Bug#903880: Bug#903815: ITP: pw -- A simple command-line password manager
On Mon, Jul 16, 2018 at 02:36:17PM +0200, Dashamir Hoxha wrote:
> On Mon, Jul 16, 2018 at 2:21 PM Holger Levsen <[1]holger@layer-acht.org>
> wrote:
>
> On Sun, Jul 15, 2018 at 12:41:36PM +0200, Carsten Schoenert wrote:
> > Hmm, do you have tried to validate your shell code?
> > [2]https://www.shellcheck.net/
> > I just pasted
> > [3]https://raw.githubusercontent.com/dashohoxha/pw/master/src/pw.sh
> into
> > and got quite a lot of problematic remarks.
>
> I've also done this now and must say/add "ouch":
>
> I have already answered this. Only one of the suggestions might be useful.
> If everything was clean, according to shellcheck, this wouldn't mean at
> all
> that the program is safe and secure and takes care of all the cases.
> I know what is going on in my program better than the mindless shellcheck.
>
I've been following this thread and it is very difficult for me to
understand why constructive criticism from others is so difficult for
you to accept.
In general, the community of Debian Developers is very concerned with
producing a high quality distribution and also with supporting free
software development. The fact that some have taken the time and
interest to critique your work is very positive. Yet, you choose to
perceive their critiques as an attack and then launch your own
counter-attack.
I don't mean to lecture, but your responses to several of the messages
in this thread indicate that you are likely a younger/junior developer.
That is not intended to be disparraging, but rather I am trying to
understand the reason for the way in which you have responded in this
thread.
In my own case, I know that my attitude in response to critique was much
like yours, when I was still a young developer who thought he knew it
all. Over the years, though, I have come to understand that I know far
less than I thought I knew when I was younger. That is, the world of
programming knowledge far larger than I originally understood it to be.
Even now, as a very experienced and senior developer, I frequently seek
the advice and review of colleagues whenever I make significant changes
to existing code, write new code, etc. I can tell you that I am a far
better and more productive developer as a result.
Another thing which seems to indicate that you are not particularly
mature as a developer is the manner in which you quickly dismiss the
results of static analysis. Certainly, there are instances where the
tools do not fully understand the meaning of your code and provide false
alarms. However, I have come to realize that static analysis is right
for more than it is wrong. So, I have adopted the position that unless
I can clearly articulate a good reason why the static analysis is wrong
and my approach is better (and defend that reason to other programmers
more senior than myself), I defer to the tool and fix the code. I do
this in several programming languages.
Additionally, the argument that you make, "If everything was clean,
according to shellcheck, this wouldn't mean at all that the program is
safe and secure and takes care of all the cases," is totally invalid.
The fact that the tool fails to catch everything is not justification to
automatically reject the things that it does catch. If the tool is
consistently wrong, contact the developer of the tool with a sample of
your code that you think the tool is incorrectly flagging, and convince
the tool developer (using a technical and supported argument) why the
tool should be updated. Your discussion with the tool developer might
reveal to you that there is a defect in your own code that you did not
understand.
I encourage you, for your own benefit to accept the criticism from
myself and others in the spirit in which it was intended: to help you
produce a better free software tool and to improve as a developer.
Regards,
-Roberto
--
Roberto C. Sánchez
Reply to: