After a U.S. federal contractor told us they loved Plane but couldn't use it due to ITAR requirements, we spent 6 months building a truly air-gapped version. No external connections, no license pings, no telemetry, everything runs in complete isolation.
The interesting part: our air-gapped deployment actually runs faster than our SaaS version. Turns out when you eliminate all network latency, things get snappy.
This post covers the technical challenges we solved (supply chain trust, 2GB bundle size, offline licensing) and why regulated industries need alternatives to cloud-only tools like Jira.
isatty · 2h ago
> The interesting part: our air-gapped deployment actually runs faster than our SaaS version.
This is the least surprising thing I’ve read all day.
jagged-chisel · 20m ago
Indeed. For multiple reasons:
- it is not at all surprising that when you remove cruft, code performs batter
- it is not at all surprising that this is not common enough amongst software engineers to even consider these things (competing business interests probably cause this often)
magicalhippo · 6h ago
> Turns out when you eliminate all network latency, things get snappy.
Same experience with JIRA. I read all these negative comments here and elsewhere about how slow and clunky JIRA was, and I couldn't relate at all.
Then I realized all those who complained was using JIRA Cloud and we were using on-prem, and it all made sense.
We've since moved to JIRA Cloud ourselves, and I understand now.
We moved and none of the new places had any viable computer room, so literally had to put the rack in a closet And well, that ain't cutting it for physical access control these days. Thankfully we have very simple flows without any BS, so not too many 1-5 second clicks to get things done.
uxp100 · 6h ago
I have had the opposite experience with Jira at a relatively large corporation (years ago). Our local Jira was probably just configured weird or on underpowered hardware though.
tikkabhuna · 5h ago
Having adopted a number of development tools, including Jira and Confluence, it’s amazing people let them sit there chugging away on underpowered machines with hundreds of users quietly complaining about the speed. Throwing some extra CPU cores and memory is so cheap for the quality of life improvement, let alone the productivity gain.
nitwit005 · 4h ago
The concurrent (human) user counts at even large companies is probably a couple dozen at most.
Usually with these tools, the performance problems magically vanish if you disable all the integrations people have set up. My company is constantly denial of service attacking Jira with Github updates, for example.
Edit: typo
makeitdouble · 3h ago
People complaining about JIRA has become enough of a trope that it mostly gets ignored.
Also big enough corps give underpowered machines to the mass of employees (anyone not a dev, designer or lead of something) so latency is just life to them.
time0ut · 3h ago
Just open the network tab and refresh a page in Jira and you will understand. It isn’t too noticeable on a LAN. Stick the internet in there and it is painful. The worst I have seen is self hosted and accessed over Netskope ZTNA. Truly an abomination.
IshKebab · 6h ago
> Then I realized all those who complained was using JIRA Cloud and we were using on-prem, and it all made sense.
Even Atlassian doesn't use Jira cloud. Btw it's not "JIRA".
latentsea · 28m ago
Everytime I'm using JIRA and I type JIRA and it automatically corrects it to Jira, I hit Ctrl+Z to undo the autocorrect.
magicalhippo · 6h ago
> Even Atlassian doesn't use Jira cloud.
That would explain a lot.
> Btw it's not "JIRA".
When did they change this? I'm fairly certain[1] it used to be JIRA.
Atlassian very much do use Jira cloud. Source: I worked there for 10 years. Not apologising for it's performance however.
tomrod · 3h ago
Any inights why the performance often varies between a Model T Ford and a glacial boulder?
michaelt · 3h ago
I mean, presumably it's subject to the two curses of modern software:-
1. Unless major customers are actively closing their accounts due to the poor performance, improving performance isn't a priority.
2. The people who pay for it aren't the people who use it, so the performance can get very, very bad before customers start closing their accounts.
tomrod · 4h ago
What a weird time to enforce British rules for acronyms.
JIRA stands for JIRA Isn't Really Awesome.
joeldo · 5h ago
That's no longer the case - a large portion of teams are now using cloud variants of Confluence/Jira.
zelphirkalt · 5h ago
Also that Jira is one of these mutants, between SPA and pages, doing neither well.
bigmattystyles · 33m ago
The other thing, every pm wants a custom field just for their project, a field they’ll forget they asked for a day later. TLDR, put a governance board that’s fine saying no especially when someone inevitably pulls rank.
mschuster91 · 5h ago
> We've since moved to JIRA Cloud ourselves, and I understand now.
