15
xonya
5y

rant & question

Last year I had to collaborate to a project written by an old man; let's call him Bob. Bob started working in the punch cards era, he worked as a sysadmin for ages and now he is being "recycled" as a web developer. He will retire in 2 years.

The boss (that is not a programmer) loves Bob and trusts him on everything he says.

Here my problems with Bob and his code:
- he refuses learning git (or any other kind of version control system);
- he knows only procedural PHP (not OO);
- he mixes the presentation layer with business logic;
- he writes layout using tables;
- he uses deprecated HTML tags;
- he uses a random indentation;
- most of the code is vulnerable to SQL injection;
- and, of course, there are no tests.
- Ah, yes, he develops directly on the server, through a SSH connection, using vi without syntax highlighting.

In the beginning I tried to be nice, pointing out just the vulnerabilities and insisting on using git, but he ignored all my suggestions.

So, since I would have managed the production server, I decided to cheat: I completely rewrote the whole application, keeping the same UI, and I said the boss that I created a little fork in order to adapt the code to our infrastructure. He doesn't imagine that the 95% of the code is completely different from the original.

Now it's time to do some changes and another colleague is helping. She noticed what I did and said that I've been disrespectful in throwing away the old man clusterfuck, because in any case the code was working. Moreover he will retire in 2 years and I shouldn't force him to learn new things [tbh, he missed at least last 15 years of web development].

What would you have done in my place?

Comments
  • 8
    I would just have warned the boss that Bob has no clue, that his code is full of vulnerabilities, and that the company will get hacked.

    If boss doesn't believe that and decides to fuck up, so be it. But I would have made sure that there's a paper trail.
  • 8
    @Fast-Nop this would make sense, but unfortunately the boss thinks Bob is more skilled than me because he is 30 years older.
  • 6
    @xonya yeah, and the best way to convince him of the opposite is a massive fuckup that you can shrug off with "told you so".
  • 5
    Regardless of Bob's faults or the problems he is presenting, you are putting yourself at risk with the lack of transparency. Your description of Bob's boss makes me think it's likely that you'd be accused of "sabotaging", "going behind the back", etc. Partly because that's true. (Also, your post smacks of ageism. Why should I mention that? Because I'm getting thin skinned about it and there's nobody around to yell "get off my lawn!" at.)
  • 5
    As an older dev, I've been the recipient of your type of treatment. In my case, though I had something to contribute that they weren't considering (a WordPress site for Marketing so we could focus on another main app and Marketing wouldn't have to wait to get on our schedule). The young devs were purists and turned up their noses at my suggestion even though it was perfectly reasonable as a generally-accepted business practice. They got HR involved and I was fired under false pretenses and without an opportunity to present my case adequately.

    Bob does need to brush up, yes. Retirement in 2 years is no excuse. But undermining his code was not the answer. Teaching him and talking to his boss when he refused was the better play.
  • 1
    I would have respected my elders
  • 1
    @xonya I believe what you did is correct. Even if you have paper trail that Bob knew nothing and his code was vulnerable, in case the company gets hacked, boss would first look to fire the lower-level employees (less senior, like you).
  • 1
    @xonya Sounds bad. Probably defacing your test system or popping a shell on it won't help you here.

    Do you have possibility of other auditing the code?

    Otherwise I'd deploy their shit, only take care your warning was in written form (in case site is really pwned)
  • 1
    Retry with the boss by giving more concrete flaws and attack simulations.

    If it doesn't work ask to be transferred, because your skillset is going to be wasted, and do you want to waste time on something that later on you'll have to rewrite anyway?

    If there's online exposure to what you're developing, SQL injections are not acceptable.
  • 0
    Thanks for your feedbacks guys, I really appreciate them (also the negative ones)!

    @stackodev I'm sorry they fired you. I don't want my company fires Bob, he doesn't deserve that. I simply would like to have a maintainable codebase, without so bad vulnerabilities, since I'll probably be still involved in this project after he will retire.

    @kgbemployee I'm not against vi, but I saw he working and, without syntax hilighting and code validation (things that you can set up in vi too), he wastes a lot of time on missing semicolons or not closed brackets. I don't think this is so cool.

    @phorkyas Currently only 3 persons worked on this code and the other one agrees that it is a mess but thinks that I shouldn't have rewritten it.
Add Comment