I feel like you’re being unnecessarily confrontational.
You wrote “changes that hit production were reviewed by another developer. This isn’t something we were doing…”
I cited PR as an example of a change and you’re acting like I’m trying to argue that PR reviews alone stop insider threats. (I’m not.)
There are lots of ways to change production. To me it looks like you said effectively one person could do so without being checked by another person. To me that sounds like a hole for problems to drive through. And that SOC2 was the impetus for you to tighten it.
If I’m wrong, you can take it as feedback on your writing, I guess. You know what you wanted to write; I’m telling you what I read.
Or you can just treat me like I’m an idiot if you want. I don’t think I’m an idiot, and I’m not the only person you’re being combative with.
The commenter above constructed a supercilious put-down based on an uncharitable reading of the post, where the most direct and technically accurate response would have required me to cut against the point the post makes, which is that in a showdown between SOC2 and a mature, well-thought-out dev process, the dev process can and should win.
I'm comfortable with what I brought to the thread in response. If you detected contempt, well, you're not wrong. But it's for the comment, not the commenter, who I assume was just having a bad day, like I (in a way) was.
You obviously wanted a more charitable reading from me; please return the favor. I did not set out in bad faith to make you look bad. I read something surprising and took it seriously—dumb me, I guess.
Miss me with this stuff. You chose the words "honestly flabbergasted", not me.
Part of the ethos of "we're not doing stupid stuff for SOC2" and "we're going to be direct about how this stuff works so other people can hopefully benefit" is assuming that we're all reasonable adults who want to understand how SOC2 works, and aren't looking to score dunks off unintended subtext.