>"Pull requests were invented to gatekeep access to open-source projects. In open source, it's very common that not everyone is given free access to changing the code, so contributors will issue a pull request so that a trusted person can then approve the change. "I think this is really bad way to organise a development team. "If you can't trust your team mates to make changes carefully, then your version control system is not going to fix that for you."
This guy (not the post author, but Dave Farley, the guy who wrote the above excerpt) has never heard of "trust but verify".
PR is about verifying, having another set of eyes for anythine the original dev might have missed, giving an opinion before something on a branch goes into permanent git history, and so on.
This is completely orthogonal with whether you trust your team members or not. Besides "blind trust" is not the only form of trust.
As far back as the year 2001, way before Git existed, a small startup I worked for used mandatory code review for all commits. You couldn't just upload whatever garbage and call it a day, it had to successfully compile and be reviewed by a randomly selected peer.
These days Pull Requests are used to enable the same workflow.
Actually no, and IMHO a significant contribution to that failure was that they had bred a culture of cheating where developers would bypass these controls. For example, one of the managers would get his brother to approve his changes, and vice-versa, even if the code was total gibberish.
Generally, the lesson I took away from that place is that you can blow $10 million in seed money and end up with worthless code if you don't pay attention to the basics. They were in the right market, at the right time, with the right product, and 3-5 years ahead of the competition, but you can't sell non-functioning software.
My favourite example (of many) was that they used a source control system that could cache Java ".class" files to enable incremental compilation at all times, even without IDE support. This was literally a check-box that someone un-ticked years before I got there. I re-enabled it for myself as a local setting override and compile times went from 30 minutes to 5 seconds. That inner-loop speed-up was just insane, I could fix bugs in minutes that would take the rest of the team days.
Speaking of code review, the code that I saw getting "rubber-stamped" was so bad it was unbelievable. One guy spent months working on multi-threaded animation code that I replaced with a single line of code. Which actually worked, didn't stutter, and didn't leak threads, or use threading at all for that matter.
The essentials matter! Proper code review, well set up tooling, hygienic build pipelines, etc...
Having a code review policy is like having speed limit signs on the motorway.
Without enforcement, you can make the argument that speed limits don’t save lives because everyone drives as fast as they can anyway.
Same thing for code review. If it’s not policed by management, then it does nothing.
I saw one place that would send alert emails if a commit was approved too fast, assuming that someone must have had it insta-approved by a friend as a favour.
well certainly if you have incompetent developers in senior management, but is that a surprise to anyone? I don't think a good git workflow or whatever could ever fix something like that
This is interesting as a counterpoint to trusting, but it’s funny, I’ve never thought about PRs in either of those terms, not within a team or company anyway. The Pull Request can also be about the code writer asking for review, asking the question ‘is this generally the right way to go?’ The funny thing about projecting ‘trust’ and ‘verification’ onto the process is that PRs simply do not prevent all or even most accidents, automated builds and tests are better at that. PRs can help steer things in the right direction, and they’re good as one of many tools for mentoring people about code they’re unfamiliar with. But PRs can also be used as the opposite of verification: if the reviewer is responsible for verification then PRs can be a CYA where the reviewer is implicated in a mistake along with the writer.
As someone who works in (and leads) the development of a 100k LOC project with four developers (project lead, tech lead and two junior developers) I see pull requests as a way for other members (often me or tech lead) to 1) spot clunky code 2) spot things that already exist in the code and should be unified 3) a way to teach and be taught about how we want the code to work.
I know that "my" team members look at PRs as more of a safety net for oopsies than evidence of lack of trust between team members. We allow self approval of PRs so that if/when someone is the only developer working they can still push code if needed.
When I started in the project we did not use PRs and we all agree that they have made the code better and that they have unified our coding style (the fact that Visual Studio/ReSharper auto-formats changed code also helps with that aspect).
I've had groups where I eventually 'approved' a PR, because... deadlines... even when it wasn't meeting defined standards (primarily around tests/docs). Comments like "please add a test" or "please document X" were just ignored (both inside the version control system and in slack). Eventually, I would merge, and occasionally, we'd hit some bug, trace it back to that, and I would catch blame for "passing" it. Not the person who wrote it, not the same person who didn't test it or add any automated tests. I did, even though I was doing so under protest. The couple times I added to their PR - added a test to verify behaviour, for example - I got called out for "stepping on others' code". Apparently if you went out on smoke breaks with 'the guys', they were 'cool' wit h you and that was the political way of getting people 'on your side' to go along with stuff. Very ... odd dynamics. Apparently, if you're dating the dept head's niece, writing tests was optional, but I never got that memo.
That sounds like a team problem. In my team, contents get addressed and team members don’t approve PR’s they don’t feel meet standards even if there are deadlines.
Glad things get addressed for you. In some places I've worked, they don't. They carry on like my post above.
I did have a 6 month contract with a fairly tight team back in 2019, and it was definitely overall a positive experience. Mix of experience levels, and they were growing perhaps a bit too fast, but there was enough balance and communication. Most people were on site, which did, I think, help out some. I know "remote only 100%" is everyone's favorite 'go to' mode (mine too) but there's some extra discipline and rigor the whole org needs to have to function smoothly to get the best out of a mostly or fully remote workforce.
> This guy ... has never heard of "trust but verify"
I think he has, and actually knows where it comes from and what it means.
"Trust but verify" is a Russian proverb that was used to describe the hoped-for and treaty-mediated relationship between the Soviet Union and the United States during the Reagan-Gorbachev era.
So arch-enemies of a Cold War that are pointing world-ending nuclear arsenals at each other and slowly coming to realise that maybe it would be better to limit those by negotiated treaty.
If that's a good description of the relationships in your team, then I think David Farley wasn't just right, but actually being very diplomatic ;-)
Disagree. Mixing random style fixes in-between actual code just makes reading changelog more annoying. Sure, if you are refactoring some function put format changes with it but that's the most you should do.
If you want to make those:
* make it in separate bunch of commits
* make sure team uses tooling that will not allow new style problems to happen, like mandating certain formatter with certain settings before each commit. Most editors have hooks to do it automatically, and if they don't, Git have them too
It also makes git blame less useful althought it now have options to ignore moved code or whitespace changes so it isn't as much of a deal now.
It seems like your definition of "churn" is "all those petty and annoying things I shouldn't be concerned with or can be easily automated away". By that definition, of course, churn should be avoided when possible.
However, plenty of useful changes also qualify as churn, for instance:
* renaming stuff
* extracting a function to split a block that may have been fine for the author, but that you found hard to read. And yes, sometimes, reviews don't catch all those.
* Add a comment to provide context to an algorithm after you talked with business
All of these things (and others) are pretty valuable, and the cumulative effect of reducing friction against these changes add up to much better codebases, with less places where no one wants to work because of abandonment. This kind of light touches should take a couple minutes while reading your codebase, not half-a-day because you need to fill a PR and wait for someone to be available.
Are those relationships really trusting then? Or is it an optimized way that catches fraud before it is too bad while reducing the increased expense of avoiding fraud?
If you have to get all expenses approved before they are charged to the card, then it adds much more overhead and planning which decreases efficiency. The amount of fraud that happens by letting someone charge things and verifying it later ends up being a smaller expense than the amount of preplanning.
Similar with interviews. The amount of time wasted by interviews of someone who doesn't pass a background check is a small cost than the cost of doing interviews of everyone before doing a background check (not just the cost of the background check, but having a longer interview process leading to missing out on candidates and more candidates getting part the way through the process and dropping out because another place gave them an offer).
Imagine a father trying to "trust but verify" the paternity of their child. If there has to be verification, it will be taken as a lack of trust.
This is how I see the pull request example with credit cards and traveling.
