314 comments

[ 3.4 ms ] story [ 224 ms ] thread
I always really enjoy reading both the Raycast and Linear engineering blogs because they’ve really got a great approach to empowering distributed teams, and giving engineers the autonomy to work well.

I can’t necessarily say this approach would work everywhere but it’s nice to see companies critiquing and challenging methodologies.

I'm glad this works better for them, or at least they feel that it does. I'd also bet that they're either a small minority of teams that jell so well that they manage to scale a codebase without it turning into a disgustingly inconsistent mess; or that indeed their codebase qualifies as such or is still too small for the effects to be very visible.

Code reviews are not a tool intended mainly to catch bugs. Types, automated tests and manual tests are going to do the bulk of your bug-catching after all. Code reviews' more relevant purpose is to act as QA for the code itself far more than it is to verify if the code achieves what it sets out to do. This is in service of both maintainability (which impacts your ability to make future changes and staff retention) as well as performance (by introducing the chance for another dev to detect suboptimal approaches).

Once your teams grow, code piles up, and static analysis can't cover all your bases, either your team corroborates the code that you write matches/defines group standards; or each developer's careful design accumulates as "organic growth" carefully duct taped together to barely work.

And just to state the obvious, code reviews are merely a tool to achieve this. Pair programming is another.

> Code reviews are not a tool intended mainly to catch bugs

Well, not to detract from your point (I agree), but what little research has been done in this area suggests that code reviews are actually one of the best ways to catch bugs: https://kevin.burke.dev/kevin/the-best-ways-to-find-bugs-in-...

The source actually says that informal code reviews are very poor way to catch bugs, while formal code reviews are one of the best.

I don't have "Code Complete" at hand to follow up on that, but I strongly suspect that the formal code review was defined in this research as reviewing the entire codebase line-by-line on meetings. As opposed to reviewing just a single change to the system.

Can you/anyone shed some light on this?

(comment deleted)
My reading is that a formal code review is still focused on a single change, but with a more explicit/required process for review. This sentence in the article backs that up:

> Before any code at Google gets checked in, one owner of the code base must review and approve the change (formal code review and design inspection)

That's clearly referring to a specific change, not a review of the whole codebase.

I used to work for a large company. They have homegrown review software with extensive checklists of criteria the code must meet before it can pass review. The software won't let the code progress unless two reviewers go through and explicitly check off every box to certify it meets their standards. I'd call that formal code review.

I work on a smaller team now. We do consistently perform code reviews, but there's nothing actually preventing someone from merging without a review. We also have a list of things to look for when performing a code review, but nothing forces reviewers to look at the document regularly. That process is closer to an informal code review.

I still find bugs regularly when reviewing code. That's both true of other people's PRs as well as my own. I imagine there's a lot more variability with an informal process than a formal one, but IMO informal review is still useful. Code review of course also provides benefits other than bug detection.

I always review my own PR before passing it to someone else. Another commenter recommended that practice, and I heartily endorse it.

IMO code reviews are a tool for mentorship and keeping architecture in line
They can also be used for bullying, micromanaging and other social constructs
something, something, quote about all tools being able to be misused.
> Pull requests don't prevent bugs Pull requests find bugs on every software and hardware team I have ever participated in. I cannot imagine living without this process. PRs increase knowledge and awareness of features. I fully concede that it is discouraging in some circumstances, but those tend to be the exception, not the rule. Most often it’s discouraging around a core set of individuals who bring more dogmatism and policing to PRs, which aren’t entirely welcome. Power to this team, but either they’ve discovered the holy grail, or they will be compensating for this in some other internal process, certainly not user feedback.
Couldn't agree more. I'm fairly certain that I'm a better coder and team member than I used to be because I was part of both ends of many many PRs.
Luckily Raycast work in an unregulated industry. In a lot of regulated industries this would not be an option as 4-eye reviews are a mandatory policy requirement.

I also don't know how smart it is to brag about, seems like just asking for something to go wrong.

I think this would work really well for a small and experienced team, though where I work, we have a lot of developers fresh out of college, and I would be pretty nervous setting them loose without close review of their work.
Especially because a HUGE benefit of code reviews is exposure and knowledge transfer. For us it's a key area where anyone can get insight into the how and why, plus control their participation from requester/reviewer to passive observer. It's actually a pretty poor place to catch bugs introduced by new, junior devs.
The idea is not that everyone has to be omnipotent, it's that you trust people enough to send for review and ask for help when appropriate, instead of always. I.e. when you're new to the code base or language.
I don’t think I’ve ever reviewed code from a new hire that didn’t have multiple problems or style issues that needed to be addressed. That’s also actually true for code from most experienced devs too. And it’s rare for my code to get through code review with no issues found. So bottom line, I just don’t think this would work for most teams and developers.
> I just don’t think this would work for most teams and developers.

Most teams and developers don't do code reviews because the only person that could do code reviews would be the developer himself.

Do you mean to say that most developers work alone, so don’t have anybody to review their code? That’s probably true for hobby projects and the like, but companies rarely have teams of one working on anything.
> Do you mean to say that most developers work alone, so don’t have anybody to review their code?

Yes and no. They do work in teams, but this teams are so small, that everybody has 'their' part of the code, where nobody else even takes a look at, much less changes anything. I'm talking mostly about non-software companies.

Btw. most people that actually do work alone are self-employed. But code reviews don't make a sense if there is no other developer.

New hires definitely fall in the category of where code reviews (and many other forms of knowledge sharing) make sense. That's not what this is about, it's about that they become mostly ritualistic when mandatory, the same way that standups and many meetings are often useless, especially when mandated for no clear purpose.
He mentions "trust" a lot.

Is that why we do code reviews, because we don't trust each other? I find this attitude problematic. We do code reviews because humans make mistakes. Requirements can be misinterpreted. Different work in progress can be in conflict with each other. Reviews are a good way to learn from each other and keep abreast of what work is occurring outside your own bubble. Not doing code reviews because of "trust" kind of misses the point.

I find even just cursory and brief code reviews are beneficial and often pick up on issues. It also creates a more collaborative team and gives me a reason to communicate with devs I might not otherwise communicate with, even if that is just a brief comment on a PR.

Rejected.

If something hit production and caused a major fuck-up because there was no peer review process, then in all the places I've worked at the first action item in the post-mortem would be "we should introduce peer review." Otherwise someone would ask how we could ensure it wouldn't happen again, and no one would be able to say "because we trust them," and leave it at that. It would sound more like "I trust you will never make that mistake again," which sounds more like a threat. You also can't go to your clients and say "sorry, we let our team deploy stuff without reviewing because we trust them... so please continue to deal with our avoidable problems."

Thing is, I've lead my fair share of teams and I trust my team-mates and colleagues implicitly. It makes for a strong team. But we still do code review (peer review) because we want to build software that works well and support each other. We're not in the job to simply deploy code to prod as quickly as possible.

I'd also add that I think any software engineer should try and have the experience of working in a highly regulated field, like healthcare. It's hard to get an appreciation for why these things exist until you realise you're held to a much higher level of accountability because your oopsie moments can have much larger consequences. For me, it's been hard to go back to my old, cavalier attitude after that.

Causing a major fuck-up in production is probably also a sign that you need better release validation and deployment practices.
For many developers, people merge their branches directly to production so the pull request review is where that checking happens.
Ok, but many companies don't use such ridiculous process.
iirc Google does it, it's not ridiculous at all. You need a lot of automated tests and canary deployment to pull it off though.
Not really. Googler merges to HEAD, but systems aren't running directly from head.
It's not as ridiculous as it sounds as long as the testing and verification happens as part of the PR.
Sure, but then you are just begging the question: if you have a better process for release verification you might not be need any per-commit code review at all.
If you want to learn more about this, read up on 'continuous deployment'. I remember when I was first exposed to it it seemed dangerous/scary but with the right culture changes it can work really well; lots of companies do it.
Sure, I mostly meant automated processes. They won't always save you from yourself but doing blue-green, having an extensive test suite, etc, are all things that will help reduce the risk of a bad deployment.
Yeah exactly, code review isn't a good place to catch actual bugs. Humans are terrible at catching bugs consistently... Humans probably introduced those bugs in the first place. It's also an exceedingly poor use of human time, which costs a heck of a lot more than machine time.

