The following dialogue is inspired by a career of similar conversations.

--

Manager: What's the status?

Dev: It works, but I just found a security hole. That contractor did not sanitize all the different kinds of user input and someone approved the PR with "LGTM." A customer can run malicious code and get us in real trouble. I'm patching this now.

Manager: How long will that take?

Dev: If done right, 4-5 days. If done fast, I can squeeze 3.

Manager: Let's not boil the ocean. We need to ship by tomorrow so we can't spend too much time on something that we can fix later.

Dev: Surprising deadline aside, I made a Jira workflow state called "Later" for when you close the ticket after this conversation.

Manager: We need to talk about how your negativity impacts the team.

Dev: Sorry. I just don't want to knowingly release a critical vuln.

Manager: We can introduce a procedural change and have ops vet the documents. We already have a screen where they can approve what uploads get to the customer. If we let a bad egg through, then we'll right-size according to customer feedback.

Dev: Lawsuits are feedback?

Manager:

Manager: I mean

Dev: *Googles "brain parasite symptoms"*

Manager: Hey. The kind of thing you are worried about probably won't happen soon, and we'll be able to handle things in the short term.

Dev: Because it's better that our staff have unprotected sex with the Internet on our corporate network than use a few more days to move everyone along worry-free?

Manager: It's a calculated risk. We're Agile after all, right?

Dev: When it's an excuse.

Comments
  • 10
    Nice first rant! I'm impressed.
  • 4
    Nice. Welcome to DR.
  • 2
    Can you talk to the manager one level up and explain this to them?
  • 6
    I don't get this "your negativism is bad for us". Isn't a huge portion of worst-case evaluation super important? Like, if I assume nothing bad will happen I could save a lot of time and just let my users make queries directly in the database, 'cause I know nothing bad will ever happen.
  • 1
    Good old clash of different mindsets
  • 1
    This is the kind of attitude of managers which gets us unsafe and broken software everywhere. 😩 Morons!
  • 2
    Just make sure that you won't be made responsible for the mistakes of your manager when it escalates.
  • 3
    @Lensflare exactly, a paper trail is a must. Otherwise the dev will be thrown under the bus.
  • 0
    Guess who will be legally responsible for the damages and negligence when you actually get hacked...
    Your manager can take the risk, but you must protect yourself by documenting everything.
  • 1
    Don't do verbal agreements. Document it in email and CC higher officials for proper documentation.
  • 1
    I can't stress this enough: PAPER TRAIL!!!
    Print that conversation and file it in a folder at home.
    If you really care about the product and don't just want to cover your own ass, write a mail, about what could happen as an example (including estimated loss with your level of information, as well as your proposition for a fix) and have it signed by the manager. That will make him think twice.
  • 2
    @Wack it seems his manager is trying to make a trap so @zyrolasting will be at fault if something goes wrong hehe
  • 1
    @Devnergy exactly. If shit hits the fan, the manager will be able to claim he wasn't made properly aware by the dev team and that he thought if it was something major, the dev team would have insisted, as he lacks their in-depth understanding...