While free/libre and open source software (FLOSS) is critical to global computing infrastructure, the maintenance of widely-adopted FLOSS packages is dependent on volunteer developers who select their own tasks. Risk of failure due to the misalignment of engineering supply and demand -- known as underproduction -- has led to code base decay and subsequent cybersecurity incidents such as the Heartbleed and Log4Shell vulnerabilities. FLOSS projects are self-organizing but can often expand into larger, more formal efforts. Although some prior work suggests that becoming a more formal organization decreases project risk, other work suggests that formalization may increase the likelihood of project abandonment. We evaluate the relationship between underproduction and formality, focusing on formal structure, developer responsibility, and work process management. We analyze 182 packages written in Python and made available via the Debian GNU/Linux distribution. We find that although more formal structures are associated with higher risk of underproduction, more elevated developer responsibility is associated with less underproduction, and the relationship between formal work process management and underproduction is not statistically significant. Our analysis suggests that a FLOSS organization's transformation into a more formal structure may face unintended consequences which must be carefully managed.