90/10 rule of project management

The biggest thing that annoys me about software development is how projects really drag out near the end. It feels like you get so much done at the start, then progress really grinds to a halt. So early on, you think you are way ahead of schedule, then all of a sudden you feel like you are behind. Even when you get an extension, no matter how little is left, it seems to drag to take the allotted time.

I do think I am terrible for dragging tasks out. It’s easy to look at the time and think “ah it is 3pm, may as well keep testing this rather than moving onto the next task”.

As well as Parkinson’s Law, I was reading that there is what is known as the “90/10 rule of project management”. This is where the first 90% is completed in 10% of the time, but the last 10% takes 90% of the time. So it seems it’s not just me that thinks this is a phenomenon.

So let’s think why this is:

Putting off the unknown until the end

To maintain progress, it is much more tempting to pick up the work with the clearest requirements, and leave the uncertain ones to the end. Even when there is a Product Owner prioritising the work, they are often swayed by the Developer’s opinion. Also, there can be potential work you uncover when looking at what the code currently does and you think “I’ll investigate that later”. When you eventually get around to it, it turns out to be a “can of worms”.

Last-minute changes:

No matter how much you plan, there will usually be some last-minute changes since the customer can change their mind. With “scope-creep”, that last batch of work has become larger. In a similar fashion, you could be implementing a feature but then discover there’s other features that need changing to be compatible – so over time, more requirements are discovered.

“Resources”:

Over time, other projects or bug fixes suddenly increase in priority and you can find yourself with (at least temporarily) fewer team members. I also find that people may delay their annual leave during the time when they feel most excited about the project, then when it starts to drag, they then take it. Managers can also think “ah, that project is nearly finished, we can take a developer away and put them on a new project”.

Lines of code

If you imagine starting a new project from scratch, and think of a fairly straightforward feature like a dialog with several text boxes. You can quickly code the UI and the server code to save the data to the database. But then when you come to test it, you realise that resizing the dialog doesn’t scale. So you make a few tweaks. What about users that only use the keyboard? So you add the tab order, some accelerator keys etc. What about invalid data entry? So you add some extra checks and appropriate error messages. Ok, what about automated tests, so you do some refactoring and add some tests. The manual testers find a bug that a certain scenario doesn’t work. So with this example, it is easy to understand that the dialog can be 90% complete really quickly, but that extra 10% to perfect it took a long time, and maybe some delays occurred communicating back and forth with the Testers and Product Owner in order to finalise the work.

But we can take this explanation further.

A few weeks later, you need to add a feature that interacts with this code. You might need to re-familiarise yourself with the code, re-reading several files, and your changes need to not break any existing feature. Now imagine this kind of sequence happening over many months. The codebase increases in size and complexity, and the constant refactoring might mean that files you remember with a certain name have now drastically changed, moved or been deleted. Development is far slower now for most features, and even bug fixes could involve stepping through more lines of code in order to diagnose and fix. So I’d say productivity drops proportional to the size of the codebase.

Acting like computer game characters

Conner Mather

Conner pretends to be a NPC (Non Playable Character) from a computer game. His rigid walking and limited gestures and speech are hilarious. His content is mainly under 1 minute long to qualify as a Youtube short.

Kommander Karl

I recently discovered Kommander Karl. He mainly does gun reload videos. He pretends household objects are guns in first-person-shooter computer games, and reloads them, often with the help of some great video editing and fancy effects. Here are some of my favourites so far:

Gun

Ragdolls

Game Glitches

NPC

Office tour, but it’s an adventure game

Learning Unity

Several years ago, I tried learning Unity (games development) but it took a long time to pick up the basics. I’ve been meaning to give it another go, and when Code Monkey (a Youtuber I did subscribe to) announced he was making a 10 hour free course, I thought it’s the perfect time to jump in.

Following along, rewatching and experimenting with what I was learning took ages. I ended up dedicating many weekends and a couple of hours each day to complete it.

It’s a basic Overcooked-style game. If you want to make it, you do need to sign-up to Code Monkey’s website https://unitycodemonkey.com/kitchenchaoscourse.php to download the assets (graphics and a bit of audio).

If you want to play it, you can get it on Steam for free. https://store.steampowered.com/app/2275820/Kitchen_Chaos__Learn_Game_Development/

A few days ago, Code Monkey released part 2 of his free course! This time he adds multiplayer. I haven’t watched that one, but have added it to my Watch List.

