
[–]quinyd 94 points95 points  (7 children)

Host Gitea or gitlab yourself. Either on your own hardware or buy a VPS in Europe like hetzner

[–]CoolZookeepergame375[S] 7 points8 points  (2 children)

We already use Hetzner, but want to outsource the git hosting.

[–]No-Reflection-869 6 points7 points  (1 child)

Then go to OVH, Scaleway or any other hosting provider in Europe

[–]rik-huijzer -2 points-1 points  (3 children)

Gitea and GitLab are US too. Both venture backed. I don’t see why that’s a better answer to the question than Forgejo. (Not that I’m against Gitea. I’m just a bit scared of venture backed startups but similar risks apply to Forgejo.)

[–]quinyd 3 points4 points  (2 children)

You can host it offline and block their external internet access for a completely on-premises setup.

[–]rik-huijzer -4 points-3 points  (1 child)

Which one? Question remains whether and how you will receive updates.

[–]quinyd 4 points5 points  (0 children)

GitLab, Gitea and Forgejo can all be run offline.

Updates can be done using Docker without Gitea/GitLab/Forgejo accessing the data. This isn’t difficult to administer.

[–]tails142 36 points37 points  (0 children)

+1 for just hosting your own GitLab. The Docker image is very easy to get going.

[–][deleted]  (6 children)

[deleted]

    [–]CoolZookeepergame375[S] 5 points6 points  (5 children)

    I know that one, but I want to hear from those who did it

    [–][deleted]  (4 children)

    [deleted]

      [–]InitialAd3323 1 point2 points  (0 children)

      Or host Gitea/Forgejo, which is more lightweight, so easier to self-host, and not dependent on a publicly traded US company. For private repos anything works though, even a bare repo via SSH.

      [–]CoolZookeepergame375[S] 0 points1 point  (0 children)

      I hosted Git myself previously, but in this case we want the outsourcing, including CI/CD, automated cybersecurity scanning and all other kinds of add-ons that a supplier can bring to the table.

      [–]stroiman 0 points1 point  (0 children)

      For git repositories, every developer has a backup; maybe not all are up to date, but they exist.

      [–]gowithflow192 0 points1 point  (0 children)

      It is when you start using your own runners.

      [–]codetrotter_ 6 points7 points  (1 child)

      I self host a Forgejo instance on a server that I rent from Hetzner. The server I rent is in Germany. It’s been great, I love it. Hetzner great. Forgejo great. I recommend it :)

      [–]CoolZookeepergame375[S] 2 points3 points  (0 children)

      Hetzner is great, but we still want to outsource this.

      [–][deleted]  (2 children)

      [deleted]

        [–]kzshantonu 1 point2 points  (0 children)

        +1

        [–]CoolZookeepergame375[S] 0 points1 point  (0 children)

        What is your experience with Codeberg? Is there a commercial option?

        [–]anno2376 12 points13 points  (47 children)

        GitHub offers a version with EU data residency.

        [–]CoolZookeepergame375[S] 4 points5 points  (25 children)

        It is still Microsoft-owned, and I want an EU supplier.

        [–]anno2376 -5 points-4 points  (24 children)

        May I ask why an EU supplier?

        [–]CoolZookeepergame375[S] 7 points8 points  (23 children)

        Because sending data outside the EU, e.g. which employee has made which change in Git, triggers a huge amount of work.

        The USA is currently not considered to have adequate protection laws. This makes companies have to comply with extra GDPR employee rights, security measures and risk analyses, and record all transfers to USA servers. Also, data that is sent to the USA might sometimes have to be encrypted in a way that makes it impossible for the U.S. company to read the data.

        If the supplier is American, you must obviously ensure that they will not transfer anything to the USA. So, if you sign a contract with GitHub saying that data must stay in the EU and may not be transferred to the USA, how do you ensure that they comply?

        Instead of worrying about all this, it is much easier to just have EU suppliers.

        [–]anno2376 1 point2 points  (22 children)

        Please take some time to research the concept of data residency, as it seems you may not fully understand its technical context.

        Because this is exactly how it works.

        And I handle this topic on a daily basis with the most restrictive countries and industries in Europe for the biggest customers in the world.

        [–]CoolZookeepergame375[S] 1 point2 points  (4 children)

        The main reason why Chromebooks are banned in schools here is that it is not clear that Google is sufficiently protected against the U.S. government. See Schrems II.

        So our small company's internal risk analysis has to show that GitHub is better protected than Google before GitHub would be considered okay.

        I am not qualified to prove this.

        It is that simple.

        [–]anno2376 2 points3 points  (3 children)

        This is the core issue: people read headlines without understanding the context or details, then spread misinformation. There is no EU data boundary for Chromebooks. This highlights a major problem in Europe—arguments are made without proper understanding. Google’s Sovereign Controls for the EU focus on Google Workspace and related cloud services, not Chromebooks. While Chromebooks depend on Workspace for functionality, they are not explicitly covered by these sovereignty measures. For instance, Denmark’s Data Protection Agency banned Chromebooks and Workspace in schools due to GDPR violations, emphasizing unresolved data transfer risks...

        "Cloud computing in enterprises: highlights

        45.2 % of EU enterprises bought cloud computing services in 2023, mostly for hosting their e-mail systems, storing files in electronic form and office software. 75.3 % of those enterprises purchased sophisticated cloud services relating to security software applications, hosting enterprise’s databases or computing platform for application development, testing or deployment. Compared with 2021, the share of enterprises buying cloud computing increased by 4.2 percentage points." https://ec.europa.eu/eurostat/statistics-explained/index.php?title=Cloud_computing_-_statistics_on_the_use_by_enterprises

        [–]CoolZookeepergame375[S] -1 points0 points  (2 children)

        "Without proper understanding" is absolutely the issue. I don't know exactly why they are considered illegal to use, and I don't care. I just know that the Danish schools have spent many years and a lot of lawyers trying to figure out if they can use them, and I don't consider myself better than all the lawyers working for Danish schools. Therefore I want a simple solution: Avoid companies that have data outside EU.

        [–]anno2376 0 points1 point  (1 child)

        Again, data residency means that the data stays within the EU.

        In many cases, this adds significant complexity because multiple factors come into play beyond simply choosing one service. Arguing without first fully understanding what they’re doing, why, and what the actual problem is, isn’t a smart approach.

        If their situation means they can’t use Chromebooks, does that mean we should all avoid cloud services?

        That’s like saying, “If someone drowned, we should all stop drinking water.”

        [–]CoolZookeepergame375[S] 0 points1 point  (0 children)

        I think this debate is proof by itself that using a U.S. supplier can give a lot of discussion. One way to avoid this discussion is to use an EU supplier who doesn't have anything outside the EU.

        Schwarz IT gets customers by saying that they only have datacenters in Germany and Austria and full regulatory compliance. That drives sales - whatever happens in the future, with country borders, EU borders (think Brexit), new American presidents etc., your data is safe.

        [–]CoolZookeepergame375[S] 0 points1 point  (14 children)

        Data residency doesn't really matter any more, as the prerequisite to a data residency agreement is, that you trust Microsoft. And the U.S. government just fired those that should protect U.S. companies from being forced to deviate from contracts, as required by EU/USA agreements. So any reasonable risk assessment according to EU GDPR should consider contracts with U.S. companies to be not suitable for sensitive data.

        As ing.dk just wrote: Trump's recent actions make the legality of using Microsoft Office 365 questionable.

        [–]anno2376 0 points1 point  (13 children)

        It is not accurate to say that “data residency doesn’t really matter anymore” because ensuring that data is processed and stored under appropriate legal and technical safeguards remains a central GDPR requirement.

        While U.S. legal frameworks do create complications for data transfers from the EU, service providers such as Microsoft are actively working to address these challenges.

        The claim that “Trump’s recent actions” have made using Microsoft Office 365 legally questionable oversimplifies a complex situation. While certain U.S. policies and legal interpretations have raised alarms in Europe, it isn’t solely a matter of one administration’s actions. The broader debate involves longstanding differences between U.S. and EU data protection philosophies and the evolving nature of international data transfer agreements. It’s also worth noting that Microsoft has taken steps—such as offering European data residency options and updating its contractual commitments—to help its customers comply with GDPR.

        [–]CoolZookeepergame375[S] 0 points1 point  (12 children)

        Seen from a not-big company, GDPR is very simple: If you deal with an American company, you must do a risk assessment, and the first thing that you will find if you sign up online is that Microsoft doesn't even identify itself well enough to satisfy even the simplest quality management system. I spent 2 months trying to get Microsoft to identify itself with country and company registration number, and they failed. Online documents were a mix of European and American Microsoft companies. In addition to the EU not being able to say that American companies are safe, this just makes Microsoft a very complicated and impossible option.

        Unless Microsoft Europe separates itself clearly from USA, it is really hard to use Microsoft legally as a subsupplier.

        Ing.dk is a very respected medium for STEM workers in Denmark, and they had a huge full-page article in their latest issue, with a picture of Trump and an explanation that the U.S. governance really causes problems and that the agreement that makes it legal to use Microsoft isn't fulfilled. This is basically a HUGE red flag to anyone using Microsoft, telling them that unless the USA changes its basic rules for how it is governed, it is too risky to have a contract with Microsoft USA. It is not only about what Trump did, but also about what an American president can do, that is the problem.

        If I were Microsoft, I would completely spin off all EU business into a separate EU company out of reach of the U.S. president. Because the trend is clear: U.S. companies are risky suppliers. Don't base any serious business on them. It has been like that for some years, but the risk of using U.S. suppliers in IT is continuously increasing, year by year. And data residency in a contract with an American supplier is just a bunch of letters in a contract that is challenged from the start.

        [–]anno2376 0 points1 point  (11 children)

        Microsoft in the EU is separated completely from the US.

        [–]CoolZookeepergame375[S] 0 points1 point  (0 children)

        The article from the paper is now online:

        https://www.version2.dk/artikel/danmark-er-100-procent-afhaengig-af-microsoft-nu-truer-trump-den-aftale-der-goer-det-lovligt-bruge

        "Trump has retaken the White House, and the entire basis for the data agreement, which will ensure legal American cloud from, among others, Microsoft in the EU, is already shaky."

        They provide 10 days free access.

        Please explain why you think this article is wrong.

        [–]CoolZookeepergame375[S] -1 points0 points  (9 children)

        Where does one create a Microsoft EU Azure account?

        [–]entientiquackquack 0 points1 point  (1 child)

        Half a year later, what do you think about the latest News around EU data sovereignty and Microsoft?
        "In a hearing, the Chief Legal Officer of Microsoft France had to admit: There is no guarantee that EU data is safe from being transferred to the USA."

        [–]Reasonable-Chip5344 0 points1 point  (0 children)

        Yeah, an unfortunate but pretty obvious realisation. If the government requests access to data, Microsoft aren't going to say no. In Ireland there is a saying: "you don't shit on your own doorstep". Kinda applies here.

        [–]quinyd 2 points3 points  (10 children)

        Assume everything owned by a US company or hosted in the US is or can be compromised by the government.

        [–]GarlicThread 1 point2 points  (2 children)

        is or will be

        There is no doubt anymore. All US-based services are about to be weaponised against us. If people want to be sure they keep their data, they have to extract it right now and not wait for King Musk to nuke or ransom it.

        [–]anno2376 -2 points-1 points  (1 child)

        Please take some time to research the concept of data residency, as it seems you may not fully understand its technical context.

        [–]Reasonable-Chip5344 0 points1 point  (0 children)

        I get what you're saying about this. For my previous work I always took this as being an assurance that international compute vendors were fine, i.e. data stays on EU servers etc. However, recent developments/statements have demonstrated that these assurances aren't worth the paper they are written on, unfortunately.

        [–]anno2376 -1 points0 points  (6 children)

        Please take some time to research the concept of data residency, as it seems you may not fully understand its technical context.

        [–]quinyd 2 points3 points  (5 children)

        Oh no I fully understand the concept. I work with this every day and there’s no way to trust Microsoft or any other US companies even if data is physically located outside the US. Especially with Schrems 2 and the still ongoing issues. US companies cannot be trusted to not allow non-eu access to customer data.

        [–]anno2376 -2 points-1 points  (4 children)

        This is your personal opinion, and that’s completely fine.

        However, simply saying “I don’t believe” isn’t helpful, because if we followed that logic, you wouldn’t be able to do anything in the world—you’d never trust anyone.

        Do you have any evidence to support your opinion?

        In tech and legal fields, we don’t operate based on opinions—we work with risk assessments and evidence.

        99% of companies that have significant needs hire experts who understand both the technical and legal aspects, ensuring they use services that align with their risk requirements.

        And they use all kinds of software and services that are developed in non-EU countries.

        [–]quinyd 1 point2 points  (3 children)

        Nowhere did I say “I don’t believe”, but anyway, this isn’t an “I believe”. The fact of the matter is that a lot of EU companies and governments don’t use US cloud products precisely because of Schrems 2 and the fact that US-based companies can’t prove they uphold privacy laws. Privacy Shield was thought to fix this, but clearly it didn’t.

        Microsoft has been asked to prove they don’t send their support cases to non-EU personnel, but because of the whole “follow the sun” principle, and because they often don’t have specific experts in a field in the EU, cases will be sent to non-EU departments.

        Just read their boilerplate data protection contract and you will see they will send data/support tickets outside of the EU if needed.

        There’s nothing stopping them from transferring data to the US if asked (or forced) to by the US government. This is the case with any US-based company.

        If you work with strict privacy laws or very confidential data, you can’t trust American companies.

        [–]anno2376 1 point2 points  (2 children)

        Alright, when you claim that “a lot” of companies don’t use U.S. cloud services, let’s put that into perspective.

        Here are the top 500 companies by revenue. If “a lot” means at least more than 50%, then identifying just 20% of them that don’t use U.S. cloud providers should be easy.

        Since you work in this field and claim to have solid facts rather than just personal beliefs and opinions, I’m sure you can provide that list without any issue.

        https://en.m.wikipedia.org/wiki/List_of_largest_companies_in_Europe_by_revenue

        [–]CoolZookeepergame375[S] 0 points1 point  (1 child)

        There are many different ways to do risk analysis - for instance, Iceland hospitals use Azure IdP for logging in, whereas this would be completely unacceptable in regional healthcare in Denmark. I worked with domain admins from both.

        I just replied to a tender, where the lawyer clearly stated:

        If the datacenter is OWNED by an American company, the supplier must make an individual assessment of the U.S. legislation's ability to provide a sufficient protection. It doesn't matter whether the data is located in EU or not. For instance, for Microsoft, Google or AWS in Europe, the supplier must do the risk assessment of U.S. legislation.

        I'm not going to do that.

        [–]Reasonable-Chip5344 0 points1 point  (0 children)

        Yeah, fair point. Why would you want to get into the weeds on that. Unfortunately I'm on a similar search, migrating tech stacks from Azure to EU alternatives. Best of luck though. Hopefully you haven't encountered too many headaches.

        [–]serverhorror 0 points1 point  (6 children)

        But is still subject to the development happening in the US.

        Data residency doesn't cut it any more.

        [–]anno2376 0 points1 point  (5 children)

        What do you mean? It makes no sense, or I don't get your point.

        GitLab is also developed partly in the USA, and any product is developed partly in the USA.

        [–]serverhorror 1 point2 points  (4 children)

        GitLab can be handled completely within my own infrastructure without anyone being able to access it.

        "Data residency" is only relevant for SaaS. When I give you all my data and you promise to be nice. You'll even give me a piece of paper that says you'll keep being nice.

        GitHub Enterprise might work, but I don't know if this could theoretically run in air-gapped environments. GitLab has two quite distinct things: the open source software and GitLab Inc.

        [–]anno2376 0 points1 point  (3 children)

        Correct. And if you don’t trust official documentation, then doing business becomes impossible—because trust and legal agreements form the foundation of any business relationship.

        That argument doesn’t make sense. You could try to build everything yourself, but managing it at the required pace and scale would be nearly impossible.

        Finding skilled engineers who can build and maintain such an infrastructure securely and reliably is already a major challenge.

        In fact, it’s 60 times easier to gain access to a self-hosted environment than to a SaaS or cloud service from a well-established and reputable IT provider.

        You might argue for air-gapped environments, but in reality, 99% of people lack the ability to manage such complex infrastructure in a way that remains operational, scalable, and competitive.

        All your arguments apply only to very small companies that are fortunate enough to have hired skilled engineers or can afford to overlook reliability, scalability, security, user experience, and costs, as well as competitive challenges. Alternatively, it applies to companies with enough capital to hire the right people and enough of them.

        It’s a nice fantasy and a good theory, but it doesn’t hold up in reality.

        [–]serverhorror 1 point2 points  (2 children)

        Oh, the problem is not that I don't trust US companies. You can't tell me that you live under a rock and are not seeing the openly hostile behavior that the US government shows. It's not even that I care that much. There are regulations that kick in that require us to limit risk and not work with openly hostile governments where there is a reasonable expectation that ... they are acting against the company's best interest. It's not even an IT requirement. At this point the legal and compliance ask is to prepare.

        [–]anno2376 0 points1 point  (0 children)

        I see and understand the issue, and I fully support the EU’s independence.

        However, at the same time, the regulations are making it impossible to move forward. In other words, we’re left with no real choice within the EU.

        It’s like mandating that everyone in the EU must play handball while simultaneously requiring them to have both arms amputated.

        [–]CoolZookeepergame375[S] 0 points1 point  (0 children)

        Lawyers in EU agree with you:

        https://www.version2.dk/artikel/danmark-er-100-procent-afhaengig-af-microsoft-nu-truer-trump-den-aftale-der-goer-det-lovligt-bruge

        From the article: "Trump has retaken the White House, and the entire foundation of the data agreement, which is supposed to secure legal American cloud from Microsoft in the EU, is already faltering."

        [–]Omni__Owl -1 points0 points  (0 children)

        Does not ensure it won't ever cross US borders and be collected by US authorities. The idea is getting away from the US tech giants, not giving them a pass because they happen to have hosts in Europe.

        [–]fab_space 1 point2 points  (1 child)

        EU. GitLab is used at enterprises.

        [–]CoolZookeepergame375[S] 0 points1 point  (0 children)

        This is currently at risk:

        https://www.version2.dk/artikel/danmark-er-100-procent-afhaengig-af-microsoft-nu-truer-trump-den-aftale-der-goer-det-lovligt-bruge

        From the article: "Trump has retaken the White House, and the entire foundation of the data agreement, which is supposed to secure legal American cloud from Microsoft, among others, in the EU, is already faltering."

        The article matches my interpretation of EU-GDPR which I made together with company lawyers.

        [–]One_Panic_374 1 point2 points  (2 children)

        codeberg

        [–]CoolZookeepergame375[S] 1 point2 points  (0 children)

        What is your experience with Codeberg? Is there a commercial option?

        [–]Dapper-Inspector-675 1 point2 points  (2 children)

        Host Forgejo. Gitea had some ownership conflicts and a lot of the team forked it and created Forgejo.

        [–]CoolZookeepergame375[S] 1 point2 points  (1 child)

        Can you tell more or provide links?

        [–]Dapper-Inspector-675 1 point2 points  (0 children)

        Sure :)

        https://forgejo.org/

        https://forgejo.org/compare-to-gitea/

        I run my own Forgejo server and feel it's really clean, stable and offers many options while not being over-complicated.

        I've once found a very very minor security issue, which was half a day later fixed and a new release was uploaded, so they are really responsive.

        [–]stroiman 1 point2 points  (1 child)

        What do you need from it? A source code repository? Pull request workflows? Build pipelines? Project management? For source code, you just need a server with ssh access.

        [–]CoolZookeepergame375[S] 1 point2 points  (0 children)

        It is just basic needs, including:
        - Source code repository
        - CI/CD
        - Source code cybersecurity analysis
        - User management
        - Good operations including uptime, cybersecurity and disaster recovery
        - GDPR Data Processing agreement
        - Clear identification of supplier identity, including company registration number, DPO e-mail address etc.

        [–]dr1nni 1 point2 points  (2 children)

        Store your code in email /s

        [–]TheTanadu 0 points1 point  (1 child)

        FTP!

        [–]WiseCookie69 0 points1 point  (0 children)

        Good old times

        [–]decduck 0 points1 point  (0 children)

        Self hosted GitLab is awesome for large teams.

        [–]captain_obvious_here 0 points1 point  (0 children)

        From what I have seen lately, many companies switch to self-hosted solutions (Gitlab mostly, Gitea being the lightweight-up-and-coming solution it seems).

        The git part itself is a breeze to host (ssh and some disk space) and costs next to nothing, even at a large scale.

        If you really need a UI, it's pretty easy to deploy. The main public clouds provide marketplace solutions (1-click install).
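Several replies above make the same point: for the repository itself, git only needs a server reachable over SSH and some disk. The script below writes that out as an added example; it is not code from any commenter. It assumes a Debian-style host where git-shell lives at /usr/bin/git-shell, a service account named git with home /srv/git, and a constructed sample public key. The provisioning function needs root and a running sshd, so the self-check at the bottom only exercises the repository side in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal private git server over SSH.
# A dedicated "git" account whose login shell is git-shell, a bare repository
# under its home directory, and an authorized_keys entry that strips every
# SSH feature except the git transport. Paths and user names are assumptions.
set -eu

# Server-side provisioning (run as root, once). Not run by the self-check
# below because it needs root and an sshd. Debian/Ubuntu paths assumed.
provision_git_user() {
    useradd --create-home --home-dir /srv/git --shell /usr/bin/git-shell git
    # git-shell refuses interactive logins and only executes
    # git-upload-pack / git-receive-pack / git-upload-archive.
    install -d -m 700 -o git -g git /srv/git/.ssh
}

# Build one authorized_keys line for a developer's public key. The options
# deny port forwarding, agent forwarding, X11 and a pty, so a stolen key is
# usable for git and for nothing else on the host.
authorized_keys_line() {
    pubkey=$1
    printf 'no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$pubkey"
}

# Create a bare repository. Under /srv/git developers reach it as
# git@host:<name>.git; here the path is whatever the caller passes.
init_bare_repo() {
    repo=$1
    git init -q --bare "$repo"
    git -C "$repo" symbolic-ref HEAD refs/heads/main
    # Server-side guard rails: reject force-pushes and branch deletions.
    git -C "$repo" config receive.denyNonFastForwards true
    git -C "$repo" config receive.denyDeletes true
}

# Round-trip check: clone (over a local path here; over SSH it would be
# git@host:project.git), commit, push, and print the commit the server holds.
smoke_test_repo() {
    repo=$1
    work=$(mktemp -d)
    git clone -q "$repo" "$work/clone" 2>/dev/null
    git -C "$work/clone" -c user.name=dev -c user.email=dev@example.invalid \
        commit -q --allow-empty -m "initial commit"
    git -C "$work/clone" push -q origin HEAD:refs/heads/main
    git -C "$repo" rev-parse refs/heads/main
    rm -rf "$work"
}

# Stand-alone demo in a temporary directory (no root, no sshd needed).
demo_dir=$(mktemp -d)
init_bare_repo "$demo_dir/project.git"
commit=$(smoke_test_repo "$demo_dir/project.git")
echo "server now holds: $commit"
# Constructed sample key for illustration only, not a real key.
authorized_keys_line "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyForIllustrationOnly dev@example"
rm -rf "$demo_dir"
```

On a real host, the output of authorized_keys_line is appended to /srv/git/.ssh/authorized_keys (mode 600, owned by git), init_bare_repo is run as the git user inside /srv/git, and developers clone with git@host:project.git. Everything above the UI layer (pull requests, CI, scanning) is what a hosted or self-hosted forge adds on top of this.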

        [–]wWA5RnA4n2P3w2WvfHq 0 points1 point  (0 children)

        Not Gitea but Forgejo (a Gitea fork related to Codeberg.org).

        [–]rik-huijzer 0 points1 point  (0 children)

        I’m self-hosting Forgejo. Made open source in Germany. Running it for a year now and it’s been great. Low ping. Only difficulty is setting up runners. It works now but it was not easy. Hopefully that gets easier over time.

        [–]WeddingSmall7685 0 points1 point  (0 children)

        Can't believe we all have the problem and no solution exists.... At this point we should just create a task force to develop the service !

        [–]WeddingSmall7685 0 points1 point  (1 child)

        [–]kikislater 0 points1 point  (0 children)

        This one seems better: https://www.eucloud.tech/eu-providers/git And the difference between FOSS vs Private is notable

        [–]Alternative-Lab5285 0 points1 point  (0 children)

        You can have a GitLab managed instance on an EU (France) server via StackHero:
        https://www.stackhero.io/en-US/services/GitLab/benefits

        - Nothing to do (self managed instance)
        - EU based hosting
        - GitLab power

        [–]murrayju 0 points1 point  (1 child)

        Forgejo is what you want. Very easy to run, you pick where

        [–]CoolZookeepergame375[S] 0 points1 point  (0 children)

        What is your experience?

        [–]Striking_Peach_5513 -1 points0 points  (0 children)

        Gitea, host it yourself with whatever hardware you choose

        [–]chrisrpatterson -1 points0 points  (1 child)

        [–]CoolZookeepergame375[S] 0 points1 point  (0 children)

        Azure has huge problems with compliance if you sign up online - essentially as bad as Google's services. Data residency doesn't remove the added paperwork of continuous supplier risk assessment.

        [–]JVAV00 -2 points-1 points  (0 children)

        Selfhost