Jira on-prem was dog slow, yes, especially if it didn't live on the same server as the database. But Jira Cloud? It isn't much faster than that! It's a piece of hot mess. Loading placeholders everywhere. Really I have absolutely zero idea what Atlassian is doing, but I know for sure optimizing for performance is not amongst the things they are doing.
echelon · 4h ago
Our org used Jira on-prem for 2k engineers and 3k additional staff and it was slow as molasses.
The dialogues and context menus took forever to show and page navigation was beyond painful.
We had dedicated engineering for maintaining our Jira and Bitbucket, and they still fell over. We eventually moved back to GitHub. (Our usage went from GitHub on-prem pre-MS -> Bitbucket on-prem -> GitHub cloud post-MS.)
I hate Jira regardless of where it's deployed. It's a beast.
firesteelrain · 3h ago
We run a full Atlassian suite on prem for 5k users and it works really well
They've removed it from their pricing page now, but when they announced the discontinuation of the regular on-prem server the minimum for datacenter was like 500 licensed users or something along those lines.
In any case it was clear it's not for small shops like us.
That said, air-gapped is a hefty requirement, so perhaps those customers are predominantly large?
bigfatkitten · 4h ago
> That said, air-gapped is a hefty requirement, so perhaps those customers are predominantly large?
There are lots of very small classified networks out there with only a few dozen users.
There are a lot more user communities course that aren’t necessarily airgapped, but where they have special compliance requirements that pretty much mandate self hosting (or at least bring-your-own cloud.)
viharkurama · 6h ago
We took a different approach with Plane's air-gapped offering. No minimum user requirements at all. We evaluate based on your use case and domain requirements, not team size.
magicalhippo · 6h ago
Good approach IMHO.
We do the similar with our B2B product (in an entirely different niche). We have everything from single-person companies up to very large ones. Similarly we set price based on use-case and requirements.
I still run an old version on an air gapped network and will continue to do so until we're forced to change for some reason. It's not a hefty requirement; we run it for a team of < 10 developers on a small VM and it just works.
magicalhippo · 5h ago
Blind as a bat, thanks. Was looking for a pricing page or similar, totally scrolled by that box which looked like marketing fluff.
jasondc · 6h ago
$$$$ Very expensive
thaack · 6h ago
Sure if you commit to a 500 user minimum.
bpt3 · 6h ago
It might as well be for the vast majority of companies, since I believe the smallest number of users you can buy support for is 500.
To be more specific, they killed off the legacy Jira Server and now only offer these enterprise versions of Jira and the rest of the suite if you won't move to the cloud.
yodon · 6h ago
How do you handle compliance in confirming that the product is only used for the license duration? (Or is it more of a one time purchase plus recurring fee for updates?)
Msurrow · 6h ago
At this level (govt, 6 figure+ deals) I would at least consider if this problem should have a non-tech solution, and instead have a legal/lawyer solution. In my experience (not US based though) the govt contracts are under compliance programmes as well so the govt agency’s legal/contract mgmt team would probably follow up internally on expiring contracts (ie licences) and require the owning stakeholder to either renew the contract or abandon the software. Meaning the customer would supervise itself regarding licence. But even if you don’t want to rely on self-supervision then having your lawyer spend 1 hour reaching out with a “do you need to renew your licence” at the end of a licence term would probably be much cheaper than building and maintaining an air-gapped licence solution.
bobmcnamara · 5h ago
Years back a friend of mine's startup failed when USAF pirated their software and the original customer org stopped paying for it.
Feds are DMCA immune, so no real recourse.
atonse · 4h ago
This seems very suspect.
Usually you do have recourse via procurement channels and reps. If you file a complaint with that agency stating that they’re using a license without paying for it, it will result in at least an investigation.
michaelt · 3h ago
If you got to hire the cops to investigate your own mistakes, would you hire competent, motivated folks who'd leave no stone unturned and get access to every classified, air-gapped network in search of license infringements?
I wouldn't. I'd hire some Peter Gibbons type, who only does about 15 minutes of real, actual work in a typical week. Then I'd tell them they can finish early if all their pending cases are closed.
bobmcnamara · 2h ago
Practically the federal government shouted, Neener neener neener! Rules for thee but not for meeeeeee!