I have: many Youtube videos; websites; books from Humble Bundle to go through, so I’ll keep at it.

How Everything We’re Told About Website Identity Assurance is Wrong

Troy Hunt, the cyber security expert, has a great blog on website certificates (DV/EV) which is worth a read:

https://www.troyhunt.com/how-everything-were-told-about-website-identity-assurance-is-wrong/

The TLDR is as follows:

He discusses false advertising in regards to extended validation (EV) certificates. Websites which had it used to show the green URL bar, but now browsers don’t do this.

Now you are supposed to click the padlock icon and inspect the details, but different browsers show different things.

If it shows the name of the company that issued the certificate, how do you know you should trust them?

“EV only works if people change their behaviour in its absence and clearly, that just doesn’t happen”
Troy Hunt

People now use mobile devices to browse the internet, and the security information is even more hidden in the browser. On iOS, you have to download a separate app!

Even “website checkers” are misleading.

A site seal is just an image, and therefore can be spoofed. Troy has registered digicert-secured.com to troll DigiCert and is still up a year later. It has a nice picture of a seal (animal).

Example of a bad project led by a Principal Developer

Intro

One problem we often talk about at work, is that software projects are sent to be Code Reviewed a month before release, and they often get torn apart. This is because many people at the company don’t seem to like doing code reviews, or aren’t good at critiquing code.

As the project goes along, each check-in requires review but the review is done within the team. When the project is complete, and needs to be merged into the Release branch, the review is done by people outside the team (by people of higher skill, or by people who review under more scrutiny).

It’s still strange when the project is led by a senior, but is then torn apart at the final Code Review stage. Or in this case, that I am covering today – Gerald, a Principal Developer; someone who you would consider an “expert”. 114 comments were left on this particular project.

Some comments were coding standard violations (but given the Principal has several years experience working here, it was hard to believe he overlooked them), general bad formatting, code comments left in code, loads of mutable classes (bad design, but often very easy to fix), then a few classes spamming the error log (we have a separate problem which another development team are trying to fix – about monitoring storage too high, mainly down to excessive/unnecessary logging)

Problems

Excessive Logging

Me
Is this creating 6 log entries per call?

Gerald 
Yes , maybe even 7, but that's if the config value is set to debug. We have turned off by default

Sean
How do you change the logging level? Do you need a new release to change it? What is your plan for changing it?

Me
shouldn't it just create 1 row with all the information in?

A single entry would be good, I point out it is excessively adding 6 rows per call, and he is like “no! you are wrong, it is worse than that!”

In another part of the code, Sean flags up the same problem. Weirdly, he then agrees it is a very bad thing to do, and his tone sounds like it is an obvious thing. Wasn’t he leading the team? why didn’t he notice the problem during the months he was working on it?

Sean 
Won't this write a lot of entries to the Error Logs?
We are actively trying to stop that

Gerald 
the audit logger can be turned off.
I agree here though we could not write to monitoring if there's no records

Sean 
There's an ongoing project to stop that amount of unnecessary, unused and ignored things to the error logs.

Gerald 
Agreed. especially from the client. because that clogs up networks - a lot worse than this.

Does the code work?

//Would this work? Or how do we get the organisation ID?

He left this code comment in the code he sent to review. If the comment is doubting that it works, what confidence do I have? Instead of writing any words, I send a simple emoji. 👀

Gerald 
Not sure what this comment means, could you please elaborate

Sean 
Might be the fact that there's a question in the code asking if it works or not.
What a cliff-hanger.... Well does it? 😄

Gerald 
I'll remove the comment. Thanks for clarifying Sean.

Gerald 
Removed the comment. I think the team was not aware that we can get the organisationid from the usercontext.

Why did it need clarifying? Did he even read the line I commented on? why do we need to explain that a comment like that shouldn’t be in code we send to production?

YAGNI

There’s a software development principal known as YAGNI: You Ain’t Gonna Need It. It’s about only writing features you know you need. If you write features that aren’t used, any code changes you make need to support this feature. It’s a maintainability problem. There were actually a few instances of this in his project, although it was a case of maintaining obsolete code.

Changing obsolete code just in case it is used, but yet it wasn’t tested because it wasn’t used…

Sean 
This looks like dead code...