We really should be relying on automated systems to catch bugs for the most part, and leave code review for what it's good for: making sure a different human can understand and maintain the code.

In fact, if we manage to catch a bug in a code review that didn't also trigger our automated systems to alert us, that should probably prompt us to look into how we can expand the coverage of that automated system, similar to what we'd do in a postmortem if the bug wasn't caught in code review and reached production, because we can't rely on that happening the next time.

How do you systematically (and proactively) ensure your testing is thorough? With testing you often run into unknown unknown cases.

I’ve always code reviewed/gotten code reviewed on both the implementation and the tests, with completeness as the main quality you’re reviewing test code for. If that’s how we do it, we’re right back at code reviews.

That's definitely an unsolved (unsolvable?) problem. The best we can really do is start with a common sense set of initial tests based on the user observable behaviors we want from the system and then add more tests organically as we learn more about the system's edge cases through incidents, bugs and regressions.

I'm not saying code review can't find any bugs (in practice bugs are found in code review all the time), I'm just saying that if we do find a bug through code review, it means we got lucky, and we shouldn't count on getting lucky again, so better add a test/linter rule for the next time when we might not get so lucky. That's just one more way to grow your automated systems organically.

> code review isn't a good place to catch actual bugs.

Disagree, but it's also a good place to be ensuring that the system is evolving in a way that is reasonable and consistent — or that it is unreasonable and inconsistent for good reasons.

If there's one thing I've learned over many years writing lots and lots of automated tests for everything is that no matter how far you go with your tests, barring formal proofs or equivalent, the tests cannot save you from, at some point, breaking production badly. One small, tiny thing that slipped through your tests and boom - huge fuck up (even small things can easily cause your whole new feature to fail miserably on the big launch).
> to fail miserably on the big launch

What big launch? :) Is useful to feature flag new functionality so that you can release gradually and spot the bugs - often via error monitoring and user feedback - before they affect everyone. Yes, realize it can happen but there are techniques to minimize the chance of it happening.

Exactly. I want my code peer reviewed partly because it makes it clear and formal that while we succeed as a team we also fail as a team. It’s much easier to talk about failures when a failure doesn’t have a single person attached to it.
> I want my code peer reviewed

TFA:

> Engineers [..] request reviews when they think it's necessary.

Problemo solved.

Good engineers will ask for code review. Most engineers won't.
> Good engineers will ask for code review

...when they need it. Actually, really good engineers will ask to pair when they need it. Review is a distant second.

> Review is a distant second.

I agree with you there, but I'm also sure that one reason for this is that many people still see reviews as the task that only happens after everything else.

I'm convinced there's a lot of useful middle ground to be had if reviews aren't just "here's 500 LOC, please review", but maybe more… staged.

Say: Rummage around in the code a bit for yourself (ask questions if you have to), come up with a strategy of solving your problem, and submit that for review. Not in code, but maybe using markdown, preudocode, small diagrams or the like. In person (i.e. via screenshare nowadays). And if the other party doesn't find obvious holes in your strategy, then go implementing it.

I remember an interview with some Linux kernel maintainer that mentioned the same effect -- people submitting a gigantic patch for something that will simply never be merged. And all that would have been necessary to avoid this wasted work was an e-mail asking if the maintainers are at all interested in the change.

Sure. But if you read my previous message this relies on people being comfortable asking. I am but not of my colleagues are. The formal process would let them use the benefit that I can use when I think it’s necessary.
> people being comfortable asking. I am but not [all] of my colleagues are.

Then that's what you need to fix.

Yes. And formal processes are 10x easier pthan magically “adding trust” or “confidence” or “seniority”.
If code reviews aren't an expected part of the development process and there's pressure on delivering, it won't happen.
I don't believe that to be true. I believe the expected outcome is that people will still want code reviews on anything vaguely complex as insurance against fuckups. "Shit, WE missed something" is a nicer place to be than "I was sure I was perfect and I'm actually an idiot".

It does however mean you don't sit around waiting for someone to approve a three line delete PR that you know is safe. The "Rubber Stamp" review is a thing and it does waste time.

Since I am currently working in an environment that resembles GP's premise, I have to say that I find this take to be way too optimistic.

I'd be exactly in the boat you describe (and actually: I've yet to see a situation where someone reviewing my code did not lead to improvements). But: If I want my code reviewed, I have to actually fight for it. Since everybody's workload is too high, even the willing often simply don't have the time.

From higher up, at our place, there's no one that actively opposes code review as a practice, but they don't seem to get that it requires investment (i.e. time), either. That means that if management refuses to change their ways of planning or explicitly enshrine reviews as priority tasks, it simply won't happen except for maybe the gnarliest cases.

And that's from a perspective of the change's author being willing and proactive. I work with individuals that produce very questionable code at times. And I'm not talking style here: Code in 2021 that still is prone to SQL injection at every turn. Methods that are hundreds of lines long with a gigantic cyclomatic complexity that no one (including the author) will ever really understand. Method names like "process" and "process2". And so on.

Needless to say, those programmers will never push for their changes to be reviewed. The rest of the team simply discovers them after they blow up (which they do regularly) and we're debugging.

Now, these people are luckily a tiny minority (which at least makes this somewhat bearable), but I over and over again would wish for someone with more authority to show that they're interested in the matter. Which a policy on code review would do -- if only as a signal. Yes, we want to check each other's code. Yes, we want collaboration. Yes, that's more important than some arbitrary deadline for minor feature X. Yes, we expect our programmers to be professionals.

Another symptom of such an environment also is the fact that everyone is the king of their particular hill. No one every familiarizes themselves with another person's code unless they really have to. By now, I've jumped to insisting that every change on a critical component I'll ever make will be done through pair programming, and so far, at least that seemed to stick. But again -- that only happens if both parties involved actively fight for it instead of everybody understanding that this is just an expected part of work.

This is a fantastic comment, thank you for writing it. I especially appreciate the explanation of how management decisions produce engineering practices.
This is where properly done scrum shines, provided the nature of the work lends itself to greenfield work (cycle time of one iteration). Good scrum is a dysfunction surfacing machine, so if you have a good system of risk management in place, the team can address in a constructive way. For all the scrum haters out there, come up with some system that codifies certainty, stability, and quality before your leadership starts pointing fingers.
I appreciate the context and the different point of view! I live in a bubble of how I perceive my coworkers (and indeed myself), alongside the culture of my employer where "getting it right is more important than getting it out"

Was interesting to hear your experiences and maybe update my expectations of workplaces somewhat

Thanks for your response :)

> [...] alongside the culture of my employer [...]

I think you've hit the nail on the head here. As many others have said in different HN posts, culture is hard to change. And I would also understand the argument that one can also enforce culture changes with policies; my hope up to now simply has always been that engineers could "overrule" some artificial time limits in favor of more collaboration by referencing such a policy.

I guess if you're starting from a context where code reviewing practices "just work", introducing explicit policies also can't improve much, anyway. On that note: If you happen to know a good heuristic to detect such cultures during interviews or the like, I would be extremely interested :)

This sounds similar to the peer review process in publishing. Typically, getting other people to actually agree to voluntarily review your work is indeed a significant hurdle if the requested paper/book/chapter/white paper/code review is lengthy.

There is an easy way to resolve this:

     Request peer review for SMALLER chunks of code.
Git makes this exceptionally easy -- it's certainly far easier than reviewing a large document with Word track changes!
The problem is that small changes are barely worth reviewing. Also a series of small changes can obfuscate the larger context of all those changes.

Each small change on its own might make sense and be ok to a reviewer, but if you step back and look at the series of changes together there might be some issues that could have been noticed.

> If code reviews aren't an expected part of the development process and there's pressure on delivering, it won't happen.

This hits at the heart of why I strongly agree with this post and think PRs and code reviews are ultimately destructive.

Reviews are going to get dropped _regardless_ of whether they are in the process or not. Pressure makes code reviews and quality worse, not better.

More than that, the need to "appear" to review is going to slow things down and can cause an exponential back up. I saw this happen about a mouth ago: 3 day release cycle got bogged down and then took _3 weeks_ to get a single release out.

Process goes out the window when pressure hits. You are then operating in foreign environment at the most critical point and your safety net of useless.

Your safety net when things need to go fast should be highly automated fast build and deploy, coupled with great test coverage, from unit to end to end.

