Engineering Formality and Software Risk in Debian Python Packages

While free/libre and open source software (FLOSS) is critical to global computing infrastructure, the maintenance of widely-adopted FLOSS packages is dependent on volunteer developers who select their own tasks. Risk of failure due to the misalignment of engineering supply and demand – known as underproduction – has led to code base decay and subsequent cybersecurity incidents such as the Heartbleed and Log4Shell vulnerabilities. FLOSS projects are self-organizing but can often expand into larger, more formal efforts. Although some prior work suggests that becoming a more formal organization decreases project risk, other work suggests that formalization may increase the likelihood of project abandonment. We evaluate the relationship between underproduction and formality, focusing on formal structure, developer responsibility, and work process management. We analyze 182 packages written in Python and made available via the Debian GNU/Linux distribution. We find that although more formal structures are associated with higher risk of underproduction, more elevated developer responsibility is associated with less underproduction, and the relationship between formal work process management and underproduction is not statistically significant. Our analysis suggests that a FLOSS organization's transformation into a more formal structure may face unintended consequences which must be carefully managed.