Ask HN: Why do tests run in production repos?

2 pointsboldi2y ago2 comments

In light of the recent xz backdoor, I was wondering what the potential use, if any, there is in shipping test folders in release/production branches? Wouldn't it seem more reasonable to have a separate "dev" branch to have the tests of folders?

2 comments

austin-cheney2y ago

Unrelated. Test automation is not an indicator of insecurity. If the mere presence of tests expose security vulnerabilities your product is insecure irrespective of the tests. In these cases fix the security problems.

I have always shipped test automation in production with my personal software. It allows users to independently validate the health of the product in their own operating conditions and write better more precise defects.

TacticalCoder2y ago

> If the mere presence of tests expose security vulnerabilities your product is insecure irrespective of the tests.

Wait... I may be misunderstanding but in the xz backdoor we just had, had the tests not be ran in prod, the attacker would have had no way to ever ship its mandatory evil binary payload and the attack would have been stopped dead in its track.

I'm very surprised to see this dismissed as "unrelated" when not including the test files in the prod environment would have prevented that exploit.

At least as I understand it.

j / k navigate · click thread line to collapse