Top
Best
New

Posted by ColinWright 6 hours ago

The primary purpose of code review is to find code that will be hard to maintain(mathstodon.xyz)
250 points | 130 comments
thayne 2 hours ago|
Code review doesn't have a single purpose. Finding code that is hard to maintain is one of those, and and an important one, but certainly not the only one, and I'm not sure it is even the most important one. Other purposes include:

- a safety check to ensure that if a developer (or AI) goes rogue, it is more difficult to merge malicious code

- a second perspective from someone who isn't as close to the problem and might see a better way to do things, or problems that the original developer missed

- in some cases having someone more familiar with other parts of the system look at it who can tell if it won't interact well with something else

- ensuring there is at least one other person familiar with the code

- a learning opportunity. The author can learn from feedback from the review, and the reviewer can learn from the code in the change. Especially important when the author and reviwer have differing seniority. When I mentor a new employee, I add them as a reviewer to all my PRs so they can see how I do things, and review all their PRs so I can provide guidance. And sometimes I even learn things from them!

- yes, catching bugs, although this should not be the primary mechanism for that, and I agree is not the most important reason. It is especially important for security and performance bugs though, as those are harder to catch with automated testing.

a4isms 2 hours ago||
Another—very old—rationale:

People write code differently when they know that it will be reviewed by people who will not only comment on it, but also form long-term impressions of the submitter's competence and fit based on the code that is reviewed.

dotancohen 1 hour ago|||
I've always felt that this is and advantage to open source software. The vast majority of open source software that I've bothered to look at the code for used best practices, was reasonably secure, and was above all maintainable. The bespoke projects that I've worked on at various companies? Complete spaghetti messes almost all of them.
skydhash 3 minutes ago||
Pretty much. I use OpenBSD and the basic stance is that you need to look at the code of the system and the various software in ports. Because the only way to get timely support is you helping yourself and then the community will help you. And if you find some hackish code, there’s generally a good reason it’s that way.
freedomben 2 hours ago|||
This is the big one IMHO. I've been part of teams where there was zero code review, and where the code reviews were intense, and for sure people write much better code (generally speaking) when they know it will be reviewed. We all do it, even if subconsciously.

I do advocate a balance though. Ridiculous code reviews tend to slow the process down immensely, which is good for some things but bad for others. Finding a good balance is super important IMHO

levl289 1 hour ago|||
OP is Short-form false-dichotomy. Thank you for this perfect response.
urig 2 hours ago|||
100% agree. It's as if you read the first sentence out of my mind. Thanks.
ivanjermakov 1 hour ago|||
Similar to #3:

- having someone more experienced in that subdomain catch problematic parts and inconsistencies with existing code.

boie0025 1 hour ago|||
I agree with all of this, I read into the "single purpose" of understanding the code and complaining about what you don't understand implying that if you understand it, you will be able to point out and comment on things that are wrong /foolish/unsafe/etc after understanding it. From that perspective on the OP, it makes sense to me. Particularly with regard to modularity and factoring; once I understand all of a gigantic PR I will have modeled it in my mind and will begin to either see that it will be maintainable, or will be a total nightmare one day... or somewhere in between.
boie0025 1 hour ago||
After a re-read, I realized the claim wasn't "single purpose", it was "primary purpose", in which case this makes even more sense to me. I guess everything else comes from understanding what's in a given PR. It is difficult to find bugs in code that you don't understand, and it's difficult to understand code that doesn't follow convention, etc. I think I've worked this way and just not thought about it from this perspective. I review a lot of code, and what I generally do is fire up my editor in the relevant repo and follow along. If there's a method call to outside of the PR, depending on what it is and what I know about it, I'll pull that up in my editor and review there to make sure I understand what's happening. That understanding is where the comments come from. Maybe "I understand this and it's right" or "I understand this, and it seems wrong because [something]" or "I do not understand this because [whatever]" etc. Maybe "primary purpose" isn't perfect.. perhaps "overarching goal" or similar.. :shipit:
threethirtytwo 1 hour ago||
I agree it doesn’t have a single purpose but you didn’t refute the claim about a primary purpose. One purpose to rule them all.
donatj 4 hours ago||
What I find to be maybe the single most important part of code review is knowledge transfer.

Our entire small team thumbs up a PR before it's merged unless there's a big rush on it, and this gives everyone on the team a rough idea of the state of the codebase at any given time. There's no being blindsided like "this whole system I depend on is gone" like I had happen at far more siloed places I've worked.

Beyond that, it gives a forum to ask questions about how things work to further build understanding. On a high functioning team, every developer should have at least a modest understanding of the entire system, including parts they never touch.

Another important feature is just the institutional knowledge check. For instance recently I made a small change to a table and a coworker pointed out that there was a microservice I wasn't considering that wrote to that table that would break (yes, sharing tables is bad design, unrelated). I had no idea this microservice existed let alone had access to this table. The institutional knowledge check here though prevented a larger issue and potential data cleanup situation.

Aurornis 3 hours ago||
> Our entire small team thumbs up a PR before it's merged unless there's a big rush on it

This has been tried by a couple of my past managers.

This feels great with a small team on a slow moving codebase. If you try to force it on a larger team or expect the codebase to move quickly then it turns into a performative game of skimming the code (if that) to click the thumbs up button so you can get back to your work.

The end game was a situation where nobody was really reviewing code because everyone had their own work to do and they didn’t want to be the one person blocking important PRs, so everyone was clicking thumbs up.

cucumber3732842 2 hours ago||
This with a side helping of "when everyone is responsible nobody is"

Then again, if you're dealing with an un-maintainable minefield of a code base then "fire the whole team, I dare you" might be what you're after.

thomascgalvin 3 hours ago|||
> Our entire small team thumbs up a PR before it's merged unless there's a big rush on it, and this gives everyone on the team a rough idea of the state of the codebase at any given time. There's no being blindsided like "this whole system I depend on is gone" like I had happen at far more siloed places I've worked.

How large is your team? Because I don't think that would scale beyond maybe five engineers

I'm a huge proponent of automated testing, because that catches things like "this whole system I depend on is gone" even if the guy who depends on it isn't in the room

I'm also a huge proponent of shared ownership of ... everything, really. It's natural for people to kind of own different pieces of a codebase, especially if it's a component they created, but that leads to silos and low bus counts. There shouldn't be one guy who owns one system that depends on one other component

rowanseymour 4 hours ago|||
We even find ourselves creating PRs in situations where the code is going to be merged immediately anyway, and tagging other devs, just so they have a convenient way to see what got merged and why. So people don't lose track of what is in the codebase.
jonahx 4 hours ago|||
It's a good practice. Worth mentioning also: the same can be done with ordinary git log, assuming everyone is using git well. A proper git log of yesterday's work can be like your work newspaper with coffee.
laybak 3 hours ago||
this seems like a chain of good practices. though I find it hard to stay disciplined about keeping commits well scoped and well described
morganherlocker 53 minutes ago|||
You can setup most PR systems to squash on merge using the first commit's message, then enforce that the top commit message is prefixed with a ticket ID. This practice has many benefits: readable git log, easier git bisect for tracking down regressions, it becomes easy to find all commits associated with a block of work, more useful git blame.
jonahx 3 hours ago|||
Becoming very comfortable with "rebase --interactive" and other cmds for editing your (local!) history before merging helps a lot. Once you are, it only adds 5m or so of extra work to most PRs. And while acquiring this knowledge used to be difficult, LLMs make it very easy these days.
duskdozer 3 hours ago||
I would also recommend an editor designed for rebases. I use the nodejs rebase-editor TUI (though it looks like the old non-vibecoded releases have been removed from github, so unclear on the current availability of this one) which makes it easier to organize
fusslo 3 hours ago|||
this is a great way to train people to ignore PR emails/notifications
rowanseymour 2 hours ago||
Maybe but those people are also having claude summarize their inbox and get nice little daily reports on things they might want to look into.
6LLvveMx2koXfwn 3 hours ago|||
> For instance recently I made a small change to a table and a coworker pointed out that there was a microservice I wasn't considering that wrote to that table that would break

If code reviews are important, where does testing sit? Presumably if the coworker had not been part of the code review something would have stopped the breaking change making its way to prod?

chii 3 hours ago|||
> something would have stopped the breaking change making its way to prod?

or a prod outage causes the knowledge to be experienced.

marcosdumay 2 hours ago|||
I'd guess testing is done only for the software being deployed, not for that other microservice.