Gerald 
Yes on the off chance it was used, we now redirect to the new stored procedure

Sean 
How did you test it?

Gerald 
We spoke to the other team and they said it wasn't used, so no testing required. I am sure.

Sean 
So you leave it in case it is used, but don't test it because it isn't?

Gerald 
Yes sort of. In case this was ever resurrected the change was there for them to use

Sean 
It won't be

Not knowing which server runs his code

I also found it odd that he thought some of the code was run on the Scheduler, when in fact the Scheduler never has much logic; its role is to send “jobs” to the Application Servers to process them. Therefore, the code his team wrote is executed on the application server…

Sean
There must be a better way than making a Remoting Call to get this information!

Gerald
We're stuck here. The enablement is on the Application Server. The scheduler service is running this, and we don't want to make direct DB calls.

Sean
No it isn't. This code is running on an Application Server

I was playing around with it

case when (BeforeXml is null and datalength(BeforeXml) = 5)

This code is always false. It cannot be null (empty) and also be 5 characters.

Gerald : Good spot I will make this change now. I was playing around with it

The Major Incident

After the project went out, the release got “Red Flagged” which means we have to produce an urgent fix, and the release is halted from the rollout.

“Please can we red flag the current release. Unfortunately the database Schema Patch 8037 altering the Audit table filled up TempDB (60gb+) resulting in the database server Failing over.”

The change he made seemed very rushed. From the Principal Developer’s own words, he said that managers were demanding the change as quickly as possible. He should know better from his experience. Which is better: a delayed but correct fix, or a rushed broken one which would cause yet another red flag?

His new, rushed fix was inefficient, mainly from not understanding LINQ-to-SQL. There were also some database changes which the logic was wrong, and there was a typo in the SQL script which would have caused it to fail.

If it doesn’t work, it’s not gonna get past testing, and won’t release on time anyway, so what is the point rushing it?

Sean: This can't be very efficient…

Gerald: Might need an index on that, but it's linq to sql - a mind of its own. i can try profiling this, but seems pressured to get this in

Sean:
And if you slow down the saving of new records, you will find even more pressure to get a fix out
Also, Linq-SQL doen't have a mind of its own…

Additionally, a tester had a look at his changes and pointed out yet another error in his new database patch. If Gerald had run his changes through the database tool we have, it would have flagged the error. Absolutely embarrassing. But that’s what you get for rushing.

4 Year Special: Derek

It’s been 4 years since I started writing this blog! how time flies.

The original inspiration for the blog was to tell stories about my incompetent colleague Derek. However, he left shortly after I started writing – so I didn’t end up writing many blogs about him.

After going through some old chat logs I found, I have dug up some extra stories, code snippets, and quotes.

“There’s a lot of duplication here, surprisingly. Functionally it is probably quite a big bag of spanners”
Derek

Hypocrite

When I first started working with Derek, I was telling my manager about the things he was doing and saying. My manager asked me how he is getting on to see if I had more stories to tell.

Matt:
How is Derek getting on?

Me 10:36:
on holiday, but he has spent a week or so sorting out some buttons. He has assigned two items to himself. 

So he complained that the User Stories were too big, so we have split them up a bit more. Yet he then assigns 2.

He hasn't sorted out all my comments I made on his last fix.

After Derek was making excuses that he wasn’t productive due to the size of our planned work, we split it into smaller chunks for his benefit. He then picks up multiple chunks in addition to also needing to rework his previous work. It seems we didn’t need to split the work up at all.

Redefining a boolean

bool hasSelectedReports = SelectedReports.Count != 1; 
bool noReportSelected = SelectedReports.Count == 0;

A boolean or “bool” for short represents true or false. Since there are two states, if you created a variable called “hasSelectedReports” you can invert it using the ! (not) operator, so saying !hasSelectedReports reads as “has no selected reports”. Derek decided to create a variable for the inverse, but then he got the logic wrong: If Count is 0, both hasSelectedReports and noReportSelected are true!

“I’m working from home today. Sorry I haven’t emailed sooner, I had some problems initially remoting in as my computer at work had a dicky fit.”
Derek

Pointless Conversion and check

return !String.IsNullOrEmpty(ConceptId.ToString()) ? ConceptId.ToString() : null;

ConceptId is defined as a long ,which is a number. It can represent any whole number between -9,223,372,036,854,775,808 to 9,223,372,036,854,775,807. It cannot be null/empty. By default it will be 0. Here, Derek converts the number to text (string) so he can take advantage of the IsNullOrEmpty method. If it is somehow null, we will return null… apart from if ConceptId was somehow null, calling ToString on it would crash.

