Score
Working in open source requires understanding licenses and governance, using git/GitHub workflows (issues, pull requests, CI, code review), writing tests and documentation, and engaging in maintainer processes such as triage, contribution guidelines and release management to contribute or run public projects.
This study addresses the challenges of open-source software governance, where ambiguously defined roles and permissions often lead to unclear accountability and excessive burdens on core maintainers. For the first time, it systematically analyzes governance documents such as GOVERNANCE.md in GitHub projects, applying institutional grammar to structurally dissect roles in terms of their scope, authority, obligations, and lifecycle. The research uncovers a phenomenon termed “role drift” and identifies the “maintainer paradox”: while core contributors foster community engagement, they frequently become bottlenecks in governance. Empirical findings reveal substantial variation in responsibilities among identically named roles across projects and demonstrate that a small number of individuals often concentrate technical, managerial, and community-facing functions. These insights provide critical foundations for improving role design and enhancing the sustainability of open-source communities.
License compliance for open-source components is critical in software development, yet developers frequently face legal and reputational risks due to challenges in license identification, unclear understanding of downstream obligations, and inadequate tooling support. This study presents the first interdisciplinary empirical investigation jointly conducted by software engineering and legal experts. Through 58 surveys and 7 in-depth interviews with practitioners, it systematically characterizes developers’ compliance practices, core challenges, and current tool usage. The analysis yields 15 key findings—including frequent license misclassification, breakdowns in cross-role collaboration workflows, and poor comprehensibility of legal terminology—highlighting critical gaps between legal requirements and developer cognition. Based on these insights, the study proposes empirically grounded design principles for developer-centric compliance tools and actionable policy recommendations. It thus provides a foundational evidence base for building human-centered, automated, and legally integrated compliance support systems.
The accountability, sustainability, and robustness of open-source projects remain poorly understood as they transition from founder-led governance to community-driven models. Method: Leveraging GOVERNANCE.md files from 637 GitHub repositories, we develop a scalable semantic parsing pipeline that systematically traces governance evolution—integrating version-control analysis, extraction of institutional roles/behaviors/permissions, and clustering-based modeling. Contribution/Results: We find governance maturation does not stem from discursive shifts but from progressive responsibility layering and refinement: persistent role and behavioral differentiation, increasing clarity of oversight functions, strengthened ecosystem-level collaboration, and growing regulatory balance. This work establishes the first large-scale empirical framework and reusable methodology for studying governance evolution in open-source digital public infrastructure.
This study addresses the lack of systematic understanding regarding the evolution of GitHub Actions workflows. Through a mixed-methods approach, we conduct the first large-scale empirical analysis of over 3.4 million workflow file versions from more than 49,000 repositories spanning November 2019 to August 2025. We identify seven categories of conceptual changes and find that repositories typically contain a median of three workflow files, with 7.3% of workflows modified weekly—approximately 75% of which involve only a single change, predominantly in task configuration and specification. Our findings further indicate that current large language model (LLM) tools have not yet significantly influenced workflow maintenance frequency, offering empirical grounding for the design of fine-grained automated maintenance tools.
This study investigates how data protection regulations (e.g., GDPR, CCPA) impact open-source software (OSS) development practices, focusing on the reporting, discussion, and resolution of personal-data-related issues in GitHub projects. Using an exploratory empirical approach—combining inductive thematic coding, annotating reporter roles and issue states, and conducting relevance-based statistical analysis—the authors systematically identify six recurrent categories of data protection issues. Results show that such issues are predominantly reported by non-core contributors; resolution rates are low and rely heavily on non-technical negotiation rather than code-level fixes; and a structural tension exists between regulatory compliance requirements and OSS development culture. This work is the first to empirically demonstrate how data protection obligations are substantively embedded within OSS development workflows, thereby bridging regulatory compliance and OSS engineering practice. It provides foundational evidence and design insights for developing compliance-aware open-source governance mechanisms.
GitHub’s CODEOWNERS feature automates code review responsibility assignment, yet its real-world adoption and impact remain poorly understood. This paper presents the first large-scale empirical study, analyzing 840,000 pull requests (PRs) and 2 million review logs across 2,147 open-source projects using Regression Discontinuity Design (RDD) to causally quantify CODEOWNERS’ effects. Results show that CODEOWNERS significantly improves review timeliness and coverage while reducing review burden on core developers; promotes more equitable ownership distribution and accelerates PR integration; and functions as a novel software governance mechanism that enhances project security and collaborative resilience. Collectively, this work demonstrates that automated ownership assignment substantively reshapes both collaboration efficiency and governance structures in open-source development.
This study addresses the challenge of accountability in open-source software ecosystems, where the often-conflicting demands of diverse stakeholders—including volunteers, corporations, and end users—hinder communities’ ability to effectively identify and fulfill their responsibilities. For the first time, this work systematically focuses on the issue of accountability in open source, convening a cross-disciplinary workshop at Carnegie Mellon University with 24 domain experts to foster qualitative dialogue between researchers and practitioners. The project proposes a stakeholder-centered accountability agenda, articulates key research questions, and outlines an initial roadmap to guide future scholarly inquiry and community practice in this critical area.
This study addresses the significant burden developers face in authoring and maintaining GitHub Actions workflows, stemming from a lack of systematic understanding of real-world automation and reuse practices. Through a mixed-methods approach combining a survey of 419 practitioners with qualitative and quantitative analysis, this work presents the first developer-centric characterization of common automation tasks, patterns of reuse mechanism adoption, and maintenance pain points in workflow development. The findings reveal that while developers heavily rely on reusable Actions, they seldom adopt reusable workflows; version management challenges lead to rampant copy-pasting; and critical aspects such as security and performance monitoring remain under-automated. These insights provide empirical foundations for improving CI/CD toolchains and reuse mechanisms.
Existing research often treats open-source software as a homogeneous entity, overlooking its inherent heterogeneity in objectives, governance, and funding, which leads to unwarranted generalizations. Addressing this gap, this study conducts a multi-source, lightweight systematic literature review of 3,925 papers to develop the first taxonomy of open-source software comprising 14 distinct subtypes. It further proposes an integrative analytical framework that combines driving factors, governance models, and funding sources. The research identifies theoretically significant yet empirically underexplored categories—such as “multi-corporate coopetition” and “protest software”—and maps a comprehensive typology encompassing both mature and emerging subtypes. This work establishes a foundational basis for future research on differentiated dynamics and cross-type transferability within the open-source ecosystem.
This study addresses how employers evaluate the value of open-source contributions by computer science students in the generative AI era, where hiring criteria increasingly emphasize non-technical competencies. Method: We conducted interviews with 65 U.S. hiring managers to identify core competencies for entry-level roles in early 2025—particularly initiative—and developed the novel “Hiring Manager Protocol”: a behaviorally grounded framework translating employer expectations into concrete open-source practices. Using thematic analysis and an Expectancy-Value Theory–informed survey (N=650), we assessed perceptions and motivational impacts. Contribution/Results: Employers assign high value to tacit competencies demonstrated through open-source participation. Publicly sharing the Protocol significantly increased student motivation to contribute (p<0.01). This work establishes the first empirically grounded linkage between employer requirements and student open-source behaviors, proposing an actionable educational intervention model. It provides evidence-based guidance and mechanism-level innovations for universities seeking to incentivize open-source engagement and align computing education with labor-market demands.