At least, that's what people do by default.

koolba 3 hours ago|||
> Our entire small team thumbs up a PR before it's merged unless there's a big rush on it, and this gives everyone on the team a rough idea of the state of the codebase at any given time.

For non trivial or chore updates a second pair of eyes is always a good idea. But it’s not possible to scale out “everybody reads everything” to a large N. The problem is that nobody could keep up with that ad the reader when there are some huge number of things to read. That’s why we delegate, create docs, and have overview sessions.

chrisra 2 hours ago|||
Decisions by small groups should be the default. Others only need to be involved if the risk/consequences of failure are high.

I started ignoring all PRs from our large team because we had a similar policy. My teammates can handle, they don't need me to check on each PR.

abirch 3 hours ago|||
Complexity is caused by Dependencies and Obscurities ~ John Ousterhout

Looks like you had both.

Scubabear68 2 hours ago|||
Based on your description, I don't think the process is working.

You describe a shared database, micro services you aren't aware of using the same database, and a desire for everyone to have a rough idea of the state of the codebase. And things breaking unexpectedly being caught by code review.

You have a bigger problem here of a system you can't reason about very well. The code review will help here, but I think you have bigger discoverability problems based on what I'm reading.

As others have said, what is needed is automated testing that would catch this sort of problem automatically without needing a human in the loop saying "Oh, wait...". We still want/need humans in the loop, but they should not be the only safety net.

abtinf 3 hours ago||
[flagged]
sjburt 4 hours ago||
My attitude has always been that code review is best thought of as the gate where code goes from being owned by the author to being owned by the team or project. The code I'm reviewing is not your code, it is code that is about to become our code.

Maintainability is a major factor in that, of course.

dude250711 4 hours ago|
Such a luxury, I am envious!

Our team started using AI, so I switched to a simple method: no comments, and a binary "is this batshit crazy or passable" approval decision rule.

Saving myself time and sanity.

Sharlin 3 hours ago|||
In other words, AI code is owned by nobody.
randusername 3 hours ago|||
AI code is owned by owners and society is figuring out in real-time if code has some inherent value without humans that understand it.

I'll be really interested to follow what comes out of the Bun team.

kibwen 3 hours ago||||
It's not innacurate to say that AI code becomes legacy code the instant it's merged.
nijave 2 hours ago|||
Tragedy of the commons
acedTrex 3 hours ago|||
Yep, without a decent team culture this is what LLMs force, the slop deluge is just overwhelming without leadership asserting "no, stop"

Ultimately you just let bugs through because the alternative is spend an inordinate amount of time communicating with someones claude through PR comments about what the shape should be.

Career was fun while it lasted. I suppose its a blessing a to get to do a job that you enjoyed for as many years as I did.

morganherlocker 44 minutes ago||
Disapprove and ask for a call where the author must verbally explain the changes to receive approval? This seems like a solvable problem, and one that already existed in repos with many contributors of varying skill (open source, bigco with lots of interns). Letting bugs through is an even bigger time sink.
titzer 4 hours ago||
This just makes reviewers and authors lazier.

The purpose of code review is multi-faceted. Hard to maintain? Yes. Might have bugs? Yes. Can be done simpler/cleaner? Yes. Is in line with project code style? Yes. Get someone else to also understand the code? Yes. Onboard junior team member? Yes. Sanity check design decisions? Yes.