If he really did want the text presentation of the number, this code should simply be

return ConceptId.ToString();

Pointless Conversion and check: part 2

if (!String.IsNullOrEmpty(conceptId.ToString()))
{
   	_conceptIdInt64 = Convert.ToInt64(conceptId);
}

Again, Derek decides to convert the number to a string so he can check it isn’t null. It is always true, so then goes into the code block. He then converts the long to an Int64. A long IS an Int64. It’s just an alias for it. So the code is completely pointless, other than assigning a simple variable.

“I may have taken too much artistic licence”
Derek

If at first you don’t succeed, try again

public Entity GetEntityFromConceptId(long conceptId)
{
  	return 
  	  	(EntityFinder.TryGetEntityFromId(conceptId)) != null 
  	  	? 
  	  	EntityFinder.TryGetEntityFromId(conceptId) 
  	  	: 
  	  	null;
}

When methods are named “Try”, it means that it might not be successful and can return “null”. In this case, TryGetEntityFromId returns null if you pass in a conceptId that doesn’t exist. So you should check for null, and do something different, maybe display an error message to the user. Although Derek decides to simply try again. Why would it work the second time?

(frustrated tone) I’ve spent 5 days on the same work item
Derek after 13 days trying to implement a simple feature. For the previous 3 days, during the daily stand-up meetings, he was saying he is “nearly finished and it’s pretty much ready to check in”

Conclusion

As you can tell from these stories, Derek made some bizarre choices and generally seemed deluded. There were times where I thought he had to be trolling, because there is no way you would write so much redundant code. I understand you can have bad days and have the occasional moments of madness, but it was a daily occurrence with Derek. For more stories about Derek, click the Derek tag.

Women In Tech: Software Developer Transition To Manager

Many years ago, I was listening to a podcast where a group of women were talking about their experiences in Software Development. I think Person A had started their own company so now didn’t do much development because they were now the CEO. Person B had switched to teaching software development and was going to take up a role as a “Developer Advocate” which I think is kind of a teaching role; making tutorials and promoting via social media. Then Person C seemed happy being a software developer.

In other blogs, I’ve briefly mentioned my observations with women in software development. I find there’s a much higher percentage of women that will desire to go into management, whereas many men seem to love the idea of a career constantly coding.

I’ve followed a few of the women from the podcast, intrigued where their careers would go. Person A and B are still CEO and Developer Advocate, respectively. Person C, who was happy being a software developer had apparently got their dream job at a big tech company early 2021.

“I’m so lucky I get to do something I love for a living”

Neary a year later, they announce they are taking a year out due to maternity. A few months later, they state how being a new mother has given them new inspiration as a software developer. I wasn’t sure if she had been coding in her free time, or was just posting for attention.

She claimed that she could:

“tap into new-found inspiration and creativity”
“think about more nuanced edge cases”
“Be more efficient”
“better at asking for help”
“better at asking the right questions”

The justification was that you have extra accountability, have to maximise how you spend time/money, ask for assistance when you struggle to support your child. It was quite tenuous and when people asked her to elaborate on how it really helps coding, she just accused them of “toxic masculinity”.

Only 2 months later, she announces that she applied to switch roles to become an Engineering Manager. Wait, what!? What happened to all that boasting about securing her dream role at her dream company? What about this new-found inspiration to be a better developer?

How can that mentality shift in such a short space of time?

“I kinda just fell out of love with coding”

People often say that social media gives people a skewed perception of people’s realities, because it is a filtered view: people only post the good stuff, and sometimes even modify the photos. If someone goes on holiday, you see the beautiful sunny beach, and the exciting scuba diving session. You don’t hear about the argument they had with their partner, or how they were bedridden with illness on the other days.

So was she lying about her love for coding? Were the development teams at this company not well suited to her mindset or ability?

When she did return from maternity leave, she then said he loved being a manager “way more than I liked being a software developer.”

I do find it odd that her mentality has always seemed to be focussed on promoting women in tech, and calling out “bro culture”, but then she has ditched being a developer and followed the stereotype of being a manager instead.