The only exception might be if you work in highly regulated field where you legal required to have a very low Mean Time To Failure. In that case things move slow unless you are very well resources.

Otherwise (ie the majority of products) focus that effort on having a very low Mean Time to Resolve. If you absolutely need some form of quality assurance, Pair. Do continuous PRs and knowledge sharing rather than out of context after the fact reviews.

This post sounds like wisdom, but after looking at it hard, it seems that the point is no more than "peer review processes are popular". Not to say that code review is bad in any way (I do it at my current role), but, this argument for them is not very good.

One downside of code review is reduced velocity. There are teams out there who use code review so effectively that they never ship big fuck-ups to production. They never have to tell clients that they have bad practices. Instead, they struggle to get clients because they pay much more per line of code shipped and therefore don't deliver as good of a value as their competitors.

This where the argument needs to be: whether and how to have code reviews be a net positive.

Ultimately I think it's down to where you want to pay for that decision (for want of a better term), or where to put the bottleneck. I think that putting the bottleneck in production (which would block all work unrelated to a fix if a catastrophic fuckup took place) might as well be a hedge against the possibility of things fucking up so badly in a given timeframe. You could also make code review a bottleneck, but I haven't seen that work well in practice compared to putting it at QA or as part of a release process (unless you combine them in a continuous delivery workflow).

I can see how that equation balances in favour of no code review when it's in the context of a startup that is probably still figuring out how to make money, especially with a subscription based app launcher. As far as prototyping and early stage iterations go, you're probably just seeing what works and reviewing the code isn't so important at that point. There would still be one or two things you'd ask someone to check, e.g. security related stuff.

I think you make a good point though: what makes an effective code review process? I don't think there's a single answer to that because it depends on the circumstances.

I would at least say that it goes better if it's treated as a priority and issues are raised and dealt with promptly, rather than leaving it as a chore you eventually get around to. And you would have to see value in it beyond it being a sanity check, as others in this thread have described (knowledge transfer, for example).

I'd argue that social proof often makes for a good argument. Perhaps not the best argument, but still a good one. "Best practices" still carry weight. Of course you can make an argument that the thing everyone does is wrong, and win. That's happened millions of times in this industry. But if the argument is nearly strictly between "this is what everyone does" vs "this is what I do", the former is going to win.
(comment deleted)
> For me, it's been hard to go back to my old, cavalier attitude after that.

I’ve heard from my workplace’s software team that this makes hiring from certain sectors particularly difficult because they don’t get this. Too used to move fast and break things and MVP.

It's the same in the financial sector, you can't just push code without a review.

However, the review process is far from perfect and can create a false sense of security.

To review a piece of code, that code should ideally be small in scope. For larger pieces it's rather common that the reviewer don't have enough time to do a good job.

If there were better incentives for doing a review, then it would greatly improve the situation.

But i haven't seen that yet.

I've had a lot of trouble getting people to do proper reviews. A minimum to me is that you actually compile and execute the code in some way to check its sane. Better would be the reviewer actually adds to the test suite for the code to prove their expectations of how it works.

In almost all cases it's very hard to get people to look outside the web browser for the diffs. Diffs show you something, but never the whole context.

The other problem I've found is stamping down on style arguments: they have no place in code reviews, and a lot of the time you get a round of "please change this variable to be named something else" - which might be valid, but raises the question of why the reviewer didn't do it, and more often leaves a weird authority gap - I have no power to just reject such a request because I think it's invalid, nor does the business have anyway to resolve the issue. In fact if there's a dispute at all, very rarely is there any process for bringing in a third party to mediate or break the stalemate (which is hilarious in some ways since everyone by now should realize 2-party systems can't achieve consensus).

Code reviews are very, very cargo-culty and I've not seen them ever include a thorough design: people give up on the very near edge cases, and so the whole system falls apart because it's just a hurdle to get through and not a collaborative or constructive process.

Why should it be on the reviewer to compile and execute the code, rather than the author?

Or are you saying that one can actually find more bugs when two people compile and execute the same code rather than just one?

When I review code, I want the author to tell me how they have verified that the code has the desired effect -- but if they do that, I'm going to trust that they did the actual verification and I'm not going to simply retrace their steps. That seems like a waste of time to me.

Not OP here. Code reviews, to me, are opportunities to

1) Catch edge use case / business requirements misunderstandings

2) Mentor new hires/junior engineers on the ways things should be done (e.g. internal culture about some architecture/design).

BUT, I absolutely despise code reviews that nitpick on non documented or 'because I prefer that way' stuff:

1) Task tickets that only have a vague description, have their own 'play detective' about the requirements, but a lot of new ones surface during code review.

2) Requirements are met, but there are internal/personal technical directives that are written nowhere, are not enforced with automated checks and may dramatically change a feature/patch is implemented (I can only think about that guy that worked in a company in which only LEFT JOIN sql statements were allowed).

Fuck that noise.

Compiling and running the code is handled by a build server and automated tests. That's not the point of code reviews.

The main purpose of code reviews is checking the general structure of the code and tests. Is the code well designed? Are error cases considered and tested? Another important purpose of code reviews is knowledge sharing.

This strikes me as weird excuse for code reviews.

To spot quality problems before going to production .. what you need is testing.

Not "unit testing" - which is just another pointless process that does not actually provide the purported benefits.

You need a separate QA team that handles testing - manual and automated.

If you don't catch major errors until the QA team has time to do a full comprehensive test of the product then those errors are probably sitting in the codebase for days or weeks, and additional changes are being piled on top of them which will make it harder to identify which commit was the problem. Do a code review and you'll catch a bunch of stuff before it even hits QA.
Major errors are easy to spot and will likely take QA minutes to find. They're also probably not going to do a full test of the entire system with every change unless you've got a very small product.

One thing I've seen that I like a lot is individual changes creating individual front ends. You test the one thing in that change, and it's done. This tends to cause a lot of problems with CORS, but then what doesn't?

Agreed with you though that good code reviews (whatever that means) obviates most of this.

The actual job is always fast. What takes time is for the job to sit in the queue outside the QA department. The figurative papers moving between desks is always what kills your efficiency, not people doing work slowly.
Correct. Any time you need a completely separate team to handle any aspect of the lifecycle of the product you're introducing delays and miscommunication. Besides, a separate team to do a part of the job scales badly: it needs to grow at least linearly with the number of developers, sometimes superlinearly.

You should absolutely have a small QA team, but their job shouldn't be doing the QA -- it should be helping others do their own QA.

Our tests have caught 10s of thousands of bugs. We couldn't move forward without them. Maybe they just fit our use case more than yours.

In our case we have a public API and several backends. The tests run against the public API. To know that a new backend is working it has to pass all the tests. Getting any new backend working correctly without the tests would be nearly impossible.

I don't see that as mutually exclusive. A QA team can be more effective if you're taking steps beforehand to limit the scope of their work, which means your engineers need to start getting more hands on with that kind of work (code reviews, automated testing, whatever...)

Your quality problems might well come from poor or non-existent architectural decisions and tech-debt, and QA won't pick up on that stuff unless it manifests as a faulty requirement.

The earlier you catch a problem, the easier it is to fix.

We (at least should) also do code reviews in order to make sure everyone understands the code.

On my team, the majority of code review comments are not discussing potential bugs, they're making sure everybody knows how the new thing works, why it was designed that way, implementation tradeoffs, etc. All that discussion is extremely valuable over the long run. For example, it means that nobody has to pay attention to email while they're on vacation in case something goes pear-shaped with a module they implemented.

That said, I 100% agree with the article's concluding paragraph about YMMV. Raycast is operating in an entirely different business domain from the one I'm in. It sounds like the reasons why Raycast likes their way of doing things don't really apply to us, and I don't think the reasons why we like our way of doing things don't really apply to Raycast.

> We (at least should) also do code reviews in order to make sure everyone understands the code.

This is the most common reason I see cited for code reviews, but I'm not entirely sure if I buy it, at least not for a lot of teams.

In most cases you are going to have one, maybe two other people looking at a given PR. The positive way of looking at this is that you've just doubled (in some cases tripled) the number of people who are familiar with the code. In reality though, this is still going to be a very small fraction of most engineering organizations. If you have a small team who wholly owns a small codebase then it could be meaningful, but a lot of the time you're still talking about a rounding error from zero people knowing the code- most people in the organization will still be touching the code in the future without any prior knowledge of it, and will have to start understanding it from zero.

Even if you are dealing with a small enough code base, in a small enough team, that the reviewer is adding a substantial margin of familiarity with the codebase to the team, reviewing the code is only going to give an extremely shallow level of understanding. The reviewer isn't going to have all of the context that the original developer had. They won't know all of the things that weren't done or why, the tradeoffs that were made, requirements, business context, etc. Best case scenario, someone wrote that down in a well-known place (comments in the code near the feature, something relevant in a docs directory, hopefully not as an archived jira issue that will never be looked at again). The reviewer probably has their own work to do anyway, and once they approve the PR they'll flush most of what they had out of their short-term memory anyway.

In a lot of ways, this is the same set of reasons that people aren't very likely to find bugs in a code review either. Someone without a lot of context on the problem isn't likely to find many business logic errors, or missed requirements. Since you were busy working on your feature, you probably don't know who else on what other teams might have been doing something relevant to your work, so you wouldn't know to get a review from people who might have something useful to contribute (and they wouldn't know to proactively review your code). One of the reason senior engineering roles often devolve into telling people to talk to one another is to try to address this kind of situation, but that only scales up to a small fraction of the overall code churn at organizations of any size.

For what it's worth, I ask for PRs, and I review my co-workers code. I make comment when I see something that might be useful, and I graciously accept feedback and try to make sensible decisions about when to make changes and when to let the feedback go. I actively search for PRs that might touch sections of the code I've been working in or am very familiar with to try to optimize the quality of the feedback I can give. I'm not really convinced any of this actually helps deliver better code in the moment, but maybe it does some good as a way to help teach my co-workers about things (or to learn about things they can teach me), and anyway it's such an ingrained part of engineering culture that it doesn't seem worth the political capital you'd have to spend to try to change it, and even if you succeeded it would be a prime target for scapegoating if anything went wrong later. It does slow down the development process I think, but people need down time anyway. If waiting on a code review gets people an hour or two of downtime to check their email or read HN between tasks then maybe it's actually worth it for that. The burnout caused by superfluous process and the occasionally large pile-ons and people demanding poorly thought out changes, gatekeeping your ability to deliver business critical work is essentially a cost of doing business that we seem to have collectively accepted in software.

I should also n...

> do code reviews in order to make sure everyone understands the code.

I like a hybrid "the person who wrote it can't deploy it" model. You get an informal code review and two sets of eyes/brains to the extent that the deploying engineer feels like they understand it enough to shepherd it into prod weighted against how important the component and the scope of the change is.

It self scales from "copy change on the website yolo" to "this involves two new racks of servers and a database migration, I'm going to need to spend a week understanding it to the point I can make a plan."

Ooh, I really like this. Do you have practical experience with this or do you like it in principle?
Yeah, IMO this is like a publisher saying "we don't have editors: we trust our authors". The intended ethos of editors and code review is that mistakes and imperfections are the norm, and you need a second pair of eyes to iron them out.

That said, I do sometimes encounter individuals or cultures that seem to view code review more as a mechanism for catching abnormal/unexpected mistakes than as a normal part of the process of writing code.

Something that I've discovered is that as the volume of text that I write goes up, the errors increase. More experience hasn't resulted in fewer typos. On the contrary, I make far more small mistakes now than I used to.

It's precisely because I've learned to read and write so fast that I "skip over" the simple parts of sentences, making me oddly blind to certain categories of spelling errors!

Especially when I've gone over the same text over and over, I'll have memorised it to the point that I can skip entire sentences.

This is why you need someone else to step in and read the text for the "first time" and not skip anything.

The same applies to programmers and code review.

Books are published once, not through iterations.

The equivalent in book writing would be that you are not allowed to write more than one page at a time, and someone must approve it before you start working on the next page.

Another difference between books and code is that books are read and interpreted by humans (who are very tolerant of grammar bad, in the grand scheme of things) and code is read and interpreted by computers (who will swallow any ambiguity whole and just steam on with their interpretation.)

If books were read by machines rather than humans, and were published incrementally, then it would make sense to ask someone to edit each iteration.

(comment deleted)
> Books are published once, not through iterations.

Incorrect. Bugs (“errata”) are regularly fixed in bugfix versions (“printings”) of books, whereas feature changes are regularly fixed in more major versions (“editions”). And that’s after the equivalent of a “1.0” release.

Books are also regularly iteratively released either to a closed group of reviewers or even the public (e.g., Manning MEAPs, PragProg Beta Books, etc.) prior to the equivalent of a “1.0” release.

> Bugs (“errata”) are regularly fixed in bugfix versions (“printings”) of books,

But those fixes don't fix the already printed books.

> But those fixes don't fix the already printed books.

For actual physical books (as opposed to ebooks, where making the complete new version available to purchasers for errata, but usually not new editions, is common), this is usually true for logistical reasons, though issuing errata sheets (usually online now, though the practice is older but notification and distribution was harder in the past) to keep existing users up-to-date is not uncommon.

> this is like a publisher saying "we don't have editors: we trust our authors"

No it's not.

If an author produces gibberish and nobody checks, the published result is gibberish. And with print books uneditable in a run starting in the thousands.

If a programmer produces gibberish, it won't compile.

It also won't pass the unit test or acceptance tests, never mind QA or the alpha/beta testers.

My experience tells me there's no shortage of compilable gibberish.
My experience tells me there's no shortage of published gibberish. ¯\_(ツ)_/¯
True that compilers, tests, and QAing are nice protections that we get with code but not books (well sorta... books can still be alpha/beta-tested in the sense of having some people read them and share their thoughts). So yeah, not literally identical.

But I think it's still the right analogy. You code review to make sure the code is comprehensible to other humans. You code review to make sure the tests (which are great automated protections) are protecting against the right things. And (most relevant to the analogy) getting those things wrong are not abnormalities that mean you're a bad programmer and we don't trust you, they're things that competent devs can get wrong all the time.

That final, 1 word sentence is one of the major problems of PRs. An engineer might spend several hours really thinking through a problem, talking with colleagues, whiteboarding options and coming up with a workable solution that addresses all the obvious issues and a bunch of non-obvious ones.

Only for a drive-by take-down by someone with none of the context. It's a totally asymmetric investment of time. Even helpful review comments might only take a minute to write but a day to incorporate.

> Only for a drive-by take-down by someone with none of the context.

Then write it down. If the code reviewer can't follow what's going on, what hope is there for the new hire looking at it six months from now?

Because looking through 6 month old prs are what new hires are doing to learn the codebase?
That is one of the things I do to learn new codebases.
Sure. If they are good and have a decent grasp of using version control then will look at the history of a certain piece of code if they don't understand why it is the way it is. I do it often, even when I'm no longer a new hire.
Not necessarily looking through PRs, but presumably they need to work with actual code in your code base that was merged at some point, unless your product is growing so fast that new people just write new code all the time? (Same applies for not-new coworkers that now need to touch that code area anyways)
Running through `git blame` and looking at the commit message, the PR, and the PR comments is a very practical way to learn about a codebase! Beyond some high level code organization stuff that exists in a readme, learning a codebase is really about getting a history lesson of how the product evolved, the company pivoted, and the team re-org'd.

It'll be 6-months if you're lucky. Try figuring out why there's a particular "if" clause, one or two or four years later. Software maintenance, especially when the original author has moved onto another team/organization/company/career, is a frustrating art of almost remembered stories and hoping that you can figure out Chesterton's fence, lest it become Chesterton's barbed wire. The worst is when you fix a small bug with code and introduce an even bigger big in the process.

> drive-by take-down by someone with none of the context.

If this is an issue in your workday, you should bring it up with management or the individual rejecter. If someone has the authority to kill PRs, they should also be required to put in the effort to understand it and/or be available for discussion at an earlier stage of the development process. PRs shouldn't ever be rejected without mutual agreement - neither internally in an organization, or in an open source project.

