Slashdot Mirror


Ask Slashdot: How To Work On Source Code Without Having the Source Code?

occamboy writes: Perhaps the ultimate conundrum!

I've taken over a software project in an extremely specialized area that needs remediation in months, so it'll be tough to build an internal team quickly enough. The good news is that there are outside software engineering groups that have exactly the right experience and good reputations. The bad news is that my management is worried about letting source code out of the building. Seems to me that unless I convince the suits otherwise, my options are to:

1) have all contractors work on our premises — a pain for everyone, and they might not want to do it at all

2) have them remote in to virtual desktops running on our premises — much of our software is sub-millisecond-response real-time systems on headless hardware, so they'll need to at least run executables locally, and giving access to executables but not sources seems like it will have challenges. And if the desktop environment goes down, more than a dozen people are frozen waiting for a fix. Also, I'd imagine that if a remote person really wanted the sources, they could video the sources as they scroll by.

I'll bet there are n better ways to do this, and I'm hoping that there are some smart Slashdotters who'll let me know what they are; please help!

6 of 234 comments

  1. Option 3 by Anonymous Coward · · Score: 2, Informative

    Perform solid background checks and pay the employees enough that you can trust them.

    You have to be able to trust your employees. Onsite requirements will not aid in this.

    Note: Also... I am also misunderstanding why you can not have them remote into "local" boxes onsite, and run/execute the code from there. That code should execute in exactly the same manner as a local system running the code.... the remote contractor screens might take a little time to update.... but largely should be identical to physically being onsite.

  2. Have them work on the premises. by 91degrees · · Score: 5, Informative

    Speaking as a contractor, I'll work on site if you insist. You're the boss. Provide me with equipment and coffee, and I'll suck it up.

    We're whores. We want your money. We don't care if your demands are stupid, as long as we can meet them.

  3. You pretty much covered the options by enjar · · Score: 5, Informative

    You can do the onsite thing, but you are right in that you will limit the groups which may be interested, and also you may need to pay more as the group may include the cost of hotel stays, food, etc. in their quote for doing the work. So you can limit your potential personnel and it can cost more.

    If you do the remote thing, they don't have to log into virtual desktops, they can log into real hardware just as well if performance is an issue.

    Also, "I need you to fix my source code but you can't see it" ... that's kind of a paradox.

    And regarding your source code, set up an NDA. If the group you contract with is a quality group with a good reputation, this shouldn't be a problem. Actually I hate to break it to your management, but unless you are doing an air gap/search of employees entering a special lab where they have no means of getting the code off (floppies, USB keys, etc.), your source code has likely left the building one way or another, for good or ill.

    You can also tell your management that if they want to do this all internally, etc., that the timeline needs to be extended. They are giving you legitimately contradictory constraints. Not that this is uncommon (constraints conflict all the time), but you need to know where the flexibility is.

  4. NDA is your only hope by roc97007 · · Score: 3, Informative

    Your boss needs to understand that whether they access source at home or at work, they'll have access to source. You can't put those worms back in the can. Traditionally, a condition of employment is to not put the company's intellectual property at risk. This is true regardless of the work arrangement.

    That said, there is precedent for having developers work from a Citrix farm. And yes, there are reliability challenges. Whether this is practical depends on how good your IT is.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.

  5. Re:An NDA works and makes for Target to sue by The-Ixian · · Score: 4, Informative

    Any sort of remote access to do work is basically the same as letting the code out of the building

    I can attest to this.

    I have worked for large corporations that utilize proxied access to the Internet and locked down removable media.

    It was still trivially easy to circumvent by using PuTTY to open an SSH tunnel over 443 to my home network, then using port forwarding to open an RDP session to an internal Windows box (complete with file transfer and drive redirection).

    I really just wanted to see if it could be done more than anything else.

    PuTTY turns out to be on the approved executable list of every place I have worked.... Hey, if you give me the tools.... *shrug*

    --
    My eyes reflect the stars and a smile lights up my face.
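
A detection-side illustration of the tunnel described in the comment above, added here as an example and not part of any poster's comment: it checks whether the first client bytes of a connection to port 443 are a TLS ClientHello or an SSH identification string. The flow records, field names and addresses are constructed, and it assumes a proxy or sensor that exposes the first payload bytes of each outbound connection.

```python
import struct

# First client payload bytes of outbound TCP flows (constructed sample data,
# not captures from the thread; field names are assumptions).
SAMPLE_FLOWS = [
    {"src": "10.0.4.17", "dst": "198.51.100.20", "dport": 443,
     "payload": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03" + b"\x00" * 32},
    {"src": "10.0.4.52", "dst": "203.0.113.9", "dport": 443,
     "payload": b"SSH-2.0-PuTTY_Release_0.70\r\n"},
    {"src": "10.0.4.60", "dst": "203.0.113.77", "dport": 443,
     "payload": b"\x00\x01\x02garbage"},
]

def classify_first_bytes(payload: bytes) -> str:
    """Return 'tls', 'ssh' or 'unknown' from the first bytes a client sends."""
    # RFC 4253 section 4.2: an SSH peer opens with "SSH-protoversion-softwareversion".
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS record header is type(1) version(2) length(2). A ClientHello is a
    # handshake record (type 22) whose first handshake byte is 1.
    if len(payload) >= 6:
        rtype, major, minor, length = struct.unpack("!BBBH", payload[:5])
        if (rtype == 22 and major == 3 and minor <= 4
                and 0 < length <= 16384 and payload[5] == 1):
            return "tls"
    return "unknown"

def ssh_software(payload: bytes) -> str:
    """Extract the softwareversion field from an SSH identification line."""
    line = payload.split(b"\n", 1)[0].rstrip(b"\r")
    parts = line.decode("ascii", "replace").split("-", 2)
    return parts[2].split(" ", 1)[0] if len(parts) == 3 else ""

def non_tls_on_443(flows):
    """List flows to port 443 whose first bytes are not a TLS ClientHello."""
    findings = []
    for flow in flows:
        if flow["dport"] != 443:
            continue
        kind = classify_first_bytes(flow["payload"])
        if kind != "tls":
            software = ssh_software(flow["payload"]) if kind == "ssh" else ""
            findings.append({"src": flow["src"], "dst": flow["dst"],
                             "protocol": kind, "software": software})
    return findings

if __name__ == "__main__":
    for finding in non_tls_on_443(SAMPLE_FLOWS):
        print(finding)
```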

  6. Re:you should rewrite it in node.js by plopez · · Score: 3, Informative

    https://www.youtube.com/watch?...

    I think this is what OP was referring to.

    --
    putting the 'B' in LGBTQ+