GitHub alternatives for projects with compliance requirements

Adrian Edwards photoace12 at icloud.com
Thu Jul 14 12:05:38 UTC 2022


Ah right. I'm definitely not as familiar with these certifications as I 
probably should be, but your explanation makes sense.

I agree that it's not going to be practical for a FOSS project like gitea 
to offer a hosted service for free and get certified themselves. I think 
my original question probably could have been better phrased as "are 
there any FOSS forges (like GitLab) with features that organizations can 
buy into/use to help them meet their own compliance requirements while 
supporting FOSS?"

I think GitHub has an "enterprise cloud" offering 
(https://docs.github.com/en/enterprise-cloud@latest/admin/overview/about-enterprise-accounts) 
that might support this (and happens to be hosted by them). It seems 
like GitLab also has similar features for their paid enterprise tier 
(https://about.gitlab.com/pricing/).

Since all of GitHub and the enterprise tiers of GitLab are famously 
closed-source, I'm curious if there are any other forge platforms that 
exist (bitbucket?) that can provide competition and more 
(libre-friendly) choices than just GH/GL for users where such compliance 
requirements are a must-have even if it costs money (which is reasonable 
for enterprise use IMO).

Hope that makes more sense. Apologies for the confusion and 
misunderstanding of how compliance requirements work.

Adrian

On 7/13/22 19:39, Rémi Rampin wrote:
> 2022-07-13 17:33 UTC-04, Adrian Edwards <photoace12 at icloud.com>:
>> Given that the GiveUpGitHub campaign page asks the most
>> comfortably-situated large projects to give up GitHub first, I was
>> wondering if there were any FOSS options out there to provide some
>> competition for GitLab for enterprises with compliance requirements that
>> they have to meet, such as SOC2, ISO 27001, ISO 13485/QMS etc. I have
>> heard about these kinds of standards in recent StackOverflow podcasts
>> and am curious if there are options for companies that want to support
>> free and open software but don't have the ability to choose freedom and
>> openness at the expense of regulatory compliance.
>>
>> Is it just a choice between GitHub and GitLab at this stage or are there
>> other options?
> Hi,
>
> Those seem to be certifications for organizations (and devices), not for
> software. I don't think a piece of software like Gitea or GitLab can be
> certified for any of this, only an organization running it for you (platform as
> a service) could possibly get certified, like github.com or gitlab.com.
>
> The only platform I know that is running open source software commercially is
> SourceHut, however it is still in alpha. I don't know if they will want to get
> certifications but surely that would come later.
>
> I don't think an organization running a platform as a free service could get a
> certification. Beyond the price requirement and the strong requirements on
> staff (those organizations often don't have paid staff), I am not sure this is
> something that could kick in without some sort of contractual relationship with
> you the user.
>
> You could certainly run the software in-house and get any of those
> certifications though, if nothing else by hiding it inside a private network.
>



More information about the Give-Up-GitHub mailing list