Hopefully this was fixed, but this was the standing precedent at the time.
unethical_ban · 2h ago
As soon as I saw that he put it on the employer machines at his own work before locking down a sale, they'd screw him whether he deserved it or not.
bigfatkitten · 4h ago
Sounds like having only one paying customer was the real cause of the business’s failure.
bobmcnamara · 2h ago
They've mentioned that was a valuable lesson.
fc417fc802 · 3h ago
Largely agree but I want to challenge this bit at the end.
> probably be much cheaper than building and maintaining an air-gapped licence solution
I think this is an unwise attitude to take. There's something to be said for a simple picket fence. Even though someone could easily hop it if they wanted to, they lose plausible deniability and in most cases that's all that really matters at the end of the day.
viharkurama · 6h ago
It's a subscription license. We offer air-gapped deployments under the Business plan. As part of compliance, we request customers to share license logs quarterly-no PII involved. Also, the license enforces seat limits, so you can't exceed the number of users you've purchased. https://plane.so/pricing
unixhero · 4h ago
Itar ruins all the fun
jeron · 6h ago
>our air-gapped deployment actually runs faster than our SaaS version. Turns out when you eliminate all network latency, things get snappy.
Notion, take notes
Pi9h · 4h ago
I am also building https://docmost.com, a self-hostable Confluence alternative that can run fully air-gapped.
It has support for spaces, real-time collaboration, a rich-text editor, built-in diagrams support and more.
There is no price anywhere. I would be interested to use that for either my job or for private projects, but where and how much do I pay?
Edit: I looked again and even your pricing pages have no price. I understand that you may want to restrict yourself to rich companies, but I don't understand the point of posting on HN if that's the case.
viharkurama · 6h ago
If you want air-gapped it's on Business tier, please look at our pricing page.
That being said, we don't recommend the air-gapped version for personal use. Instead, you can use our open-source Community Edition here: https://github.com/makeplane/plane — you can self-host it and disable telemetry entirely.
pc86 · 6h ago
Air-gapped probably adds a zero or two to the highest tier Enterprise price. You wouldn't buy an Enterprise license for a personal project, why would you buy an Enterprise++ license (which is essentially what AG is)?
This also makes it infinitely more useful for healthcare. Not healthcare software specifically. Lots of use cases in logistics, irl maintenance, etc. Patient data creates hipaa challenges and tends to overflow into any system.
mannyv · 45m ago
Nothing in HIPAA mandates air gaps. In the context of HIPAA that's really overkill.
In fact, self-hosting might even do you wrong when things go bad, because AWS is probably better managed and more secure. And they have all their certs, which is legally important.
tptacek · 3h ago
Why would a health care org care about air-gapped deployments? Most (really, almost all) health care data is stored on cloud SAAS databases already; for people who care, this vendor already had an on-prem version.
SMrF · 2h ago
What you say makes sense, but I think there can be reasons. For our military customers we offer an air-gapped version of our app early on because it was easier for customers than getting an ATO. Also as a bootstrapped company it was a lot cheaper than FedRAMP. I'm guessing I'd lean on a similar strategy if I had a health care startup.
tptacek · 1h ago
Most health care companies get along just fine in AWS, just for what it's worth.
viharkurama · 3h ago
+1. We already work with a few healthcare teams, and self-hosted is almost always their go-to. Our air-gapped edition has been in beta for a bit, and we’re seeing more use cases pop up—especially in places where HIPAA and data isolation matter a lot.
jasondc · 6h ago
Big fan of Plane since it's open-core.
Doesn't seem to be a lot of options for self-hosted/open-core project management software. The existing ones looks pretty bad, and don't come anywhere close to Jira level functionality.
IshKebab · 6h ago
> don't come anywhere close to Jira level functionality.
In my experience that's probably a good thing. I've moved from a company using Phabricator to one using Jira. Phabricator had exactly everything we needed and was very nicely designed and worked really nicely.
Jira has everything you need plus loads of other stuff that project managers feel like they need to add. Oh and they'll never clear anything up or fix any config bugs because they don't actually have to ever use the "report bug" form so who cares if there are 100 fields and half of the mandatory ones are hidden in "More fields"? 5 different states for "TODO"? Eh who cares. 3 different ways to say which team a bug is in? Better fill them all in for every bug.
It's better to be missing features than to have features that project managers can configure.
jay_kyburz · 2h ago
The first bug you should log is that the bug logging page has unnecessary fields.
majkinetor · 3h ago
Redmine is awesome
intexpress · 4h ago
A version of JIRA that nobody can access sounds pretty good
zppln · 6h ago
Ehm, fairly sure you can use Jira in an air-gapped environment.
jasondc · 6h ago
from Google: "Atlassian has sunsetted its Server product line, including Jira Server, meaning they are no longer supported and users need to migrate to Cloud or Data Center versions. Specifically, support for Atlassian Server products ended on February 15, 2024. This includes the end of new license sales, renewals, and security updates for Jira Server. "
kingnothing · 6h ago
There's the self-hosted Atlassian Data Center product.
You'll pay through your nose for a Data Center license though, and it doesn't change the fact that Jira is a mess so slow that SAP can appear fast in comparison.
firesteelrain · 6h ago
Data center version is available. I use it.
rubidium · 1h ago
They make it seem like a big deal. It’s pretty much how all software used to ship :)
mind_heist · 2h ago
This is totally a tangential point. Why do they call it "air gapped" instead of "air tight" ? Are these supposed to mean different things ?
ojame · 2h ago
You can have an air gap between two physical items - it doesn't matter if those physical items are air tight or not. Air gapped doesn't mean the items are prohibited to intake air (i.e. air tight), it just means they're prohibited to intake things _apart_ from air.
dummydummy1234 · 2h ago
Airgapped systems have an air gap between the system and the wider world. The only way to move data to and from them is for someone to walk across the gap with physical media.
There are no communication cables between the host system and the wider world.
defrost · 1h ago
There are other ways, of course.
* air-gap malware can be designed to communicate secure information acoustically, at frequencies near or beyond the limit of human hearing.
* In 2014, researchers introduced ″AirHopper″, a bifurcated attack pattern showing the feasibility of data exfiltration from an isolated computer to a nearby mobile phone, using FM frequency signals.
* In 2015, "HELLONE", a covert signaling channel between air-gapped computers using thermal manipulations, was introduced. "BitWhisper" supports bidirectional communication and requires no additional dedicated peripheral hardware.
* Later in 2015, researchers introduced "GSMem", a method for exfiltrating data from air-gapped computers over cellular frequencies. The transmission - generated by a standard internal bus - renders the computer into a small cellular transmitter antenna.
Any more details about the offline patch/upgrade process? When I looked at gitlab years ago, it handled that fine but the documentation seemed "nervous" about it.
I struggle to think why that would be any drama, unless the setup is trying to use "bare" gitlab (e.g. running the puppet commands manually versus $(docker save -o airgapped_gitlab.tar gitlab/gitlab-ce:18.2.0-ce && cp ./*.tar /dev/disk/usb-whatever/goodluck/))
lifeisstillgood · 4h ago
I guess my mental model is all wrong but those air-gapped choices - they seemed kind of what is natural to do …
colordrops · 1h ago
Most self-hosted apps, including jira, can be airgapped. Yeah maybe it's not made super easy like Plane, but any org that requires this is going to have an IT department that can handle it.
hd4 · 6h ago
just a fyi for anyone looking for a neat little kanban board, gitea has kanban built-in into the projects feature.
(obviously lacks really fine-grain customization that would be found in other jira alternatives)
acidburnNSA · 1h ago
And the gitea fork, forgejo does too.
0xWTF · 4h ago
As a DoD employee, it would be amazing if more companies took this seriously (I'm looking at you health tech bros).
radicaldreamer · 5h ago
This is just shipping a docker container for people to run the app on their own infrastructure. Retool does the same thing for companies which don’t want to expose internal resources and databases to the cloud.
firesteelrain · 6h ago
Jira has a self-hosting option. It already is air gap ready. See Jira Data Center.
Given their customer base, I wonder why they bothered with any license enforcement for the pure on-prem. Just do the "license enforcement" implicitly when customers want to update: they need to log in to get the new image.
(Your regular annoying notice that FIPS-compliant crypto is, if anything, marginally less secure than non-FIPS crypto; not that it matters in any material way, just, it's not a flex.)
rendall · 4h ago
> This post explores the journey of building this specialized deployment option for regulated industries where data sovereignty isn't just preferred—it's mandatory.
This is an AI writing tell: "It's not just x—it's y."
It's an AI writing tell that was copied from so many of us who use it.
kstrauser · 3h ago
I loathe every cheap throwaway comment like this.
Know who else uses punctuation? People who write. In fact, that's where the AI got the idea.
miki123211 · 4h ago
TBH, if I were working in such a highly regulated industry, I'd be very hesitant about buying software from a company with a .so domain and basically beholden to the whims of the government of Somalia.
If they said "implement a backdoor for us or all your non-airgapped customers lose access tomorrow", are you sure the company would be able and willing to say no?
mdaniel · 4h ago
That's a very odd thing to bring up in the context of self-hosting, since you would not interact with their .so domain whatsoever; ensure that the AGPLv3 aligns with your needs, git clone -b v0.27.1 https://github.com/makeplane/plane.git and be happy
annoyingnoob · 4h ago
Now do an air-gapped Confluence killer, please.
viharkurama · 4h ago
We already support this. We pack all our products in one single offering.
The interesting part: our air-gapped deployment actually runs faster than our SaaS version. Turns out when you eliminate all network latency, things get snappy.
This post covers the technical challenges we solved (supply chain trust, 2GB bundle size, offline licensing) and why regulated industries need alternatives to cloud-only tools like Jira.
This is the least surprising thing I’ve read all day.
- it is not at all surprising that when you remove cruft, code performs batter
- it is not at all surprising that this is not common enough amongst software engineers to even consider these things (competing business interests probably cause this often)
Same experience with JIRA. I read all these negative comments here and elsewhere about how slow and clunky JIRA was, and I couldn't relate at all.
Then I realized all those who complained was using JIRA Cloud and we were using on-prem, and it all made sense.
We've since moved to JIRA Cloud ourselves, and I understand now.
We moved and none of the new places had any viable computer room, so literally had to put the rack in a closet And well, that ain't cutting it for physical access control these days. Thankfully we have very simple flows without any BS, so not too many 1-5 second clicks to get things done.
Usually with these tools, the performance problems magically vanish if you disable all the integrations people have set up. My company is constantly denial of service attacking Jira with Github updates, for example.
Edit: typo
Also big enough corps give underpowered machines to the mass of employees (anyone not a dev, designer or lead of something) so latency is just life to them.
Even Atlassian doesn't use Jira cloud. Btw it's not "JIRA".
That would explain a lot.
> Btw it's not "JIRA".
When did they change this? I'm fairly certain[1] it used to be JIRA.
[1]: https://confluence.atlassian.com/jira061
1. Unless major customers are actively closing their accounts due to the poor performance, improving performance isn't a priority.
2. The people who pay for it aren't the people who use it, so the performance can get very, very bad before customers start closing their accounts.
JIRA stands for JIRA Isn't Really Awesome.
Jira on-prem was dog slow, yes, especially if it didn't live on the same server as the database. But Jira Cloud? It isn't much faster than that! It's a piece of hot mess. Loading placeholders everywhere. Really I have absolutely zero idea what Atlassian is doing, but I know for sure optimizing for performance is not amongst the things they are doing.
The dialogues and context menus took forever to show and page navigation was beyond painful.
We had dedicated engineering for maintaining our Jira and Bitbucket, and they still fell over. We eventually moved back to GitHub. (Our usage went from GitHub on-prem pre-MS -> Bitbucket on-prem -> GitHub cloud post-MS.)
I hate Jira regardless of where it's deployed. It's a beast.
Well except Bamboo. It’s terrible
But Jira is not cloud-only?
https://www.atlassian.com/enterprise/data-center
In any case it was clear it's not for small shops like us.
That said, air-gapped is a hefty requirement, so perhaps those customers are predominantly large?
There are lots of very small classified networks out there with only a few dozen users.
There are a lot more user communities course that aren’t necessarily airgapped, but where they have special compliance requirements that pretty much mandate self hosting (or at least bring-your-own cloud.)
We do the similar with our B2B product (in an entirely different niche). We have everything from single-person companies up to very large ones. Similarly we set price based on use-case and requirements.