You are on your way to a conference. You are at the airport and want to buy a coffee and a donut. You make a request... You've been waiting for almost an hour now. Nobody takes a look at and you still need multiple approvals, so you ping Barbara in charge of approvals to get the ball rolling, she says she will take a look after a meeting she is currently attending because she wants to be careful with what she approves. Oh, Tom, her colleague asks you why don't you eat salad and orange juice, it's cheaper and faster. You have a quick call with Tom to explain why you want a coffee and donut. Awesome, you convinced Tom to approve in just under 20 minutes. Barbara is back, but she doesn't respond... She is MIA, she went for breakfast... Your plane is leaving, so you skip breakfast. You arrive, by the time you land Barbara approved your breakfast, but now you are in a new country and circumstances changed, so you update your request. The earlier approvals are now invalid. You go through the whole charade again...
Pull requests assume you cannot trust your colleagues to make reasonable choices and you also don't trust your automated tests to catch anything insane (buying a 100k car for breakfast in the above example), so you have to gatekeep and slow down your team to make sure (?) that the code they commit is good.
I don't assume my colleagues will always make "reasonable" choices and furthermore correctly express those choices into code any more than I will myself! In fact perhaps most of the issues I find in PRs are after reviewing my own ones (often it's silly things like accidentally including files/commits I shouldn't've have). Plus knowing someone else must've approved my PR stops me feeling quite so silly if it does end up breaking something :)
The breakfast order analogy to me falls down because not being able to merge a PR into the mainline branch immediately is exceedingly rarely something that holds me up - there's always plenty of other stuff to do. And the time I spend reviewing PRs is valuable in its own right, even if I find nothing wrong (understanding the codebase better etc.). Sure the odd PR or two for a truly trivial change slows up the works a little but they're pretty rare and a it's a small price to pay.
Having said all that, I'm genuinely interested in what studies might have been done to genuinely guage the effectiveness of the PR/review process. I've certainly worked on some (open source) projects where it clearly was a major drag on productivity, as very few people had approval rights (wherever I've worked professionally all devs have the same rights - single approval from any other dev is always sufficient).
There are few reasonable choices in programming. There are a lot of choices with tradeoffs, programmers certainly aren't omnipotent of tradeoffs. Peer review also isn't just about you and your code. A fair amount of the time it's a tool for democratizing knowledge or teaching in the same way that reading incidents occasionally is.
If your entire process is broken and toxic, pull requests aren't going to work for you, but that's not a problem with pull requests, that's a problem with your entire process being toxic and broken.
> You make a request... You've been waiting for almost an hour now.
1. Don't design your process so that waiting an hour to merge a pull request is going to be a problem as bad as waiting an hour to eat. Why are you waiting? Move on to the next thing. If it depends on the pending pull request, branch the pending pull request, and work on the new branch--if you have to integrate feedback you can rebase it into the new branch. Occasionally this will cause problems, but they're usually rare.
> Nobody takes a look at and you still need multiple approvals,
2. Choose a number of approvals that is appropriate for your team. If you're writing software where the consequences of a mistake are very high that might be a high number, but in most cases in my career, 1 has been a perfectly reasonable number of approvals. In some cases, 0 is the appropriate number of approvals.
> so you ping Barbara in charge of approvals to get the ball rolling, she says she will take a look after a meeting she is currently attending because she wants to be careful with what she approves.
3. Don't make one team member in charge of approvals--that's almost guaranteed to make that person a bottleneck. Anyone on the team with the knowledge to evaluate the code effectively should be able to approve it. I've been on one team where one guy was in charge of approvals and wasn't a bottleneck, which was because he did nothing but approvals. That worked great for everyone except him--his life was miserable until we scrapped that idea.
> Oh, Tom, her colleague asks you why don't you eat salad and orange juice, it's cheaper and faster. You have a quick call with Tom to explain why you want a coffee and donut.
4. If this sort of exchange is about personal preferences like what you eat or some stylistic nitpicking, then you have to have a team discussion about making sure that we prioritize code review feedback that's actually important and not bikeshedding. But in a lot of cases, Tom is asking because he legitimately doesn't know, and explaining your reasoning to Tom is part of your responsibility to help your teammate keep their understanding of the codebase up-to-date. This isn't wasted time, it's one of the benefits of code review.
