REM State

I recently read about Ohloh on Slashdot and thought, “Wow — that’s almost useful.” Unfortunately, SLOC is a sloppy count of productivity no matter how you cut it. I think that there’s a much better idea hiding in there — in fact, I wrote one of my final college papers on the topic. For those of you who follow my posts here, I’m sure you know that I’m a quality assurance person; metrics are what I do. You have to have metrics that properly reflect what’s happening, otherwise you can’t make good choices. SLOC is a bad metric, because its meaning can vary too much. However, security vulnerabilities and (more generally) bugs are a much more concrete measure of how good a dev is.

Have a read through the full paper. It’s been a couple years since I’ve touched the topic, but this methodology is used both to rate the quality of code, and rate the quality of auditors, and can be used to rate the quality of the coders (shame on them if they accepted bad patches from someone else :).