Password Discussion

In a previous blog, I wrote about some routine training courses we need to do each year. I briefly discussed some security questions but there is one example I forgot to add. One course we did, my manager was raging that he got one of the questions “wrong” and he seemed more annoyed that he knew this course was one that NHS staff must also do. He Googled the question to see if anyone was complaining, and he found a post on stack exchange.

The question is as follows

Which of the following would make the most secure password? Select one:

a. 6 letters including lower and upper case.
b. 10 letters a mixture of upper and lower case.
c. 7 characters that include a mixture of numbers, letters and special characters.
d. 10 letters all uppercase.
e. 5 letters all in lowercase.

The answer we went with is B, because it’s the answer that contains the most characters, and as a bonus, has a mix of upper and lowercase.

However, this is apparently wrong, and we should have chosen C.

The Stack Exchange user, Robin Winslow, then referred to the famous XKCD comic, which illustrates what is now commonly thought of as the best type of password.

The key thing is that a password is useless if the person cannot remember their own password, and forcing complexity at the expense of this fact means the person is then most likely going to write it down. Additionally, forcing certain types of characters into the password also makes it more predictable.

If you ask me to choose a password, I may choose a memorable word, eg “programming“.

If you tell me I cannot have that because it needs to have an uppercase letter. I could add another character, or choose a random existing character to be uppercase, but that makes it hard to remember, so I am gonna choose “Programming“.

Then if you tell me it needs to have a number. Again, I could add a number somewhere in there, or substitute a letter, but that can be hard to remember, so I am going to put it on the end. There could be a significant number to me, or I can just choose the number 1 and put it at the end, because that is easy to remember, or easy for me to guess that I did that. So now it is “Programming1“.

Exactly the same thing happens if you tell me it has to be a special character. Probably end up choosing “Programming!1“. It has more characters than my initial password of “Programming” but it’s at the expense of memorability.

Another aspect to consider is password expiry. At work, we used to have to change our passwords every three months, but now it’s currently six months. However, what’s my next password going to be? Probably “Programming!2”. So if the aim is to stop people accessing the system if they somehow got my old password, they still will get in because they can just guess the new one.

I wasn’t sure what the rationale was to change the expiry from 3 to 6 months because if you think it’s not a great feature, then you would just outright remove it. When the Head of Security started working for us, the first thing I saw him do was walk away from his laptop without locking it – so maybe that illustrates how good his skills are.

Troy Hunt points out that Microsoft’s latest policy is to not use expiry at all.

I love that part of the Microsoft Security Score for Identity in Azure improves your score if you *don't* enforce password rotation, what a sign of the times! Who out there still works somewhere that forces rotation (because "reasons")? pic.twitter.com/a2yQQvNRpa
— Troy Hunt (@troyhunt) October 6, 2022

Research has found that when periodic password resets are enforced, passwords become less secure. Users tend to pick a weaker password and vary it slightly for each reset. If a user creates a strong password (long, complex and without any pragmatic words present) it should remain just as strong in the future as it is today. It is Microsoft’s official security position to not expire passwords periodically without a specific reason, and recommends that cloud-only tenants set the password policy to never expire
Microsoft Azure

Troy makes some follow-up points

Geez there’s some debate about this one! Mostly support but also some misunderstanding so let’s fill some gaps: Firstly, password managers don’t solve this problem, not when you’re talking about the credentials to logon to your PC. That’s a rare case where you need to type it…

…unless you’ve gone passwordless via security keys, biometrics etc. Clearly this negates the need to use the password with such frequency thus reducing the opportunity for compromise. There may still be a password (e.g., fallback from biometrics), but exposure is much less.

The argument of “well what if the password is exposed a year later” could just as easily be “well what if it’s exposed a month later” when there is a 90 day rotation cycle. Different windows of risk, so why not make the cycle a week? Because it’s painful…

…plus, the solution is the same: MFA. The usefulness of a password alone for AD login has dramatically reduced with the mass adoption of multi factor. Mandate it on your AD tenant and the value of rotation dramatically reduces.
Troy Hunt

Also, there are always ways around policies for those more-determined users

I used to be at a company that did that. Someone quickly came up with a script that changed the password ten times in a row and set it back to the original (last ten passwords were not allowed).
Kerry W. Lothrop (https://twitter.com/troyhunt/status/1578149402304094208?s=20&t=Uk9uhXXLK2vPj2EA_pE4uw)

I’m not sure I 100% agree on the “well what if the password is exposed a year later” point. Expiry does remedy that in some cases but no expiry will always leave you vulnerable. You are relying on knowing there has been a breach.

