Saturday, May 22, 2010

Trust Issues with Source Code

Double face palm

Digging around in some code circa 6 months ago I discovered a method that I had scrounged from the web and, in my apparent haste at the time, had not built any unit tests for.  It was less than 20 lines of code doing some simple array manipulation – and it was from a pretty decent site, so it seemed pretty safe.  It’s the weekend so I thought, hey, time to plug that gap!  I started with some simple cases and soon realized that one of the execution paths was just … well, plain wrong.

Luckily, that behavior wasn’t being used anywhere in my project (yet!), but still, it was essentially a land mine waiting for someone to trip it.  My first reaction was “shame on them for posting that without testing it!”  Of course, this code didn’t end up in my project because of the author.  It was I who blindly accepted it and gave it the “it’s from the internet!”-stamp-of-approval.

Lessons learned today:

  • Trust is earned, not given.
  • Source code becomes trusted by-way-of thorough unit and functional testing.
  • Do not trust untested code from the internet.
  • Trust untested code from your own keyboard even less – at least code on the internet has likely been reviewed by someone else.
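As an added illustration of the lessons above (this is not the post’s code; the author never shows the method in question), here is a hypothetical “scrounged from the web” array helper whose full-chunk path is right but whose leftover path silently drops the tail, beside a corrected version and the branch-covering test cases that separate the two. The function names, the cases and the round-trip property are all assumptions made for this example.

```python
"""Constructed example: a borrowed array-chunking helper with one wrong
execution path, a fixed version, and the tests that tell them apart."""
from typing import Callable, Dict, List, Sequence, TypeVar

T = TypeVar("T")


def chunk_borrowed(items: Sequence[T], size: int) -> List[List[T]]:
    """Hypothetical 'from the internet' helper: split items into runs of
    length `size`.  Looks fine on inputs that divide evenly; the path for
    a trailing partial chunk is plain wrong (the leftovers are dropped)."""
    if size <= 0:
        raise ValueError("size must be positive")
    out: List[List[T]] = []
    full = len(items) // size
    for i in range(full):
        out.append(list(items[i * size:(i + 1) * size]))
    return out  # bug: items[full * size:] never make it into the result


def chunk_fixed(items: Sequence[T], size: int) -> List[List[T]]:
    """Corrected version: step through the input in strides of `size`, so
    a final shorter chunk is emitted instead of lost."""
    if size <= 0:
        raise ValueError("size must be positive")
    return [list(items[i:i + size]) for i in range(0, len(items), size)]


def check_chunker(fn: Callable[[Sequence[int], int], List[List[int]]]) -> Dict[str, bool]:
    """Run a small case set chosen to hit every branch (empty input, exact
    multiple, remainder, input shorter than one chunk).  Returns a map of
    case name -> passed, so a reader can see exactly which path is broken."""
    cases = {
        "empty": ([], 3, []),
        "exact_multiple": ([1, 2, 3, 4], 2, [[1, 2], [3, 4]]),
        "remainder": ([1, 2, 3, 4, 5], 2, [[1, 2], [3, 4], [5]]),
        "shorter_than_size": ([1, 2], 5, [[1, 2]]),
    }
    results: Dict[str, bool] = {}
    for name, (items, size, expected) in cases.items():
        try:
            results[name] = fn(items, size) == expected
        except Exception:  # a crash counts as a failed case, not a passed one
            results[name] = False
    return results


def round_trip_ok(fn: Callable[[Sequence[int], int], List[List[int]]],
                  items: Sequence[int], size: int) -> bool:
    """Property every chunker must satisfy regardless of the exact cases:
    concatenating the chunks must give the original input back."""
    return [x for chunk in fn(items, size) for x in chunk] == list(items)


if __name__ == "__main__":
    for name, fn in (("borrowed", chunk_borrowed), ("fixed", chunk_fixed)):
        print(name, check_chunker(fn), "round-trip:", round_trip_ok(fn, [1, 2, 3], 2))
```

The point of `check_chunker` is that the case set is built from the function’s branches rather than from the happy path the snippet was found solving; `round_trip_ok` is the kind of invariant that catches the same defect without anyone having to guess the right case in advance.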

I’ve written the author a friendly note with a simple fix – it’s better to defuse that bomb than let it get somebody else!