tmoertel 1 day ago

> I know I'm right on this and it appears as though the only people who disagree with me are the same people who don't write tests (and have a lot of bugs).

For the record, I write lots of tests, and don't have bugs. I even wrote a testing framework. Nobody is arguing that writing tests is dumb. The pushback is on your insistence that writing tests is all you need:

> All the negativity (downvotes) has come from people who are trying to argue that writing tests doesn't solve the problem of bugs.

Writing tests doesn't solve the problem of security bugs. Writing tests doesn't solve the problem of concurrency bugs. Writing tests to prove your code is bug free in those cases is expensive and error prone.

People who care about these things know to go beyond testing when testing isn't enough. That's why things like model checkers exist.

Nobody is arguing that tests are dumb. The argument is that if writing tests is all you're doing to get the bugs out of your code, you probably aren't very effective at preventing certain classes of problems.

For instance: Show me the tests you'd write to prove your software doesn't have XSS vulnerabilities.

1
latchkey 1 day ago

> Show me the tests you'd write to prove your software doesn't have XSS vulnerabilities.

I'd have tests around the code that renders 3rd party user input and integration tests for the display of the data.

I've built some of the most heavily trafficked websites on the planet (porn), with user input (comments) and have never had an XSS issue.

tmoertel 1 day ago

Show me the tests.

If you can't show me the tests you'd use to prove you don't have XSS problems, it's hard to believe that your tests are effective at preventing XSS problems.

> I've built some of the most heavily trafficked websites on the planet (porn), with user input (comments) and have never had an XSS issue.

Right, because the gold standard for proof in the security field is "we never had [read: noticed] an issue."

latchkey 1 day ago

It was code written in 2009 and private, not open source and I of course didn't take it with me when I left the company. I ran it for 4 years and we never had a single security incident. We took it very seriously. Partly because our code (in Java) was a rewrite from some really buggy PHP, that did in fact have a bunch of holes in it (and no testing).

You're also being absurd. We started this talking about golang testing and it has somehow gone off the rails to me having to prove things to you about XSS? Come on, what is with the hostility? Is this how you treated people while working at Google?

tmoertel 1 day ago

I'm only asking you to show me how you'd write tests to detect XSS (or concurrency) problems. In Go or the language of your choice. You've claimed that writing tests as all you need. I'm asking you to show how it's done. Just in general. No need to share actual code you've written in the past.