This is the kind of thing I think about whenever people say "managers should trust engineers and leave them alone to do their work". https://arstechnica.com/security/2024/09/meta-slapped-with-101-million-fine-for-storing-passwords-in-plaintext/
-
Ditto! There's such great learning here -- for engineers, for managers trying to figure out when and how to get involved or explaining to engineers how they approach it, and for people mentoring engineers or managers. I really appreciate the time you put into these threads and the clarity of your explanations!
@polotek Every time in my career I've seen anything close to this level of garbage, engineers have been screaming to fix it and management couldn't be bothered to develop the fake-ass data-driven justification to do it.
-
@galactus and what happens after that? Engineers shrug and ship it. Users get harmed. Engineers blame managers. Managers lay all of the engineers off. Engineers get upset and talk about how important and indispensable they are. Nobody actually does what's necessary to help users.
Sound about right?
-
@polotek yes
-
@galactus cool. You keep doing what you're doing then. Works as designed.
-
@donaldball why are the engineers screaming instead of just fixing it?
-
@hungryjoe @polotek if I can try to synthesize both of your points? It seems to me that if junior engineers are acculturated to knee-jerk tell managers to fuck off and leave them in peace, they will not have any chance or motivation to develop the skill of actually communicating and negotiating with managers. Furthermore, managers will have no particular reason to bother communicating with them.
-
@zwol @hungryjoe I don't think this is an accurate synthesis.
-
@hungryjoe I think your expanded thoughts come across just fine. If I was stating my own position more clearly, I would say that manager and engineer are both roles that have a job to do. They work best when both sides understand the other's job and they collaborate to achieve the best results.
There is an unbalanced power dynamic that has to be navigated there. But I think many engineers use this as an excuse to be unaccountable for their decisions.
-
galvao replied to Ben Ramsey
However, demanding this kind of ethical decision from programmers is really unfair.
What would help, IMO, is a culture of whistleblowing, with protections and assurances in place so programmers suffer no consequences if "forced" to make an unethical decision. And yes, this would involve either Government or another kind of entity with superior authority over the company, which is in itself a whole different can of worms.
-
@polotek Lack of authority and fear of being punished for doing work other than that assigned.
-
@polotek as one of the idiots who brought this up, maybe it is a professional failing to empathize with the shitty developers who didn't think of the consequences of unredacted creds in logs. It's telling on ourselves that we think we could (or have!) make the same mistake, and are (what?) looking for preemptive forgiveness and avoidance of accountability/punishment? Maybe an undercurrent of why the idea of software engineering licences is threatening to some.
-
@polotek if you're gonna quote-post you should consider tagging the user so they know...
Anyway, I was specifically talking about Meta engineers, who (like I said) obviously knew about hashing passwords.
At some point you gotta figure out who you think is at fault. One minute you don't trust engineers to make choices for themselves, the next they shouldn't have to ask permission to hash passwords, the next you can't assume they even know about it.
-
@donaldball @galactus fixing security issues is job threatening. Yeah I understand. Feel free to keep shipping vulnerabilities. Sorry I mentioned it.
-
@donaldball @galactus by the way, I'm actually asking people to mitigate risk to users. And also to do the job they get paid for. But again, you do whatever you think is best. Don't let me stop you.
-
@donaldball you should find a better job Donald. Good luck.
-
yumaikas/sakiamu replied to Marco Rogers
@polotek It doesn't have to be management downplaying such a thing. In the past when I've raised things like SQL injection vulns, it's been other devs that have been downplaying it.
-
Marco Rogers replied to yumaikas/sakiamu
@sakiamu that's not possible. Devs are perfect actors. Only managers are responsible when bad things happen.