> You arrive, by the time you land Barbara approved your breakfast, but now you are in a new country and circumstances changed, so you update your request. The earlier approvals are now invalid.
5. If different pull requests depend on each other or are touching the same areas of the code, ideally do them serially rather than working on them at the same time. If they really need to be worked on at the same time, then you need to communicate earlier in the process to be sure you aren't stepping on each other's toes, and it would make sense for the two people working on the same areas of code to review each other's pull requests. Not doing pull requests wouldn't fix this--this is just a challenge of multiple people changing the same codebase.
> Pull requests assume you cannot trust your colleagues to make reasonable choices
Sometimes reasonable choices are costly mistakes.
Even the best coders make mistakes, and unlike a mistake on what food to eat for breakfast, code mistakes can be very costly.
> and you also don't trust your automated tests to catch anything insane
Automated tests don't catch when your architecture is bad, or when there was a mistake in the specification, or when you've introduced a security vulnerability. Sometimes the mistake caught in code review is in the automated test.
> you have to gatekeep and slow down your team to make sure (?) that the code they commit is good.
Good code can always be better. I, for one, want people looking at my code to make it better. Obviously there are some tradeoffs here, and code review shouldn't be a massive bottleneck in your process. Done well, code reviews speed up your team: the earlier you catch mistakes the quicker they are to fix.
>If that's a good description of the relationships in your team
That's a good description of most teams, open or closed, private or public. Hierarchies are universal, for good reason. I'm not entirely sure what hippie commune David Farley programs in where Intern #15 can just merrily hit the big red nuke button and send everything into production
In open source projects pull requests are great because you don't trust people you don't know, in private companies you don't trust people because you know them. Hell I don't trust myself enough and I'm glad processes like this exist
Really? "Arch-enemies whose stated goal is to destroy each other and who are pointing world-ending nuclear arsenals at each other" is a good description of most teams?
It's just natural. In any sufficiently complex organization you have internal conflict and competition for resources, often conflicting goals and adversarial relationships that you have on the outside. Internal conflicts can ironically enough be more vicious than external conflict. Any successful company must have processes in place to function despite of that.
A successful tech company in particular can go from 5 to 500 people in just two years. How do you run on trust when 95% of people don't know each other?
You can hopefully trust your colleagues to make a best-effort attempt to fulfill the requirements they are given and e.g. not intentionally introduce bugs or security issues, but everyone makes mistakes, so your software development workflow should account for this - and code review catches at least some of these mistakes.
Why do you discount the ability of a bad commit to nuke your application? Should firefighters go into buildings without gear because it would show a lack of confidence in their abilities?
I think these days the emphasis has changed a bit from "required reviews" (more senior dev or peer signs off on code) to "request review" (developer __wants__ the review, because it's a good learning experience and a way to share responsibility for the code (and any problems it might cause down the line).
Anecdotal, but I feel like I see more teams where that "Merge" button is available to most people, but in general doesn't get pressed until the code has at least one review, whereas before it was often only accessible to a select few, or a review was required before it activated.
I got into a bit of a fight over whether or not "Merge" should be an option on one's own PRs. "Trust" suggests that a developer should be able to review their own code changes, especially for small/trivial things or "expert" level things that no one else feels qualified to review and just leave open for weeks/months instead of even trying to review it (in turn often making it harder to merge without conflicts).
There's a great value in "every change was peer reviewed by someone", of course. There's also a value in "not every change is significant and sometimes you can trust developers to know that".
You can possibly install the fear of accountability if a bug happens in code that the reviewer was the developer until they want that learning opportunity of a code review.
In my experience, most of the "expert-level" developers almost always would love any feedback anyone wanted to offer because their imposter syndrome tells them it is awful and not to sign off on it, but are also more likely to get blocked if their PRs don't move fast enough.
