Firewall Wizards mailing list archives

Re: Code review/audit and/or version control


From: Kevin Steves <kevin () atomicgears com>
Date: Fri, 26 Jul 2002 17:36:07 -0700

On Mon, Jul 22, 2002 at 11:46:24AM -0400, Joseph S D Yao wrote:
> If you are doing version control, you have access to previous versions
> and the commentary from when it was checked in.  Just as with in-line
> comments, the version control comments have to be MEANINGFUL, not just
> "made changes."!!!

I generally prefer short commit messages, that briefly communicate
what was changed and why.  I can read the diff for the details of
what--the message should provide hints as to whether you want to drill
down into the diff.  Also, there should generally be one
change/fix/etc. per commit.  Different projects have varying levels of
rigor in this area.

> ISTM that the old versions can be used to good advantage in two ways:
>
> (1) New version introduces greater and unforeseen (of course!) security
> problem; quickly get out old version with known but lesser security
> problem, and also re-install whatever shim we had used to work around
> the security problem until the "fixed" version was installed.
>
> (2) Determine that the neat new way to do something has already been
> tried, and read the MEANINGFUL version control comments to determine
> why it was removed from service!

Yes, having revision history is invaluable.

-- 
Kevin Steves     | kevin () atomicgears com
Atomic Gears LLC | http://www.atomicgears.com/
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards