Add tirreno to Monitoring #618
Conversation
LGTM, no problems here pending further thoughts from collaborators.
Looks like an interesting addition.
Interesting but quite young project. I'd prefer to only list projects that have at least a few years of existence (this was first released in January). It requires custom integrations inside your application https://www.tirreno.com/how-it-works/ which makes it closer to a software development tool/library/SDK than a traditional SIEM. It is also a candidate for the infamous https://sso.tax/ (SAML support in the I'd rather wait and see how this project evolves.
Thanks for your time reviewing this. We first applied to Awesome Selfhosted but received a reply stating that the project must mature for 4 months after its first release. I must admit that, at the current time, this is a product with over 10k hours/engineers spent, as it was developed over 3 years prior to its initial release, which was indeed in December. Then we reapplied, but it was suggested that we post instead to Awesome Sysadmin / Monitoring, as the tirreno platform is something between a SIEM for web applications and a cyber-fraud protection platform. SIEM in this context is just a way to explain what the tool does, as there is no other open-source solution with the same functionality currently existing. If 'SIEM' is an issue, we can easily refer to this simply as a platform. From this perspective, it seems acceptable that having any, even premature, tool against cyber fraud is better than having nothing. Finally, we don’t provide SAML support for the SaaS edition; it’s only available in the "enterprise" on-premise plan. Unfortunately, as non-VC-backed, we have to cover the development costs ourselves, and we don’t want commercial organizations to be misled into thinking they can use the platform without our support, as complex fraud prevention requires our team’s expertise. SAML support, in this case, is simply a guarantee that companies contact us before unsuccessfully trying to integrate the platform. However, to my knowledge, SAML is not a factor in determining whether software is considered free and open-source, and it is not mentioned as a requirement by Awesome-FOSS. Might I ask if we could still apply to Awesome Self-hosted, or whether this decision applies to both?
I'm wondering if there is any further information about tirreno we could provide. Perhaps reviews from bloggers or other resources?
Hi @tirrenian thanks for clarifying the actual limitations around the SAML feature, I edited my comment above to reflect that. I have no issues with that personally, though making security/authentication features exclusive to the Enterprise version is widely regarded as "not ideal" (see explanation on sso.tax and discussions around it elsewhere). I'm not asking you to change that. I completely understand the need to find a sustainable financial model for FOSS projects, for which I don't know a good solution - and I'd argue nobody really does. The license is fine (congrats for choosing AGPL), additional services around the Enterprise offering look fine and actually valuable, but we all know this doesn't pay the bills in most cases, and VC backing does not guarantee sustainability either (in fact quite the contrary). If I had a perfect solution I'd share it with you, but I don't. Making some features exclusive to the EE is as good a solution as any. The "not really a SIEM" thing I mentioned is not blocking, I guess tweaking the description/category would be sufficient. The cause for my "wait and see" vote is mainly the recent first release date. I haven't looked into the history of the project. If I was looking to invest time in a new monitoring solution I'd check for more mature alternatives first. Contribution guidelines for this repository are not the same as awesome-selfhosted, this category of software actually fits awesome-sysadmin, but we have an understanding with the previous maintainer that only stable, established, mature solutions should be approved. In the past there was a guideline "old enough to be in Debian Stable", which means around 2 years. I don't have a fixed, rigid expectation for the time since first release, but a few months is definitely not enough. We can keep this PR open and revisit when the software reaches ~1 year since first release.
This will leave time for other people to chime in, leave reviews, and for you to improve and stabilize the software.
All relevant resources are welcome, it's what these PRs are for.
@nodiscc per these comments, can you dismiss my review (I wish I could)
Hi @nodiscc First of all, thank you for your valued feedback. We have taken it into account and reconsidered the positioning of tirreno and excluded its comparison to a SIEM for web applications, referring to it solely as a platform for application-level security. I would like to take this opportunity to clarify that intensive (daily) development of this platform started in March 2022 (if needed, this can be proven by an invite to the initial repository). The reason it was released only in December 2024 is that our team is indeed responsible, and therefore we released it only when we were absolutely sure that it works as expected. So, in total, we now have over three years of development and field testing behind us. I’ve looked for some feedback on the internet, and here we are. Some of it has over 1,000 likes from cybersecurity professionals. Please note that we are not familiar with or affiliated with any of those authors. https://www.linkedin.com/posts/meisameslahi_cybersecurity-threathunting-threatdetection-activity-7331240299618279424-pWW4 As you might see, this platform is something people are looking for, but since there are no open-source alternatives and only a few extremely heavy enterprise solutions, it's difficult for them to find what they need due to the lack of visibility. I hope you and your colleague might take into account that this platform for user-centric security doesn't have an alternative in open source, that the initial repository age is actually over three years (which is in line with your guidance), and reconsider this PR. Thank you once again for your time.
Still a candidate for https://sso.tax
Just to clarify again, in case you missed my earlier comment: tirreno is not a SaaS. If you're not aware, setting up SSO in a self-hosted application isn't always straightforward. We don't see the value in including SSO in the community edition, since it would likely become a point of failure, require support, and ultimately degrade the experience. The site you mentioned highlights how SaaS vendors monetize SSO by offering it only in enterprise plans, which is relevant because SaaS is cloud-based. In contrast, tirreno is an open-source, self-hosted application, and if security is your concern, you can run it entirely within your organization's perimeter.
These points have been made by several people who monetize SSO, yes (please refer to the Buzz Lightyear gif). Not demonizing those who need to be paid, but also not saying that you fall far from the https://sso.tax tree. EDIT: The point of sso.tax is in its name. If there is a fee for SSO, you fall under that umbrella.
Apologies, but I'm not familiar with the cases you mentioned, and I still believe your claim is irrelevant. The difference is simple: we don’t make money by selling SSO. SSO is something that some of our enterprise clients request, so it’s included as part of an enterprise package which covers support, custom development, fine-tuning for specific use cases, deployment assistance, and more. In other words, SSO is not part of the self-service offering, and therefore it’s not included in the open-source version. I hope that’s clear now.
Can customers set up SSO without your assistance and without violating the usage license? If the answer is no, then https://sso.tax
I'm not sure I understand your question. If you would like to propose integrating an IdP yourself, feel free to do so.
Does your licensing allow customers to integrate SSO without paying for your support services? The question is extremely simple and direct.
You need to refer to the AGPL license terms. IANAL, but I don't see any reasoning that would prevent anyone from creating an IdP integration by making their contribution available. May I ask what your use case is that makes SSO so critical for your organization?
Done. AGPL License Terms do allow you to make modifications to source code, so you could add your own SSO component. However, AGPL requires that you leak your source code modifications which is a security concern and violates several principles of secure single sign on. One of the founding principles to https://sso.tax is that organizations intentionally lower your security by omitting your access to SSO as a means of monetizing it:
If an organization were to attempt to add SSO to your software in a source-secure manner without paying for your service, they would be forced to violate the terms of the AGPL.
To be clear, I am not trying to demonize making income off of your own software. Go for it! However, I can see through your very shallow facade of dancing around the https://sso.tax accusations.
Thank you for your reply. I'm not in a position to discuss someone else's website. If your organization has real security challenges with our offering, we're happy to address them. However, that doesn't seem to be the case here.
I do not think any of us care that you are unhappy to address our critiques. We are here to evaluate whether your software is awesome. To be clear, while you have started off on an awful footing, the only 2 non-awesome things you've done are:
Again these aren't disqualifying metrics (assuming nodiscc and the owners have no issue with it), but definitely not a strong start.
This brings us back to #460 (still not solved/clearly defined)
"Software you are submitting is not your own, unless you have a healthy ecosystem with a few contributors": there are 5 contributors to the project; whether or not we consider that "healthy" is up for debate (not all projects will attract 10s of contributors, but leaving some time for the project to mature will tell us if that's the case or not, another reason for my vote "wait and see").
I don't really mind, especially SAML... 😭 but I think we should add an anti-feature warning similar to https://awesome-selfhosted.net/ ( I stand by my initial opinion that we should wait and keep this issue/PR open. The concept looks interesting and quite unique (although you could replicate a good part of it with traditional SIEM and proper logging). I'm not inclined to outright reject this kind of addition. I'm also not inclined to merge them right away. Maybe we should make it more visible in the main README that pending additions in need of reviewers can be found in the issues/PR tabs, but that's another topic. All constructive comments are welcome, but keep it chill and in good faith. /vote wait until january 2026
I think a more appropriate option would be
Thank you @nodiscc for the thoughtful feedback and clear timeline. The team and I appreciate the constructive approach and will plan to revisit this as suggested in December 2025/January 2026, whichever comes earlier.
conversation moved to #623 |
Thank you for taking the time to work on a PR for Awesome-Sysadmin!
To ensure your PR is dealt with swiftly please check the following:
- Demo and Clients are optional.
- Do not add a duplicate Source code link if it is the same as the main link.
- Keep the short description under 80 characters and use sentence case for it, even if the project's webpage or readme uses another capitalisation.
- Demo links should only be used for interactive demos, i.e. not video demonstrations.
- Entry format: `- [Name](http://homepage/) - Short description, under 250 characters, sentence case. ([Demo](http://url.to/demo), [Source Code](http://url.of/source/code), [Clients](https://url.to/list/of/related/clients-or-apps)) `License` `Language``
- The Language tag is the main server-side requirement for the software. Don't include frameworks or specific dialects.
- Suggested titles: "Add aaa to bbb" for adding software aaa to section bbb, "Remove aaa from bbb" for removing, "Fix license for aaa", etc.
Please take some time to answer the following questions as best you can:
Unlike classic SIEMs that focus on infrastructure, tirreno monitors your users to detect threats where they actually happen — inside your app.
5 months.
Both.
3000+.
Pros: fast and easy deployment with low technical requirements.
Cons: 'static' UI without customization options.
@kokomo123 reviewer suggested that tirreno better fits awesome-sysadmin rather than awesome-selfhosted.