Troy Hunt has discussed that the best security involves a mixture of methods. It generally comes down to

Something you know
Something you have
Something you are

Aaron Toponce did recently post on Twitter about this, but his account has since been deleted. This is why dumping things into OneNote is useful. Troy Hunt has also discussed this idea many times.

Not sure what Taylor Swift has got to do with it. Maybe she pretends to be happy.

So if your account has all 3 types associated with it, even if someone knows your password, they cannot get in because they will need your token (Authenticator app on your phone). If they have managed to also steal your phone, then they can’t get in if they also need your fingerprint. If they are holding you at gun-point to make you unlock your account using your finger, then you have bigger problems.

Aaron’s musings was this:

If a password is stored in a password manager, is it still something known, or does it become something possessed? A password manager vault can be stolen.

Knowledge of where the passwords are stored and how to retrieve them then becomes “something known” and the vault itself “something possessed”. No?
Aaron Toponce

This has since become quite topical in the recent LastPass breach where keyvaults have been posted on hacking forums. If the master password is then cracked, then hackers will have access to many people’s accounts. I was always intrigued by password managers, but I did feel you really are putting your trust in one company.

State of Js

I drafted up this blog a year ago but never published it.

“State of JS” do an annual survey about Javascript, and one of the questions was about people’s favourite content authors.

In the 2021 survey, 2 out of 15 of these content authors were women, and some of the “Social Justice Warriors” aren’t happy about this, so one of them stated that the chart’s title should be simply “MEN”. Then she follows it up with highlighting the demographics of the people surveyed. 71.3% were men, 4% women, 0.9% non-binary, and everyone else refused to answer.

I think her point is that men are voting for men and thus perpetuating the “bro culture” that is holding back women like her.

If we assume that the survey does represent the proportion of developers (after-all, it is well known that the software development industry is mostly men), then I would say that should be proportionate to the number of public content creators too.

Therefore, we should only really expect to see 4% of women occupy the Top 15 Content Creators list. So what is 4% of 15? Isn’t it 0.6? So really, it’s not even that farfetched to expect all 15 to be Men.

It’s possible there are more women since there’s that large number of people who opted not to specify. However, around 492 women did respond, so there could easily be more women on that list. What’s that you say? Women are probably nominating men?! Unheard of!

I only learned some Web Development stuff HTML, Javascript, Typescript, React over a short period, and if you asked me to name some creators, I’d have probably named Dan Abramov, Wes Bos, Florin Pop, and Stefan Baumgartner and Cory House. Kent C. Dodds, Dan Abramov are big names in the field and the likes of Wes Bos have a huge following, have paid content, are very active on Twitter, and have a Podcast. So you expect these names to occupy the top spots of a list like this. Is it really perpetuating an exclusive culture?

I think it is just simple statistics. There’s no point lambasting StateOfJs for putting a survey out there. There’s no point attacking the men who responded that they didn’t vote for your friends.

I’ve written about a few occurrences like this. Deep down, these people think they are doing good by going on the offensive and “virtue signalling”, but all they are doing is creating a divide/toxic culture which is the opposite of what they actually want.

Note: It looks like there are 5 women on the latest survey https://2022.stateofjs.com/en-US/resources/. I wonder if this is linked to last year’s outrage, or mere coincidence.

Bug Bash

It’s been a while since we organised a “Bug Bash”. The general idea is to focus on fixing software bugs and clearing the seemingly ever-growing list. Sometimes managers have organised this as an optional thing over a weekend, or sometimes opted for a work week.

The problem I have with this idea is that with a strict deadline, you are encouraging people to rush. If you want to follow the usual process of a developer really understanding the bug (reading the bug report carefully, recreating the issue, analysing the code, coming up with a solution, testing it manually, maybe writing some unit tests for it), then going through the code review and testing process – then you are being really hopeful that it can be done in such a strict time-frame.

I find another developer will always have some opinion on your code, so you make a change, have to retest it and then get them to review it again. Then when coming to patch it on the test environment, you then might get problems with the build server or the test environment.