Is this a common practice? I've never worked under a code review process where the accept / reject decision was being made by "drive-by" reviews from "someone with none of the context". It has always been team members with a lot of context reviewing each others' code.
I've never even worked with a code review process where outright rejecting PRs is a normal part of the process for anything other than external contributions. The normal process is more of that if you think a PR is a bad idea it's up to you to persuade the author of that. You'll certainly sometimes have the author withdraw the PR without being truly convinced, but something like "I don't like this. Rejected." would just be disregarded if you can get other people to approve it.
I think the issue is not that people make drive-by issues, the problem is that people argue about things endlessly which does not bring any value neither to the customers nor the company, that is only for the vanity of the reviewer, and many reviewer get offended when someone does not take blindly their "wisdom" and for retaliation they block code commits endlessly which is enforced by automated tools like Gitlab.
> Only for a drive-by take-down by someone with none of the context

If that's a regular issue that's a culture problem. Starting with "if you've been talking with colleagues about your problem, why is someone with no context reviewing the result?", people not investing time in reviews, people doing "take-downs" instead of asking questions if they don't understand things, hold up merge for non-urgent concerns ...

> Even helpful review comments might only take a minute to write but a day to incorporate.

Either the feedback is worth the investment of the day of time, then no problem, otherwise it's not that important and doesn't need to be done (or depending on what it is can be done later or ...)

> If that's a regular issue that's a culture problem.

Couldn’t one also argue that if code reviews are routinely catching problems mentioned earlier in the thread (misinterpreted requirements, conflicts with other WIP, etc.) then that’s a cultural problem? It just seems odd to assume that the person assigned the task couldn’t possibly be expected to routinely avoid those problems, but that adding rigorous code review could routinely avoid them.

Yup, definitely. Code review discovers both issues stemming from cultural problems and silly bugs and understandability issues. Peer review in general is a very powerful tool for things that should be designed to satisfy customer needs.
> otherwise it's not that important and doesn't need to be done

Except that this decision is often not up to the code author, because the tooling rejects for example committing changes until all discussions are resolved (see Gitlab for example) and some @holes make their quest for any reason not to resolve the discussions that they started until the code author writes the exact code with the exact words in the exact indentation with the exact architecture, etc that those @holes like, which makes the whole code review like a torture and the REAL productivity killer. Not to mention that this does not provide any improvement to the code base either in most cases.

Fair, and I've seen this, but usually it's because the reviewers are treating "I would personally prefer to do this another way" as blocking feedback, when it isn't.

Good reviews can take a light touch, in part by differentiating non-blocking ideas and suggestions from "hey I think this is a bug."

Some of my favorite reviews of all time actually don't change a single line of code, but the questions reviews ask zero in on what's going to confuse the next developer so it can be documented appropriately.

Take this with a grain of salt, but a good code review should be an exploratory process. Most of the non-trivial comments should be questions[0], and the reviewer should be operating under the assumption they'll have to jump on a call or even fix it themselves.

[0] Not just because the reviewer is trying to be nice, but because they don't know what constraints and problems the author discovered in the process of writing the PR. If the reviewer writes "use a map here, instead of scanning an array" without knowing how many items are handled, then they may be making the PR worse by replacing a cheap linear scan over a maximum of 50 items with a bunch of costly yet constant time hashing. Often the solution is an explanatory comment rather than the "obvious" fix.

> Only for a drive-by take-down

Code reviews aren't a "take-down", they're a process of helping each other produce better solutions and better code.

> Even helpful review comments might only take a minute to write but a day to incorporate.

Then like all pieces of work, a decision must be taken whether that day is worth it, no?

That's what YOU think. But in practice they produce sub-par solutions and worse quality in my experience. Code reviews are basically a virtual piss-contest where people argue endlessly, everyone trying to show-off their intellectual superiority. And reviewers (not code authors) often can't handle rejection for some reason.
It sounds like you've worked in some massively toxic teams. That's all I can say.
Usually I answer unspecific 1-sentence criticisms with a question what alternative solution the reviewer would suggest. Sometimes they look into it more deeply and really come up with a better solution. If they don't, at least the discussion is over.
It's worse than that. I don't trust me. You shouldn't either. I need the review.
I think it is trust in the trust and verify sense. Meaning, we trust each other to do our best but let us verify that we are all on the same page and aren't breaking things or doing something harmful.
What is the "trust and verify sense"? I've been told this by managers before but I've honestly never understood it. "Trust" to me means "be willing to take action without further examination of the facts at hand". If I trust your code I wouldn't review it. But I don't trust your code, and I don't trust you to have taken all of the appropriate considerations when you were writing it. What's the difference between "trust but verify" and "don't trust, verify"?

Is the phrase "trust but verify" an attempt to avoid damaging self-esteem? There seems to be some emotional/ego-based attachment to the concept of trust.

I think it's differentiating total lack of trust ("all your PRs suck while mine are perfect, so I have to read yours") from universal fallibility ("your PRs are great, but all code has bugs, so we all review each other's code to catch some of them").
Its a Reagan quote but in this context it means that you trust their intentions, effort etc, but its still worth checking.
The best code I have seen was on projects without code review. And projects with it were more mess - they were surface consistent but overall hard to comprehend.

The deciding factor was ownership and accountability tho - you maintained own code and if you done it crappily, you knew.

The code review is related to assumption that everyone can change everything - meaning all in all inconsistent mess. It is also related to unfortunate assumption that code review is how people learn system. They don't, unless they are original author. The rest of then knows pieces of it only.

I agree that code review is not a great medium to disseminate information about the codebase, but assigning individual ownership and accountability doesn't make the need to share information go away.

Ownership and accountability are workable as long as the same person sticks around long enough to fix all their mistakes. If that person leaves, the code becomes orphaned and it's up to one of their teammates to find out where the skeletons are buried.

No it does not. But it also leads to one-two clear person you know to ask. It also leads to same person explaining same thing multiple times. So as long as he cares just a little, the explanation will improve.

And the person doing explanation actually understand the whole part. That is big one too - you are not explained bits of it by someone who knows only small parts of it. And the system was not changed by third party without the person who explains having at least vague idea it was changed.

> Ownership and accountability are workable as long as the same person sticks around long enough to fix all their mistakes. If that person leaves, the code becomes orphaned and it's up to one of their teammates to find out where the skeletons are buried.

That is actually exactly the same without clear areas. Except everyone is new all the time.

If you have high turnover, this aspect will be bad matter what.

And it is not that bad with responsibility either. Old person does explains things to new person. Taking over, when you are working consistently in same area is not that hard, actually. Some parts you conclude to be mess, but usually not whole of it.

---------

And imo, quality and knowledge heavily depends on other parts of team. Analysis and testing. Both, if work reasonably well are massive resource for knowing how the hell the system is supposed to work.

And once you have reliable source for requirements, that is not developers, then deciphering the code is much easier.

In my mind at least, the issue with relying on on ownership, especially in a smaller team with limited resources, is that the owner isn't just the person who authoritatively understands that subsystem. The owner ends up being assigned _all_ of the work on that subsystem because it's "their responsibility".

As a result, any work that's assigned to someone else will only interact with at the interfaces / boundaries. And of course, that's sort of the intention with modularity / loose coupling - it's not necessary to learn the gory details of the XYZ subsystem's implementation, only its API. Knowing the details is certainly valuable, but there's no baseline impetus to get the owner to explain the details.

Taking over from someone who's ceding responsibility, but staying at the company, I agree that's manageable. But sometimes people get laid off suddenly (or perhaps get hit by a bus, etc) and there's no chance to get the one person who has it all in their head to explain it to you.

You mentioned high turnover, but if anything, a place with high turnover has less information locked up in a single person's head. If Alice who's worked at the company for 25 years and has always owned the code leaves, you're going to have a much harder time getting all of the tribal knowledge out of her head on two weeks notice compared to Bob who only made it 6 months.

To me, the value of code review is that even at its worst, someone other than the author is forced to look at the code. No process can force a reviewer to take an active interest in a particular subsystem, but at least we can make them look at pieces of it and see if it gets them curious enough to ask further questions of the author and better understand the system.

For myself, knowing that someone else will have to understand my code, even through the limited lens of a code review, makes me more diligent about making sure that the code is clean and the pull request has enough context that someone playing code archeologist will be able to make sense of it, even if I'm not walking them through it in real time. I will admit that this is not a universal thing - I've worked with coworkers where no matter what process is in place, they won't do the basic courtesy of reading their own changelists to see that they accidentally committed random junk files from their local machine.