Yeah. I trust my team mates, but we use PR’s and approvals as a means of doing code review to make sure things don’t slip through and that everything has had multiple eyes. It’s not about trust, but improving quality, because we’re humans and humans miss things or make mistakes. It also provides a nice record of why changes were added, a place to link tickets/documentation, automaton hooks etc.
I love PR’s as a concept and tool. I also often use PR’s to merge changes on my personal projects even when I’m the only developer.
We need to get to the point that a lack of trust isn't some inherently bad thing. I don't trust myself to never make mistakes. A PR is a way to get others to add a layer of verification to help catch bugs. I don't even trust the PR to catch all bugs, but it is a cost effective for the amount of bugs it does catch. Why is this lack of trust a bad thing? Humans are imperfect, we should build systems that require verification because we cannot trust ourselves to never make a mistake.
Also, when you're working solo, PR's are just a great way to look at a bunch of changes before you smoosh everything together because even with a full history it's sometimes tricky unpicking everything.
I believe in this context, PRs refers to a process in a team about steps to check code that goes into trunk, not to the tools that were developed to do the task.
Just a small note: "trust but verify" is not a reasonable statement, and it was also unreasonable in its original context, which I encourage anyone to research.
Everybody introduces bugs, and for a lot of classes of bugs the best way to prevent them is manual code reviews. Not everything can be easily caught by CI and tools.
"If you can't trust your team mates to make changes carefully..." Buddy I don't trust myself to make changes carefully
The way I'd put this is: writing code and reviewing code are - not two different skillsets maybe, but - two different headspaces. Code review is a kind of "technical QA", and indeed I am pretty sure that you see the same basic practice in factory work (where we get the concept of "QA" from).
In OSS, after merging a PR, generally you can't get back at the author and make them do a follow-up change, because they are volunteers. A certain degree of gatekeeping is necessary. In a company however, you absolutely can just assign such a task to the author or someone else. That means it's possible to integrate changes into the main branch faster, which is very beneficial.
I've seen teams that try to mimic OSS development and only merge absolutely perfect PRs, dragging out long-living branches and integration. At some point the perfectness can't keep up with the plan, huge PRs are suddenly reviewed hastily, and the end result is worse and slower.
Bottomline: PRs can be used slightly differently in companies to improve speed and reduce overhead.
I'm specifically talking about small (or reasonable) tasks that get blown up in the PR phase because of perfectionist reviewers.
Requesting for example a big architectural change in a pull request is not a good idea IMO. Ideally it should have happened in the design phase, but overspecifying everything is not the solution. Now, in a company, a request for a bigger change can simply be mentioned in the PR, and the tasks can then be created and assigned as follow ups.
This is usually not possible in OSS; the author of the PR might agree to the necessary changes but later not do them for whatever reason, and there might be no other volunteers to "clean up". Therefore it does makes sense to gatekeep and drag out some PRs in OSS.
Also if the team is mature enough, the PR can be reviewed after the merge, so the necessary changes can be made with the current code already integrated and already running in production. The downside for this is that the team needs to have some discipline to review the already merged PRs and the developers needs to be disciplined to organize your time to make the fixes after the PR merged.
Pull requests enforce coding conventions. The simple fact that someone is going to look at the code you're contributing is enough of an impetus to write better code. Prevents us from self rationalizing lazy decisions and the like. IMO that is really the idea, to mimic that extra level of care that is taken like when submitting to an open source project.
> "Pull requests were invented to gatekeep access to open-source projects. In open source, it's very common that not everyone is given free access to changing the code, so contributors will issue a pull request so that a trusted person can then approve the change.
> "I think this is really bad way to organise a development team.
> "If you can't trust your team mates to make changes carefully, then your version control system is not going to fix that for you."
Man, I don't trust myself to be perfect. I trust myself to be careful but no amount of care makes me infallible. I make mistakes. And if we can catch my mistakes early by getting a second set of eyes on them, they're less painful for everyone to fix. When someone spends their valuable time catching my mistakes, they're doing me a favor.