$51k for the smallest license they offer.
I still run an old version on an air gapped network and will continue to do so until we're forced to change for some reason. It's not a hefty requirement; we run it for a team of < 10 developers on a small VM and it just works.
To be more specific, they killed off the legacy Jira Server and now only offer these enterprise versions of Jira and the rest of the suite if you won't move to the cloud.
Feds are DMCA immune, so no real recourse.
Usually you do have recourse via procurement channels and reps. If you file a complaint with that agency stating that they’re using a license without paying for it, it will result in at least an investigation.
I wouldn't. I'd hire some Peter Gibbons type, who only does about 15 minutes of real, actual work in a typical week. Then I'd tell them they can finish early if all their pending cases are closed.
https://arstechnica.com/tech-policy/2008/08/air-force-cracks...
Hopefully this was fixed, but this was the standing precedent at the time.
> probably be much cheaper than building and maintaining an air-gapped licence solution
I think this is an unwise attitude to take. There's something to be said for a simple picket fence. Even though someone could easily hop it if they wanted to, they lose plausible deniability and in most cases that's all that really matters at the end of the day.
Notion, take notes
It has support for spaces, real-time collaboration, a rich-text editor, built-in diagrams support and more.
We launched on HN 1 year ago: https://news.ycombinator.com/item?id=40832146
Edit: I looked again and even your pricing pages have no price. I understand that you may want to restrict yourself to rich companies, but I don't understand the point of posting on HN if that's the case.
That being said, we don't recommend the air-gapped version for personal use. Instead, you can use our open-source Community Edition here: https://github.com/makeplane/plane — you can self-host it and disable telemetry entirely.
In fact, self-hosting might even do you wrong when things go bad, because AWS is probably better managed and more secure. And they have all their certs, which is legally important.
Doesn't seem to be a lot of options for self-hosted/open-core project management software. The existing ones looks pretty bad, and don't come anywhere close to Jira level functionality.
In my experience that's probably a good thing. I've moved from a company using Phabricator to one using Jira. Phabricator had exactly everything we needed and was very nicely designed and worked really nicely.
Jira has everything you need plus loads of other stuff that project managers feel like they need to add. Oh and they'll never clear anything up or fix any config bugs because they don't actually have to ever use the "report bug" form so who cares if there are 100 fields and half of the mandatory ones are hidden in "More fields"? 5 different states for "TODO"? Eh who cares. 3 different ways to say which team a bug is in? Better fill them all in for every bug.
It's better to be missing features than to have features that project managers can configure.
https://www.atlassian.com/enterprise/data-center
They also offer Government Cloud.
https://www.atlassian.com/government
There are no communication cables between the host system and the wider world.
* air-gap malware can be designed to communicate secure information acoustically, at frequencies near or beyond the limit of human hearing.
* In 2014, researchers introduced ″AirHopper″, a bifurcated attack pattern showing the feasibility of data exfiltration from an isolated computer to a nearby mobile phone, using FM frequency signals.
* In 2015, "HELLONE", a covert signaling channel between air-gapped computers using thermal manipulations, was introduced. "BitWhisper" supports bidirectional communication and requires no additional dedicated peripheral hardware.
* Later in 2015, researchers introduced "GSMem", a method for exfiltrating data from air-gapped computers over cellular frequencies. The transmission - generated by a standard internal bus - renders the computer into a small cellular transmitter antenna.
https://en.wikipedia.org/wiki/Air-gap_malware
(obviously lacks really fine-grain customization that would be found in other jira alternatives)
1. https://www.atlassian.com/enterprise/data-center/jira
(Your regular annoying notice that FIPS-compliant crypto is, if anything, marginally less secure than non-FIPS crypto; not that it matters in any material way, just, it's not a flex.)
This is an AI writing tell: "It's not just x—it's y."
https://youtu.be/9Ch4a6ffPZY
Know who else uses punctuation? People who write. In fact, that's where the AI got the idea.
If they said "implement a backdoor for us or all your non-airgapped customers lose access tomorrow", are you sure the company would be able and willing to say no?
This includes Projects + Wiki. More here: https://docs.plane.so/core-concepts/pages/wiki
Here's a blog on how you can switch between products within Plane, https://plane.so/blog/introducing-apprail-plane-new-navigati...