GitHub alternatives for projects with compliance requirements

Rémi Rampin remirampin at gmail.com
Wed Jul 13 23:43:08 UTC 2022


2022-07-13 17:33 UTC-04, Adrian Edwards <photoace12 at icloud.com>:
> Given that the GiveUpGitHub campaign page asks the most
> comfortably-situated large projects to give up GitHub first, I was
> wondering if there were any FOSS options out there to provide some
> competition for GitLab for enterprises with compliance requirements that
> they have to meet, such as SOC2, ISO 27001, ISO 13485/QMS etc. I have
> heard about these kinds of standards in recent StackOverflow podcasts
> and am curious if there are options for companies that want to support
> free and open software but don't have the ability to choose freedom and
> openness at the expense of regulatory compliance.
>
> Is it just a choice between GitHub and GitLab at this stage or are there
> other options?

Hi,

Those seem to be certifications for organizations (and devices), not for
software. I don't think a piece of software like Gitea or GitLab can be
certified for any of this, only an organization running it for you (platform as
a service) could possibly get certified, like github.com or gitlab.com.

The only platform I know that is running open source software commercially is
SourceHut; however, it is still in alpha. I don't know if they will want to get
certifications, but surely that would come later.

I don't think an organization running a platform as a free service could get a
certification. Beyond the price requirement and the strong requirements on
staff (those organizations often don't have paid staff), I am not sure this is
something that could kick in without some sort of contractual relationship with
you the user.

You could certainly run the software in-house and get any of those
certifications though, if nothing else by hiding it inside a private network.

--
Rémi


More information about the Give-Up-GitHub mailing list