Distrust might be part of the origin of pull requests, but that doesn't have to be the reason why your team uses pull requests. It can be about catching each others mistakes to learn, create a better product, and get better rewards. The tool is yours to use how you see fit--don't let ego prevent you from making it useful.
With all the precautions the author takes, he ends up with a weird take:
> If you take away the appeal to trust, though, there isn't much left of the argument. What remains is essentially: Pull requests were invented to solve a particular problem in open-source development. Internal software development is not open source. Pull requests are bad for internal software development.
The specific point he tries to reword exists to explain that not everyone needs as much trust than open-source, and, therefore, that not having PR isn't a fatal flaw outside of open-source. The people who use it do so within a discourse along with other points explaining what they gain from forgoing PRs (usually, better continuous integration).
I don't buy the whole discourse about not using PRs, but I'm also not sold on the idea of dismantling a coherent discourse into separate talking points and demanding that they should stand separately. I'm also not a fan of rewording someone else's point and slipping a big non-sequitur in that rewording.
It seems like we are reaching the same conclusions as Dave Farley on our development team. We have pivoted to just let everyone merge in their stuff and do "reviews" retroactively when we stumble upon code not up to the standard we set.
The reasoning behind this is exactly that we trust individuals on the team to merge. and because reviewing in the traditional sense seems to be a formalisation of distrust: Something you do when you don't trust your peers to implement and put in production properly tested code.
I would certainly fail my SOC2 audits if I told the auditor that anyone on the team can merge in any unreviewed change and that gets pushed to production, but not to worry be cause we'll catch any issues eventually.
I trust my peers, but we all make mistakes and we do code reviews because we understand that working together can catch issues sooner. We aren't overly picky or mean during code reviews, but we make sure there aren't any glaring issues, and if there are, we talk about them and work together to fix them.
I don't really have any opinion about PRs versus trunk-based development, but I do have a small insight that I think is useful when you're thinking about which one to choose. The main advantage of trunk-based dev is speed. You don't have to wait for a review of work. You're trusting the team to merge things that won't break stuff. That's awesome, but if that's the case then you should also be able to trust them to review PRs quickly enough that they don't block work. Equally the converse is true - if you can trust your team is motivated enough to review PRs quickly they you can probably trust them to do work together well enough not to really need PRs.
If you can trust the team with one and not the other then something is wrong. There shouldn't be any "this way is better than this other way" argument. Your team should be capable of doing both. If it isn't then neither will work very well. You're going to have problems, conflicts, bugs, etc no matter what you do.
Believing that the team should stop PRs because they're too slow, or they should stop trunk-based dev because pairing takes too much effort, are both red flags. They're both saying that the team has a problem to address.
> First, it includes an appeal to trust, which is a line of reasoning with which I don't agree. You can't trust your colleagues, just like you can't trust yourself. A code review serves more purposes than keeping malicious actors out of the code base. It also helps catch mistakes, security issues, or misunderstandings. It can also improve shared understanding of common goals and standards. Yes, this is also possible with other means, such as pair or ensemble programming, but from that, it doesn't follow that code reviews can't do that. They can. I've lived that dream.
I think that the other counter-argument discussed in the article can't confute Farley because, contrary to the author's stated intentions, it is in fact a straw man. The author focuses on the benefits of "asynchronous" workflows over "synchronous" ones: i.e., in his words, reviewing pull requests is easier (for an introvert like himself, at least) than dealing with the social stress involved in pair/ensemble programming.
Isn't there a bit of an elephant at the other end of the room?
PR are not only about placing a bouncer at the club door to, figuratively speaking, check entering members for excessive drunkenness, they are about placing a bouncer at the door to give access to a wider group.
This is quite obvious in open source, where the PR model has been a revolution in terms of lowering barriers of entry. You can join the party without asking for the keys. But similar barriers exist in companies. When they don't exits on the technical level (they usually do, sometimes to the point where collaborating teams wouldn't even know what version control the other side is using), they exist on the social level and a model like PR/MR can help nudge both towards the "internal open source" mindset.
