Seems painfully obvious that, whatever you think about #genai code, anyone using it is heading for a code-review logjam. Assuming that the org requires code review; if yours doesn’t, nothing I can say will help you. Anyhow, Rishi Baldawa writes smart stuff about the problem and possible ways forward, in “The Reviewer Isn't the Bottleneck”: https://rishi.baldawa.com/posts/review-isnt-the-bottleneck/

[My prediction: A lot of orgs will *not* do smart things about this and will suffer disastrous consequences in the near future.]

The Reviewer Isn't the Bottleneck

AI tools are flooding PR queues and the instinct everywhere is to call review the bottleneck. I think that’s the wrong question. The reviewer is the last sync point before production changes. The goal shouldn’t be how to remove the gate, but how to make it cheaper to operate.

Rishi Baldawa

@timbray I am hearing peers in other companies being pushed by executives to abandon code review completely.

If you’re wondering how deep the psychosis goes.

@petrillic @timbray That's certainly my concern. I'm in security, so mostly watching this from the sidelines, as I listen to execs essentially pushing for "vibe-code to prod".

It can only become worse when making changes to programs, since it won't be incremental change. Instead, it'll be, "no, do the thing, but not like that." The old fluff will be thrown away, and so the new version will be whatever it is, possibly completely different from last time. How do you review that?

@tim_lavoie @petrillic @timbray

And in this flood of unintelligible slop, all eagerly serving under the commandment "move fast and break things", somebody starts dropping malicious code and big chunks of it just roll right over the broken safety net.

@violetmadder

@tim_lavoie @petrillic @timbray

There just IS NO compelling argument to execs who want more code shipped yesterday. Code review or not, AI or not... it doesn't matter.

We p2p code review. Mandatory. Automated testing, all of the best practices.
We found a bug in testing akin to "car stalls when turning left and windshield wiper is on." We were told to _ship it anyways_. Maybe it's only for UPS drivers.

So if having an ai.code.review means having a code.review _at all_.... ¯\_(ツ)_/¯

@tezoatlipoca @violetmadder @petrillic @timbray
Well, you found an issue, and raised it! The approach we tend to take is that the security team identifies risks, and it's up to the business to decide from there. At least our process puts an executive sign-off in the way with risk assessments. I suspect though that the vibe-code stuff is going to change too fast for us to test it at scale, and it won't get those resulting risk assessments.