Proposal: HAZARD tag

Ian Bruene ianbruene at gmail.com
Wed Jan 17 18:16:24 UTC 2018


First proposal: For cases where a piece of code needs to embed brittle 
assumptions, in addition to the comment block explaining said 
assumptions it should also include a HAZARD tag with a one line summary 
(not unlike a git summary line). While this standard will only help to 
catch instances of bitrot that are marked, it will make finding those 
cases far easier.

Example:

# HAZARD: assumes this and that
# more detailed explanation
# follows here
[code doing brittle stuff]

Second proposal: As part of the pre-release checklist someone should 
grep the entire codebase for the HAZARD tag and post the list of 
instances to the devlist. Each one must be either signed off on by a 
core developer, or checked for bitrot. Signing off would be the norm, 
used in cases where it is known that the ground has not changed since 
last release and at least one core developer knows/remembers enough 
about the territory that it doesn't need a manual check.

Disadvantages:
     * extra work for release
     * more "paperwork", even if only in the form of devlist traffic

Advantages:
     * known sites with high bitrot potential are regularly checked
     * exerts pressure to fix those sites
     * NTPsec has robustness requirements that make the tradeoff of 
having another checklist more valuable than it would otherwise be

Potential failure mode: everyone signs off out of habit / not caring 
without ever checking anything.

I judge "not caring" a very low probability with this team. Anyone who 
is onboarded is also likely to be assimilated into / have a preexisting 
sense of duty on such matters.

Habit is a more likely problem, but I believe that the proper solution 
is the focus on the "exerts pressure to fix those sites" part of the 
proposal. This type of bad habit is most likely to form where there are 
many items to check.

-- 
/"In the end; what separates a Man, from a Slave? Money? Power? No. A 
Man Chooses, a Slave Obeys."/ -- Andrew Ryan

/"Utopia cannot precede the Utopian. It will exist the moment we are fit 
to occupy it."/ -- Sophia Lamb
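The pre-release grep pass from the second proposal, written out as a small POSIX shell script so the list posted to the devlist has a fixed "path:line: summary" shape. This is an added example, not NTPsec's tooling and not code from the post: the function names (`list_hazards`, `count_hazards`, `unexplained_hazards`, `make_sample_tree`) are my own, the sample tree it builds (`a.py`, `b.c`) is constructed here for demonstration, and the `unexplained_hazards` check, which flags a tag whose next line is not a comment, goes one step beyond the post by catching summaries that never got the detailed explanation the first proposal asks for.

```shell
#!/bin/sh
# Added example, not NTPsec's own release tooling.
# Usage after sourcing this file:  list_hazards path/to/checkout

# Print every HAZARD tag under a directory as "path:line: summary".
# -I skips binaries, --exclude-dir keeps .git out of the scan, and the
# leading (^|[^A-Za-z]) stops words such as "BIOHAZARD:" from matching.
list_hazards() {
    dir="${1:-.}"
    grep -rnI --exclude-dir=.git -E '(^|[^A-Za-z])HAZARD:' "$dir" \
        | sed -E -e 's/^([^:]+:[0-9]+):.*HAZARD:[[:space:]]*/\1: /' \
                 -e 's/[[:space:]]*\*\/[[:space:]]*$//'
}

# Number of tags, handy for the release mail and for spotting growth.
count_hazards() {
    list_hazards "$1" | wc -l | tr -d ' '
}

# Report tags whose following line is not a comment line (# , //, * or /*),
# i.e. a one-line summary with no explanation block underneath it.
# Prints nothing when every tag is explained.
unexplained_hazards() {
    list_hazards "$1" | while IFS= read -r entry; do
        path="${entry%%:*}"
        rest="${entry#*:}"
        line="${rest%%:*}"
        next=$(sed -n "$((line + 1))p" "$path")
        printf '%s\n' "$next" | grep -qE '^[[:space:]]*(#|//|\*|/\*)' \
            || printf '%s\n' "$entry"
    done
}

# Constructed sample tree (not real project files): one explained tag in
# a Python file and one bare tag in a C file. Echoes the directory path.
make_sample_tree() {
    d=$(mktemp -d)
    printf '%s\n' \
        'import sys' \
        '# HAZARD: assumes this and that' \
        '# more detailed explanation' \
        '# follows here' \
        'width = 80' > "$d/a.py"
    printf '%s\n' \
        '/* HAZARD: assumes caller holds the lock */' \
        'int counter = 0;' > "$d/b.c"
    printf '%s\n' 'No tags in here, just the word hazard.' > "$d/README"
    echo "$d"
}
```

Running `list_hazards` on the sample tree yields two lines, `.../a.py:2: assumes this and that` and `.../b.c:1: assumes caller holds the lock`, and `unexplained_hazards` reports only the `b.c` entry, because its explanation (if any) sits on the same line as the tag rather than in a comment block below it. A release manager would paste the first list into the devlist mail and treat the second as items that need a real check rather than a sign-off.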