The original purpose of PR was to accept patches from outsiders (people without write access to the project repository), as an alternative to sending patches to the project mailing list. In open-source development if there is a core team with write access to the project repository, i would be surprised if all patches from members of the core team were merged through PR process.
I think we have GH set up so we can make direct pushes to even main, we just agreed to do PRs because frankly I don’t even trust myself to do everything right and optimal. PRs are nice for reviews, but also for testing and discussion, sometimes just to share something you are not sure if it is the best. It’s just a way to present changes to people just trust (or don’t) and to have a place for discussion.
That’s how we treat PRs anyway. Occasionally I or a colleague indeed accepts their own PR (or use direct pushing) if it’s really minor (think a doc string) and need to get something out. So PRs are not just for envs without trust.
A pull request is when one maintainer asks another to merge branches.
If you’re interpreting this through the lens of a single main/master/trunk and multiple branches, then like both Farley and the author, you’re trying to interpret a foreign culture (distributed version control) through a parochial lens (single trunk-multiple branch).
The DVCS world is one of many sources of truth. For example, in the kernel community, Red Hat, Google, Debian, Android, etc. all have their own branches. Linus has a particularly popular branch. None of them are the main branch.
IMHO PR/MRs mainly make sense specifically because git sucks for multiple people working on the same branch, so it makes more sense to split even small work items off into a separate branch.
And as an UI workflows which 'formalises' the discussion that needs to happen around a merge anyway they are quite nice.
(e.g. without PRs you still need to talk about "hey, I'm going to do this thing" => "hey this thing is ready" => "ok, let's merge this thing")
It frustrates me the one size fits all approach often taken to software development best practices.
If no one is to review the code, then all code is either written by pairing/mobbing, or else it is the product of one persons thinking, blindspots, biases and all. It's great if you work in a team that pairs in everything, does trunk based development etc; that doesn't make it suitable for every team.
We use pull requests to spin out ephemeral environments and test the changes before merging to trunk.
All merges to main is deployed across environments so pull requests help us get faster feedback if something fails.
I think pull requests get a bad rep because it is thought as a review process. We see them as short lived branches. They actually improve code quality and unwanted commits even without manual review/approval.
It's fine to allow some senior engineers to merge a pull request without going through CI and/or code review, but the discipline the PR process introduces is highly desirable, whether working on open-source or not. It's not a question of trust, it's a question of avoiding unchallenged assumptions and blind spots.
It's a "pull request" because you're asking someone to pull a commit from your branch/repo into theirs. You're quite literally making a request.
This actual change could be anything. You could just as well provide them as a patch they could apply by hand. The only formal aspects of the process, e.g. reviews and tests, are organizational. As an organization the acceptance of a pull request doesn't need a bunch of reviews and tests associated.
Originally, "pull request" was exactly what name implied, someone asked you to pull from their repository. The original Git collaboration model was that, you pulling changes from other repos and integrating them in your own, vs handing merge request.
Github co-opted the term to mean exact opposite, accepting essentially push from different repo.
I couldn't agree more. When the PR is approved then the button to complete the PR in Github is (drum-roll please) MERGE. And who is doing the merge? Me. Gitlab calls it merge request.
"then your version control system is not going to fix that for you."
Uh... Pull requests are not a version control workflow - it's a human workflow. It's also a way for the team to actually LOOK at the code that is going in and to be aware of what changes are incoming.
I mean, that's just one point, there are so many ways in which this view is fatally flawed, I am not even going to... ugh.
I know this is not trolling, but this is so scandalous, it comes across that way. This is beyond a "hot take".
Torvalds in one famous Google presentation he talked about the "circle of trust"
in relation of how we all should handle sharing code as in: "Is my repo and I accept code from a selective group of trusted individuals"
In the corporate world is more like Seinfield's Soup Nazi skit.