I agree that good documentation around requirements is valuable. I find pull requests / code reviews are a great opportunity to highlight how the code relates to specific requirements, since the focus is narrower.

This is the exact opposite of my experience.
The more problems you have the more policies you add to prevent future problems. I really doubt that a low quality codebase would become higher quality with the addition of code reviews and vice versa.
I prefer a top down where project leads are responsible for code, I.e. they review all code and they are simultaneously responsible for getting things done. It forces balance. I will let juniors make a mess in certain areas and not others. Sometimes you even let bugs in if you know a specific test will fail so people are more careful and don't depend on reviews too much. If you are a bad lead and nitpick every little thing, then you get to explain why your project isn't ready. Honestly getting devs to git add -p and look over their own pr catches much of it.
I require PRs with code review on projects I am an admin on because I don’t trust myself. I sure as hell don’t trust other people!
A formal review step where you accept or reject the code, yes, is always there because of lack of trust.

Informal reviews can have a lot of different shapes, and provide a lot of different benefits. But anything that is a stop-the-process activity is there because you expect quality problems from the earlier steps.

(That said, no good developer trusts oneself. So if you don't have anything on your process that makes you trustworthy, lack of trust is the correct approach.)

I trust you with my life but do I also trust you with my money and my wife?
Yes, catching mistakes (which everyone makes) and bidirectional communication are the points of code reviews, it's not a lack of trust.
Absolutely. I take issue with all 3 of his main points. You covered the first point well, so, I'll take the last 2.

> Pull requests don't prevent bugs. Reviewing code is hard! You can catch obvious mistakes, but you won't have consistent in-depth scrutiny. Many issues reveal themselves only after extensive use, which doesn't happen during code reviews. We rely on fast iterations with user feedback.

So many things I can say about this. "Fast iterations with user feedback" are great, until you introduce a security bug that you find out about because someone exploits it. Catching "obvious" mistakes alone has significant value. Since he acknowledges that code reviews catch some bugs, this criticism seems to be that they don't catch all bugs. To that, I say: show me a practice which does catch all bugs, and I'll show you why it doesn't. Even the most rigorous development process doesn't prevent all bugs. [0] This just doesn't sound like a fair criticism to me.

> Pull requests slow down. Code reviews aren't high priority for engineers. They have to make time to clean up their review queue. In reality, PRs are an afterthought and not what you want to spend your time on as an engineer.

This is largely a culture problem. Code review should be a high priority for engineers. Maybe it's not the highest priority, but, it's fair to expect one could get a decent review on a PR that isn't too large in, say, 1-2 days or less. If you have PRs sitting in review for weeks at a time on a regular basis[1], one of two things is happening: either engineers aren't properly prioritizing code review, or your PRs are too large and/or have too many dependencies.

Which brings me to the second thing you can do, which is make PRs that are as small and simple as possible, but no more. Minimize dependencies to help make your PRs understandable. And, it should be fairly obvious, but the fewer lines of code (including config changes) you have in your PR, the easier it will be to review, so, the faster it will get done.

Code review is also a great opportunity to learn and teach. Every senior+ engineer should be reviewing code frequently, IMO.

Finally, yes, code reviews will slow you down if your basis for comparison is just "engineers merge code when they think it's ready." That's intentional, and good. The cost is more than paid for by better code quality, leading to fewer instances of "here's a PR to fix the issues with my previous PR."

---

[0]: https://news.ycombinator.com/item?id=29801451

[1]: I've only had this happen once or twice in my career so far. In each case, it was because the code surrounding the code I was working on was not stable and kept changing. These were clearly exceptional instances.

I tend to scan most reviews for the team even if the code review itself is not directed to me (we use a round-robin/domain expert routing method). It helps me understand what my teammates are working on and give me a better understanding of our system. I can't imagine anyone interpreting that as a lack of trust. Is looking at our source code inherently distrustful?
If it wasn't about trust you could just read the commit history. Its certainly about trust.
Agreed, so many times reviewers have saved me from myself as well as passed on solutions I didn't know, pointed out functions in our giant codebase I wasn't aware of, taught me new language concepts I wasn't familiar/comfortable with (ie, C++11->14->17->20) and generally helped limit our technical debt.

I'm a fan of code review

For me, code review is collaboration. We're helping each other.

The one thing I'd suggest is, as much as possible, try to phrase reviews like a question: "Do you mean to do X here?", "Would using fooTheFob here work?", "Is this a race condition?". At least it feels better to me.

> Is that why we do code reviews, because we don't trust each other?

I don't see any other reason to require code reviews before a change can be merged.

> humans make mistakes

Then write unit tests, religiously. And pair. Or "... request reviews when they think it's necessary".

In my experience code reviews are not very good at catching mistakes.

> Different work in progress can be in conflict with each other.

Code reviews are the cause of too much work in progress, not the solution. Not the only cause.

> Reviews are a good way to learn from each other

In my experience, they are pretty bad at this. Pairing is vastly superior, or giving talks.

> reason to communicate with devs I might not otherwise communicate with

Then communicate with them. And if you want a review "... request reviews when they think it's necessary".

> Rejected

Exactly. That's not a useful form of interacting with your peers.

> I don't see any other reason to require code reviews before a change can be merged.

In the US, a SOC 2 audit of your org’s change management process is going to be a really bad time without this.

Do I really have to add "...unless required by law/contract"?
Well, doing this _before_ undergoing these certifications would still be a good reason that was omitted from the very absolute claim that was made.
I have an open source project in which I work alone.

I never work directly on master, always on a branch, and when I'm done I create a PR for myself.

Can't remember a single PR that I reviewed where I didn't find some issue or bug.

I guess you can say I don't trust myself...

I completely agree. This article is bad advice, please do not follow it.
I’m curious how they avoid pushing changes that break the build. Maybe they have some other reason that this doesn’t happen or is hard but having a large number of people trying to collaborate on a constantly broken repo is not a recipe for productivity.

I also wonder if there are typically 0 reviews or typically 1 — that is, are people even reading their own changes before they push them.

> I’m curious how they avoid pushing changes that break the build.

By not pushing changes that break the build. In other words: that does not work if you can't test (actually test, not just try to build) your code before pushing it to main.

Is there anyone on the planet, that always run all tests locally even for last second minor change that definitely will not break a build?

Especially funny for distributed around globe teams. When You spent half a day fixing a build issue from the "night" workers. Have eat a lot of this.

> Pull requests don't prevent bugs.

Is this some anti-vax satire?

Of course pull requests (code reviews) reduce bugs. And of course some slip through. It doesn't need to be 100% to be useful.

I haven't seen any research that supports either. I wouldn't be surprised to learn that code review does nothing other than share knowledge, or to learn that it reduces bugs by 50%. I just honestly have no idea, I do code reviews, because we do code reviews.

In fact I have seen alarmingly little research about code management. Code review, standup, agile, etc. does any of it do anything useful? I only came across anecdotal evidence which can be dismissed.

I think pull requests are synonymous with code-reviews here.

I think it is unquestionable that code-reviews catch bugs. Its value as a use of time is another question.

> I think it is unquestionable that code-reviews catch bugs.

Yes, it does catch some, but does it catch more than no code review? There is no point in catching bugs if it also creates bugs to catch.

Sorry, are you saying that it's possible that code reviews cause more bugs than they solve?

That's absurd...

Why would it be absurd? If there is a process to reduce risks, then people take more risks. I have been guilty of submitting code review when I'm not 100% sure it's perfect, just because I know that there is a code review process. So this definitely exists, not sure how common it is though.
Also, the trick to code reviews is to leave in a few low-hanging obvious bike sheds. The reviewers will tell you what color to paint them. Done.

I'm being slightly sarcastic. But not sarcastic to the point that I haven't done just that. Just as the nail that sticks out gets hammered, the code that is too perfect gets increased scrutiny.

It depends on the team’s culture. Where I work most of the code reviews have 0 comments
Perhaps unlikely. Or really surprising. But not absurd.

Imagine some reviewer who rejects all code reviews that don't have some recognizable pattern in them from the gang of four book. Fully complete and working code gets hacked up last minute to accommodate this person who has more seniority than sense.

Or ... maybe someone who always want there to be a single return in every function. Or heck, someone who demands that you always do early return. Either way they demand that some carefully crafted code is swapped over to the equivalent dual. And during that transformation a mistake is make that nobody notices.

I think the point is that the science way to indicate that code reviews work is to actually do the experiment. Instead of just saying, "why that's absurd that a code review could cause more defects."

I mean isn't that how hand washing got introduced into medicine? "Hey everyone, let's try washing our hands!" "Why, the hands of a gentleman are always clean. It's absurd to suggest that we should wash our hands."

I've seen it happen.

I was on a team of competent people working on a dense code base before and after introduction of gatekeeping code reviews. The code base was large so no two people would be working in the same area. Before code reviews:

- Team members working on a section of code would find and fix bugs in it.

- Team members would watch the repository history to monitor for any mistakes.

When gatekeeping reviews were introduced, they were not particularly effective at finding bugs because bugs tended to be subtle and required time working on the particular code in question to identify. But the introduction of gatekeeping code review caused bugs because:

- Once reviewed, code was assumed to be good enough because hey, two people agreed on it.

- Any bugs identified would require code reviews to fix which would be an uphill battle and probably involve project management.

- Nobody's looking that closely at history because who wants to deal with finding problems and pushing through fixes? And hey, it's already reviewed.

- Knowledge of code that is being reviewed becomes stale as you start working on other features. This impacts pre-commit testing as you make changes to mollify the reviewer, and thus lead to a bug.

- Lowering velocity lowers the rate of fixing bugs.

- A bug could be fixed but stuck in review, so it's still in the codebase for other developers to run across. You could argue: well, it's documented in JIRA! But bugs can manifest in different ways and affect multiple system.

If it catches ANY bugs it is objectively better than no PR/code-review from a bug standpoint. Unless you're arguing that pr/code-review creates more bugs than it solves?

Again, I think the question is value. Is a dev's time best used in code-review vs. something else? It's almost certainly the case that time is better spent elsewhere depending on the develop and needs or the organization.

I think the question is the same one as "do bike helmets reduce bike injuries?" I.e. without code reviews, is everyone more careful? I can't think of any proper academic research that answers the question.

In my anecdotal experience, there is at least one class of bugs that code reviews are good at catching that a large expenditure of self-review effort often doesn't catch: security bugs.

> If it catches ANY bugs it is objectively better than no PR/code-review from a bug standpoint.

No, that's false. That's only true if you also assume that people write the same quality code whether there is a code review process or not. Which might or might not be true, no idea.

if anything I would think that person would write same code but without PR would lost the opportunity of having better quality. People are blind to own mistakes. I can't count how many times I would stare at a code not seeing something and other person would spot problem almost immediately.
I don't have a measure of how many bugs it prevents. But I've caught a few in code reviews and people caught a few of mine too. So, it does prevent some.
Yeah -- I LOLed at this one because I've caught at least hundreds, maybe thousands of bugs during review on pull requests.

It's weird and silly to expect prevention with tool that is not designed to prevent. Peer review (and the PR model) exists as quality control tool for many different aspects of someone else's work.

Yeah, in the past month, I've caught out 2 bugs in a code review. One was a performance degradation due to a function being passed down into a react `useMemo` hook dependency array. The other was that the code was fixing a symptom, but not the cure.

I guess it depends on the quality of the reviewers.

In my experience, code reviews promote trust. They make changes a collaboration and a conversation, where reviewers and implementor(s) bring different intuitions and concerns, and help expand understanding of risks and goals. Sure, a lot of that can happen before any code is written, but it’s inherently more abstract.

Code reviews aren’t just about code, and probably shouldn’t be framed that way.

This is a great way to end up in a situation where you have to re-write entire modules whenever you need to update old code... which is kinda where our teams tend to end up anyway so I guess it's not _that_ awful?
This can not be posted too many times.

https://www.youtube.com/watch?v=4XpnKHJAok8

Linus Torvalds talk on Google about how GIT is more a way of working then a piece of software. Everybody commits upwards in a tree of trust. If you do it this way you get automatic code reviews and in any team someone should be responsible for the "product" anyway and highest up in the hierarchy.

It's a great example of how Linus has a massive blind spot for the failings of the git model. He's "sorry" they use Perforce. Git is "better than everything else out there" but he doesn't mention Perforce. And yet, the Perforce model is the one that got Google to be one of the fastest-moving organizations on the planet, with the biggest code base.
(comment deleted)
> the Perforce model

I've used both Git and SVN enough to understand how a VCS might change how an organization creates code, but I've never used Perforce. What is "the Perforce model"?

In Perforce the concepts are different. You have a client, with a view that includes a subset of the repo, and you have changelists which incorporates your related edits. When done with a changelist, you submit it to trunk, usually, because while you can branch a Perforce repo, you mostly don't need to.

Basically all the stuff in the first half of the talk where he whines about stepping on toes, conflicting with other people, politics, special write access groups, are all non-issues that do not sound familiar to Perforce users. If two people are using Perforce they can both work on changes to the same files taken from the main branch (trunk) and submit them separately without conflict or even awareness of the other person. As a bonus this is all dramatically faster in Perforce than in git for large repos.

In this talk Linus demonstrates that he believes git is a state-of-the-art SCM system, without being familiar with the actual state of the art.

Let's say we collaborate on the code below. I'll change line 1, you'll change line 5, we'll merge both changes and then we'll see how Perforce makes the code run successfully "without conflict or even awareness of other person".

    1  x := 0
    2  x++
    3  x++
    4  x++
    5  if x > 7 {
    6    fail_horribly_at_runtime()
    7  }
Explain how you think git is different in this regard.
You're the one that claimed Perforce was better than git and could do this "without conflict or even awareness of the other person", so why don't you explain how git is worse? (I've never used Perforce and am genuinely curious what clever kinds of things it can do around merges, but more detail than "it's state-of-the-art and git is not" would be useful)
No, it is Linus who makes a bunch of claims about how Perforce is worse, in the video.

If two people edit the same line of code based on the same original version, that's a conflict and there's nothing any SCM can do about it. Human must merge. But there's no reason that several developers can't work on different functions or other disjoint areas of the same file, unlike what Linus is claiming in the video.

The video is essentially a long straw-man argument where Linus takes shitty part of CVS and SVN, which were terrible, and applies them to Perforce, which it's clear he has never used.

To answer your question, neither Git nor Perforce will cause a merge conflict. You’d need a SCM that isn’t line-based for that.

With large teams, you need code review (which this bug can elide), great test coverage (the tests will likely have a merge conflict) and very importantly, a commit-by-commit build health indicator after merging. You can also do this in batches and bisect to find poisonous commits should a batch be broken - flakes notwithstanding.

> In this talk Linus demonstrates that he believes git is a state-of-the-art SCM system, without being familiar with the actual state of the art.

I don't think that's very fair Perforce is mostly just a shitty subset of git's features that some people pretend is sufficient. You can use git almost the same as Perforce and have almost as bad of an experience as using Perforce directly.

1. Let's separate the idea of code review from the GitHub Pull Request feature. They are often coupled, but they don't need to be. You could easily have a policy and a workflow that requires reviews, but doesn't care whether they happen before or after a merge. I'm pretty sure this is how things work at Etsy, and I know there to be a diversity of code review practices more broadly in high-performing engineering organizations.

2. Of course code reviews don't catch all bugs. This is the same argument that is frequently used to reject static type systems and memory safety. The purpose of code review is to ensure that more bugs are caught, the kinds of bugs that can be caught through code review. It also helps ensure that a high level of code quality is maintained, and that at least two people understand how a change works, which is good for team cohesion and resilience.

He basically described the classic subversion workflow using git. I feel like people rediscover subpar approaches using technologies which intended to evolve those approaches into a better workflow
I've heard it referred to as "trunk-based development". I think it's not so much subpar as contextual. If there's a team of 2 developers pushing as hard as possible to get something out, I completely agree with OP that code reviews are a waste of time (unless requested). If there's a team of 100 developers, I can't imagine the insanity of pushing directly to the shared branch without review.

Somewhere between those the context is such that the benefits of code reviews outweighs the costs. Do you think otherwise?

Absolutely not. This is a recipe for disaster and a terrible example to set for any upcoming engineers that haven’t had much industry experience yet.

Code reviews help me be more confident in my own work. Even if 90% of the time it’s fine, there’s always that 10% where a second pair of eyes catches a mistake or offers a suggestion that makes the code even better.

