The Routinization of Open Source Project Engagement: The Case of Open Source Risk Management Routines

As organizations increasingly use open source software, they inevitably routinize open source project engagement to manage new open source risks. We explore the software package data exchange (SPDX) standard as a key open source product for routinizing the work that open source risk management entails. The development and subsequent adoption of SPDX raise the questions of how organizations participate in SPDX to routinize open source work to better integrate with their own open source risk management routines, how organizations make sense of SPDX when improving their own open source risk management routines, and how a community benefits from the experiential knowledge that organizational early adopters contribute back to it. To explore these questions, we conducted a single-case, multicomponent field study in which we connected with individuals who helped to develop and later employed SPDX in their own organizations. Our results contribute to explaining how organizations routinize open source project engagement by observing organizational commitments to routinize aspects of open source risk management through communal interactions, organizationally specific interpretations, and deployments.