We are all working towards AI accepting or rejecting code changes. Humans have egos and their idiosyncratic bias/baggage get in the way of adopting or rejecting code changes in an objective manner. Githook 50/72 rule anyone?
Up to about 10 years ago I used to work on projects where up to 100 people (of those about 20 coders, the rest artists and designers) committed directly into the main branch without a formal review process, and it was ok (this was with SVN though).
Code review happened informally "after the fact", usually as the first thing in the morning when updating (each person simply looked through the changes of other people in the part of the project they felt responsible for - usually those changes were no surprises because people talked to each other before doing this).
"Post-commit" breakage was surprisingly rare, and when it happened it was quickly fixed. One just was a bit more careful checking for errors before committing changes.
I cannot imagine how this scenario could work with git though.
> I cannot imagine how this scenario could work with git though.
I cannot image how this scenario could not work with Git†. Maybe I’m missing something important about Subversion, but it’s also just plain old version control. Nothing fancy like Darcs.
†: Granted, there is a (theoretical) point where the frequency of pushes becomes so high you can no longer reasonably work on a single branch.
A possible reason is that it won't happen in git, simply because separate branches aren't sufficiently painful to motivate sharing that single hot mess HEAD. I used to work in a team where it felt like I was the only person who ever thought about these things and it was quite impressive how the switch from SVN to git completely flipped the path of (supposedly) least resistance: from separate branches only as a last ditch option for the most desperate situations to happy unbounded parallelism right until the (supposed) delivery day.
The big difference between SVN and Git is that SVN is centralized (a single linear history is enforced at all times for everyone) and Git is distributed (each user has its own local history).
Both models have advantages and disadvantages, but for many people working on the same branch the centralized model is arguably better.
(in the end, both Github and Gitlab workflows mainly try to put more 'centralization' back into git)
Most corporate git workflows using git are also centralized : the team has one upstream, and people's local repos function as mere clients to check out the upstream. Few teams pull from each other's repos.
If you don't branch and directly push what you commit, there's little difference between SVN and Git.
IMHO what makes it harder in git (for many people committing into the same branch) is that each team member has its own local history which needs to be synchronised via push and fetch (which quickly gets out of control for 'non-technical' team members). This separate step doesn't exist in centralized version control systems like SVN where everybody is always on the same timeline.
Working exclusively on branches and then merging into a common main branch pretty much fixes this problem though (that's why the PR workflow make a lot more sense in git than svn).
> I cannot imagine how this scenario could work with git though.
exactly the same as with SVN ? The one feature I could see it lacking is ability to lock file in SVN but otherwise "single master repo" work on SVN and Git is very similar
I’ve yet to try reviewing code locally, instead of in a browser. Does anyone here had a good experience of how to review code outside of the traditional browser based tools?
This topic reminds of something Joel Spolsky told me about Stack Exchange, in the context of social networks. Giving users the ability quote text when replying is something they really wanted to avoid because it causes arguments to devolve into semantics — far more so than if people had to write out responses in full. A tool like quote-replying shapes (and deforms) our ability to have productive debate.
The unit of change in software is a patch and yet most of us use completely different tools for writing patches, reading our own patches, and reading other peoples (IDE/editor, git diff/show, and GitHub/Lab respectively.)
I like the change of context that web based patch review gives me. I often find bugs or untidiness when looking at my own changes in a browser. When working with others, I’ve found the best code review to be about collaboration and sharing of ideas and responsibility, picking out unseen errors, adding overlooked refinements, giving advice, and improving the team’s bus factor.
If we’re supposed to be playing co-op instead of death-match, shouldn’t we all be in the same level?
This guy (not the post author, but Dave Farley, the guy who wrote the above excerpt) has never heard of "trust but verify".
PR is about verifying, having another set of eyes for anythine the original dev might have missed, giving an opinion before something on a branch goes into permanent git history, and so on.
This is completely orthogonal with whether you trust your team members or not. Besides "blind trust" is not the only form of trust.