Aren't those about organizational processes instead of just specific software features? For example, I don't think self-hosting gitlab is enough to claim ISO/IEC 27001, just based on this snippet from wikipedia:
> ISO/IEC 27001 requires that management:
> Systematically examine the organization's information security risks, taking account of the threats, vulnerabilities, and impacts;
> Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
> Adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.
I don’t know if Gitlab is an industry standard, but I’ve never heard of Forgejo. I worked for a headless CMS company and the only three providers we ever had requests for were GitHub, Bitbucket, and Gitlab. Gitlab is big enough to be generally adopted by governments. I think it’s fair to say it’s at least a lot closer to being an industry standard then Forgejo.
(Aside: I would likely never use Gitlab by choice, and would consider looking into Forgejo)
Probably because those are service providers and Forgejo is software. Same reason people ask for Microsoft account and Google account integration, but nobody ever asks for Linux account integration in your cloud software.
one reason (among others) — compliance.
a corporate/b2b saas environment without stuff like this is often a non starter.
- SOC2
- ISO/IEC 27001:2022
- ISO/IEC 27017:2015
- ISO/IEC 27018:2019
- VPAT 508
https://about.gitlab.com/security/
no mention of these on the forejo site, so i can’t put “our internal software is all SOC2/ISO NUMBER compliant” as a bullet point on a slide deck.
it is theatre. but it’s industry theatre.
Aren't those about organizational processes instead of just specific software features? For example, I don't think self-hosting gitlab is enough to claim ISO/IEC 27001, just based on this snippet from wikipedia:
> ISO/IEC 27001 requires that management:
> Systematically examine the organization's information security risks, taking account of the threats, vulnerabilities, and impacts;
> Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
> Adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.
> I don't think self-hosting gitlab is enough to claim ISO/IEC 27001
probably not. but it does mean you can focus on the rest of your stack rather than having to go through every single process from the ground up.
I don’t know if Gitlab is an industry standard, but I’ve never heard of Forgejo. I worked for a headless CMS company and the only three providers we ever had requests for were GitHub, Bitbucket, and Gitlab. Gitlab is big enough to be generally adopted by governments. I think it’s fair to say it’s at least a lot closer to being an industry standard then Forgejo.
(Aside: I would likely never use Gitlab by choice, and would consider looking into Forgejo)
Probably because those are service providers and Forgejo is software. Same reason people ask for Microsoft account and Google account integration, but nobody ever asks for Linux account integration in your cloud software.
Forgejo is mention in the article, it powers Codeberg. I agree it doesn't have high adoption, but the news is that it is growing.
Popularity.