[Cryptography] code review (was: RSA is dead.)

Jeremy Stanley fungi at yuggoth.org
Thu Dec 26 16:44:20 EST 2013


On 2013-12-25 13:22:16 -0500 (-0500), Jerry Leichter wrote:
> On Dec 24, 2013, at 8:58 PM, James A. Donald wrote:
> [...]
> > I assume one hour per hundred lines of code review, so ninety
> > minutes is within my range of normal variation, as is half an
> > hour.
> 
> Interesting.  That's roughly in the range a professional proof
> reader would estimate for properly reviewing a page of technical
> text.
> 
> For any real software, it's also fantastically expensive, even if
> you work at minimum wage - and I'm sure you're not even close.
> :-)  Way out of the range that open source projects could fund.
[...]

The OpenStack project provides a counterexample here: a coalition of
more than a hundred different (but related) individual software
projects whose community has evolved a "code review culture" such
that no changes are merged without review by multiple developers
experienced in those projects.

    https://wiki.openstack.org/wiki/Gerrit_Workflow

And yes, it's expensive (a majority of contributors and reviewers
are employed full-time by various member companies who donate labor
and other resources for those projects). Similar code review
patterns are commonplace for WikiMedia and Google free software
projects as well, and are rapidly being adopted by other large
communities who want a workflow similar to that of the Linux kernel
but with the benefit of a more open and decentralized approval
process.
-- 
{ PGP( 48F9961143495829 ); FINGER( fungi at cthulhu.yuggoth.org );
WWW( http://fungi.yuggoth.org/ ); IRC( fungi at irc.yuggoth.org#ccl );
WHOIS( STANL3-ARIN ); MUD( kinrui at katarsis.mudpy.org:6669 ); }
