the team.
I've been wondering if you could add a comment to the top of files to indicate ownership (//owners:someTeam, someGuy). Then your CI could parse the modified files and require a review from a team and/or send a notification to said user.
https://github.blog/2017-07-06-introducing-code-owners/
hum.. person left.
recode my way around that code so the new feature works and I'm not tagged as the owner by future git blames.
/sarcasm. I think.
https://www.softwareyoga.com/individual-code-ownership https://www.softwareyoga.com/collective-code-ownership
That's what we mean when we say "ownership".
Your question implies a single person owning a specific feature or system component ad infinitum. That's generally a bad idea. Yes, some people will naturally have more experience/expertise in some areas. Yes, those people should be called to review PRs/releases in those areas. But your long-term goal should be to increase your bus factor[1] and spread knowledge. It is a win-win: it improves velocity and reduces risk for your org, while also giving your engineers a chance to learn and grow professionally.
Long-term silos of ownership shouldn't be your goal.
[1] https://en.wikipedia.org/wiki/Bus_factor
The team I'm on has three developers (I'm one of them) and for our team, we just kind of fell into ownership of different aspects. I deal with the programs that are customer facing (CDMA and SIP interfaces); the second developer deals with the business logic (a separate program) and the third deals with SMPP (also customer facing, but not as critical as the CDMA and SIP interfaces). And it's not like we (my team) are fiercely protecting our turf (each of our programs)---I have worked on both the business logic and SMPP service, but generally, each of us just gravitated to what we find enjoyable.
I do not know how the other teams divide their work.
Bug reporting is pretty each to route as each portion of our service is clearly delineated (with the possible exception of the Android core and UI teams).
As far as features go, it depends upon the feature. Yes, there are some features that affect all the teams (such as number to name translation---have to provision that, deal with obtaining the info during call processing and having the phone receive and display such information) and some that only affect one department (like supporting SIP---largely my team).
[1] I work in the call processing side of things.
In my workplace, we use the above model for almost everything. And there is one old code base where we use Github code ownership feature to force everyone to ask for a code review from owners. But even there, it doesn’t happen very often that people from different domain need to touch a code of another domain.
And that is the second point as well. Dividing responsibilities base on domains instead of components/modules between teams make it easier as most of the time they are not going to touch a code outside their own domain.