So the only bugs that are really appropriate for a Bug Bash are ones that are easily recreatable, quick to fix, and low impact. All the true high priority issues will have been addressed more urgently and put into the normal release process anyway.

What you have to bear in mind, is any change has some kind of risk that you might introduce another problem, and this increases when you try and rush the change out; which is what the Bug Bash inherently prioritises.

I was looking for an example of how managers sold the idea, and I found one that actually seemed a bit more thought out:

Next week we are to down tools on project work and spend the week stabilising our product.

Service have provided a list of 300+ issues they would like us to work through. In addition, Paul has been reviewing the Error Logs to identify the most frequently reported errors and is creating items for these.

The domain experts are currently reviewing the list and identifying the issues they feel can be fixed next week. These will be placed into the Stabilisation list.

The priority order for working these items is set by a temporary field ‘Bug Fix Priority’. 1 is the highest priority.

Each developer should select the next bug at the top of the list that is not currently being worked, change the state to Assigned, and Owner to themselves.

All Priority 1s must be completed first. If there are no defects you are comfortable fixing, please speak to me before moving on.

Each bug fixed must have supporting unit test(s) before being sent for code review.

At no point should a developer have more than 3 items they are involved with, this being 1 bug being worked on, 1 being code reviewed and 1 with the tester. If you’re waiting for a code review - go chase it. If you're waiting for a test to complete – go help out.

It is important to note the emphasis on this release is QUALITY.

With this in mind, the attached spreadsheet has been produced that maps a developer to someone who will review their code and DB changes. Where possible we have also mapped each developer to a test resource. The developer and tester jointly own the end to end process for each bug.

A kick off meeting will be held at 10am on Monday in Room 1 for all to attend.

Code Reviewers will hold daily stand-ups with their development and test resources which will then feed into a management review at 4 pm.

Darren
Development Manager

So, they have allocated a full week, tried to analyse the bugs to see if they are suitable to fix quickly, and they have emphasised it is about quality. However, they seem fairly strict on the order the bugs are addressed, so you may end up with developers being forced to pick up items in areas they don’t specialise in.

There was a follow-up email stating that there were issues with the build server which caused them to lose time.

All,

The plan is to finish coding tomorrow to allow test to complete on Friday.

With this in mind and as a result of build issues experienced yesterday we’re considering the possibility of overtime tomorrow evening to make up lost time.
Can you please indicate using the voting buttons by 12pm tomorrow whether you’d be available for overtime tomorrow evening.

We'll be ordering Pizza and a Beer too, to keep us fuelled 😉 It would be very much appreciated if you could stick around. Every bug fixed is giving our end users a better customer experience!

Thanks,

Darren

When Bug Bashs have occurred over the weekend, I think Developers and Testers have started at the same time, but they wouldn’t have had anything to test until mid-day at least – due to development time, code review time, then build and patch process. So the Testers will just be earning money for chilling out and eating pizza.

I found an instant messaging conversation with a colleague about a different Bug Bash:

Daniel 11:37:
one of the bugs on the list to be fixed in the bug bash was logged by me 5 years ago
so very urgent then

Me 11:38:
the bug bash isn't supposed to be for urgent issues

Overtime requests will only be approved for time spent on defects that are Fixed, Tested, PO Approved and Closed(Done)
 
So you could do some complex work, not get it done, and therefore not get paid

Daniel 11:42:
yeah I read that today
who's going to go for that
it's completely the wrong way to fix bugs

So this bug bash seemed to be for clearing down all the bugs that have just been ignored for years. The problem with old bugs like that is that you could spend time trying to recreate them, and find they are now obsolete due to other code changes, or obsolete features. The managers also decided they didn’t want to pay people for incomplete items, so you cold spend ages working on something and not get paid.

You could close the bug as obsolete – it’s not fixed so you don’t get paid
You could spend ages recreating it, coming up with a fix, but there’s not enough time for the rest of the process to actually complete it.
You could come up with a fix, but there’s a small bug found by the tester. You could persuade them to keep quiet so you both get paid.
You could come up with a fix, but build issues cause it to not get tested.

I think that every-so-often, you do need to analyse the list of bugs you have, and try and clear it down; either by fixing them, proving they are obsolete, or maybe just marking them as never intending to fix. A dedicated period of time is required but I would have thought a 2 week period is required at minimum in order to not cut corners.