This flippant note is mostly more self-justification for being a lazy code reviewer.

n4r9 3 hours ago||
Agreed. There's a whole checklist of what to look out for:

- Does it functionally achieve what it sets out to (as per tacker issue or PR description)?

- Does it have extraneous code? Leftover debug prints, private API keys etc...

- Does it have any obvious defects? Memory leaks, un-handled edge cases, security flaws, obsolete API calls, etc...

- Could it be more understandable? Add/remove abstractions, better variable/method names, more/less functional etc...

- Is the style consistent with the codebase and/or style guidelines?

- Are there obvious performance improvements? Hashset instead of list, lazy evaluations, etc...

- Is it sufficiently well tested?

I'm not even sure I agree that if I can't understand the code then it shouldn't go through. Some code is just really hard to understand. The aim is to make it as easy as possible to understand, while being functionally correct.

andrewvc 3 hours ago|||
Indeed, we worked hard as an industry to move beyond "blame the author" to "blame the process/team".

Unfortunately this article is just bait, may as well say "People seem to think dinner is about eating food, but it's not about eating at all, actually it's about connecting with family and friends!". It's a specific type of poorly constructed reductionist argument that plays well on HN.

connerBown 2 hours ago||
Totally agree. With the speed at which code can be written and deployed today due to AI, the emphasis should shift onto the review. Does the code actually run properly, are all of our assumptions correct, and are there any unintended side effects?

I've found the review and debugging process to be much more time consuming than writing/producing code, and just "praying it works" never ends well.

whilenot-dev 3 hours ago||
> it is not in general possible to find bugs by examining the code.

Oh hell yes it is, at every level of abstraction even. We call those things code smell... A file descriptor that hasn't been closed, a coroutine that hasn't been awaited, a big try/catch block that just falls back to some value without logging the error, wrong type castings, etc.

As a general rule: Neither type checker, nor compiler, nor runtime should ever be steps that merely want to be satified - work with these steps and treat them as the valuable tools they are, and never work against them.

ak217 11 minutes ago||
The primary purpose of code review is whatever your organization decides it wants it to be. The post makes a good enough point but undermines it with this dogma.
BariumBlue 4 hours ago||
True - the biggest thing I want to catch in an MR is "will this change lead us onto a path that is uglier, buggier, less maintenanable".

People will generally copy and follow existing patterns, so for example if you let somebody add a new internal date time format, then soon your codebase will bifurcate and there'll be multiple inconsistent versions roaming around.

The other stuff (minor bugs, overly verbose code) can easily be fixed. Paradigm rot cannot.

faitswulff 3 hours ago||
Code review isn’t a singular thing. There are many reasons for code review, like knowledge sharing, liability laundering, code quality, regulatory compliance, etc. As usual, what purpose it serves depend on your use case.
razemio 3 hours ago|
Thank you! I find it somewhat ignorant to say, most people do not understand the reason behind a peer review, while obviously being missinformed. To even believe that it only serves a single purpose somewhat tells me, that the author is missing experiences with other teams / people.
kasey_junk 4 hours ago||
It’s probably important to define what sort of code review you are talking about when making broad claims about it.

GitHub style asynchronous pull request review with inline comments is the norm now, but it’s not the only sort of review there is. I’m old enough to remember processes that include in person reviews that were more like a dissertation defense or conference presentation.

The literature around this that shows that code review is a useful quality practice (in fact one of the only useful quality practices) comes mostly from much more structured review processes than we see now.

My personal opinion is that before llms the GitHub style pr review was for making us feel better about our processes (or governance checkbox checking) and the age of llms will sweep them away as the cost/benefit is so much worse now.

goalieca 4 hours ago|
On one of my first jobs, I had printed off change packages which had to be reviewed and signed. There was even a person owning the final copies in filing cabinets. This was more like traditional engineering and everyone had to think of software as more permanent.
pmelendez 4 hours ago|
Sure, ensuring maintainability is one of the benefits of code reviews, but I think it is a bold claim to say that's the solo purpose. For example, code reviews is also a tool that allows teams to get inform of the changes in the code and share responsibility of the whole code base.
More comments...