> offers a suggestion that makes the code even better

plus, software engineering is a team sport, so if something works but is opaque, that's a fine thing to point out in a review, otherwise one runs the risk of being The "Foo Component" Owner™ and that's usually no fun and is for sure not healthy for any reasonably sized org

I am also a monster fan of the "Apply Suggestion" button in GitLab, which allows me to meet the reviewer half-way by even doing the legwork for the suggested change. If they agree, push button and we're back on track. It's suboptimal for any process that requires/encourages signed commits, but damn handy otherwise

Meh. If 90% of the time it's a mindless ritual there is probably a better way to achieve the same goal. Code reviews are a huge time sink, especially for unimportant style- and naming nits.

Code review as mentoring can be great, if it's a directed 1:1 effort. Usually, it is not.

Hours long discussion about whether to call it "thing" or "thingId". True story.
As well as a time sink, code review can be detrimental if it's used as a KPI gaming mechanism or for passive aggressive one-upmanship.
>Code reviews are a huge time sink, especially for unimportant style- and naming nits.

This isn't a problem with code reviews, this is a problem with your team's processes that code review has highlighted. These problems will show up in others ways if not during code reviews since clearly there's strong disagreement on coding styles and conventions. So go and fix or implement the style guides, linters and so on.

This is like saying that the way to fix fevers is to get rid of thermometers.

> So go and fix or implement the style guides

How do you make this converge across dev without endless debate or resentment ?

> linters and so on.

What happens when a rule has to change ? update the entire codebase impacting everyone with conflicts ? tolerate divergence existing code ?

Talking about thermometers, are you actually tracking fevers, or merely minor bad breath ?

I think there's a lot of grey area for what "style" is, but e.g. formatting and what not is pretty easy and not-contentious in my experience. Most people want consistency more than they want their way.

How I did it as part of a ~35 person dev team was adopt one of the popular ones from the community (e.g. Google's) - treat it as a benevolent dictator. Apply it to the entire code base in one giant shot (disrupting any pull requests that were in flight but fixing them proactively), then enforce it with tooling. Leave the door open to anyone who disagrees with the defaults. It's on them to propose the change with rationale then put it to a quick majority vote with a subset of the team. I think 2 things have actually changed since the very beginning (line length from 80 -> 120 and something else that I don't remember right now).

When something changes, making a sweeping change is part of accepting it - if it's too risky/disruptive then it has to be very valuable to do.

There's a large number of things in any decently complicated system that a "style guide" can't cover and that there are dozens of potential ways to solve.
> since clearly there's strong disagreement on coding styles and conventions

The same people who are perfectly happy to do a back and forth, adding 3 days of code review time, would never go in and refractor existing code to "fix" stylistic issues. It's a cognitive bias that we think everything is up for philosophical debate in reviews.

Btw, I'm one of those people who drove stylistic debates in an organized fashion. I learnt that you simply can't police everything, even if it we pretend that it's a good idea to do so. It's much better to share ideas and have them spread through voluntary mechanisms, such as dedicated tech talks, mentoring, postmortems and other deliberate knowledge sharing.

That said, automated enforcement of pure formatting can work well if there's standard tooling, e.g. gofmt and rustfmt. But contrary to reviews, that's a way to suppress debate during day to day business.

Btw, my experiences are from a mega corp, not claiming it's true for every org.

> there’s always that 10% where a second pair of eyes catches a mistake or offers a suggestion that makes the code even better.

Testing is pretty awesome process to find bugs.

QA departments are expensive. Execs in their infinite wisdom opted to dump that task on developers who earn 3x as much as QA people. Synergies!
> who earn 3x as much as QA people

And never learned how to properly test software... Or earn 10x as much and consider it not a priority.

As a dev, I'd much rather do my own testing then have to explain extremely basic shit to the average SDET I've worked with. No, Chuck, the 404 for the favicon on page A did not cause the padding to be off on page B.
You've had some bad experiences with QA people. The people I've worked with are methodical and work like the terminator to find bugs. One guy was so good he could even write queries against QA to show me where the data was inserting / updating improperly. A good QA person is worth their weight in gold.

In my experience, it's hard to have a dev as a good tester. I'm ok at it but not as good as a pro QA person. Good devs look for shortcuts and efficiencies, which is the opposite mentality for good testing.

Code reviews make sure the other party at least thinks a bit about the code they write. "Someone is going to look at this, let's at least tidy it up or not be cobbled together underperforming spaghetti". Sure, you can trust your co-workers but do you trust them enough that they have that thought every day of the year?
Agreed. It's amazing how code magically gets better when you know someone else will be reading it.
Good luck getting any sort of security certification without reviews. This works fine for small companies, but once you start getting customers at a certain scale it will be a dealbreaker. Run without reviews as long as you can, it feels great!
This is an interesting read and I'm glad to see that the closing paragraphs emphasize the need for each team to evaluate their own needs. That said, for me it all comes down to the definition of "best product" in this statement:

"They all want to build the best product in the shortest time possible"

From my perspective, the "product" is not limited to what customers see or the code itself. It's the set of outcomes from the code being written and executed. For example... Do other engineers understand the code? Can they support it efficiently? Does it fail gracefully? What is the impact of failures? Are failures automatically detected? Does it lead to security breaches? Did the code author learn things they could do better that they didn't know to ask about? Did other engineers learn from reading the code or asking questions? Are customer requirements satisfied? How much is customers' trust impacted by failures, bugs, and feature that don't meet requirements? How big is your cloud provider bill? Etc...

If the priority is quickly delivering and iterating on features that satisfy customers' needs AND engineers will be supporting their own code, then the "No Code Review by Default" approach has its merits. In fact, I have personally found this approach to work well on constrained, isolated pilot projects where the priority is to unblock key scenarios for a limited set of customers and/or learn about customer needs before building a the "real" solution.

For anything else, I would suggest following the author's own advice: "ask yourself if the circumstances of others apply to you".

Sounds nice but perhaps a best fit if you are 1) a small team 2) people know and trust each other already 3) people are all and equally comfortable asking for reviews (disturbing others, essentially). 4) the code has a priority on feature progress rather than stability and correctness.

The situation can be very different in any of those aspects and mandatory review can still be a good idea. Are you building code that runs on surgery equipment together with 4 people you just met? I think you should probably have a formal review process. Or are you iterating towards an MVP for some webapp with a few people you consider friends? Lgtm just deploy to prod.

Early in my career I was like "cool, I can just merge this to master". Now after working in several projects and in several small and large teams, I am like "Gez, I can't merge this straight to master. I need a second pair of eyes on this"
Most small tech companies probably operate in this manner. We do, too. The practice is that devs do want a second pair of eyes on the code since they want other people to detect flaws in their assumptions or choices before there is pain.

If I'm doing something trivial, I might just push to `master`. For instance, I don't run tests on a `README.md` change.

Interesting to encode it explicitly, though. Strong culture choice, for sure. And probably well suited to their product since they are probably all dogfooding `master` and pushing only periodic tags off it.

When my code has been code reviewed I've had bugs found, improvements made, and edge cases brought up. I genuinely believe my code is better for having been reviewed, and I work harder on the quality of my code because it is going to get reviewed.

Now, code reviews aren't a panacea, there's an awful lot of bike-shedding going on (in particular whenever interfaces are reviewed) but they're a net positive in my view. It isn't about trust, it is about creating a quality product, along with postmortems (an under-utilized philosophy) and automated tooling (inc. testing, validators, etc).

Apart from the other reasons for code reviews already mentioned, there's this: an inexperienced developer (in a particular area) may not _know_ when a code review is appropriate. A change that looks innocent may have wider consequences than expected. Code reviews spread knowledge, and knowledge is the true output of software engineering.
The only thing I agree with from this "Make your own rules". I feel like it is click bait otherwise. Reading this I would apply for a job here personally.
There is a Russian proverb I heard used very early on in my career that has really stuck with me over the years:

"Trust, but verify"

I think a lot of other commenters nailed the trust equation in more verbose terms. I would add that in some industries or for certain customers, a 2+ person code review rule is mandatory for compliance, regardless of any perceptions around how mundane the changeset might be.

I wish this talked about the engineering time lost when a bad PR makes it to production. Fixing those may eliminate any time gains from skipping code review. Also, this violates security compliance standards (e.g. SOC2).