ActiveState’s Community Edition (CE) language distributions (ActivePython, ActivePerl and ActiveTcl) are being phased out. These kinds of global installers will soon be available only to our Enterprise users. