While free/libre and open source software (FLOSS) is critical to global computing infrastructure, the maintenance of widely-adopted FLOSS packages is dependent on volunteer developers who select their own tasks. Risk of failure due to the misalignment of engineering supply and demand -- known as underproduction -- has led to code base decay and subsequent cybersecurity incidents such as the Heartbleed and Log4Shell vulnerabilities. FLOSS projects are self-organizing but can often expand into larger, more formal efforts. Although some prior work suggests that becoming a more formal organization decreases project risk, other work suggests that formalization may increase the likelihood of project abandonment. We evaluate the relationship between underproduction and formality, focusing on formal structure, developer responsibility, and work process management. We analyze 182 packages written in Python and made available via the Debian GNU/Linux distribution. We find that although more formal structures are associated with higher risk of underproduction, more elevated developer responsibility is associated with less underproduction, and the relationship between formal work process management and underproduction is not statistically significant. Our analysis suggests that a FLOSS organization's transformation into a more formal structure may face unintended consequences which must be carefully managed.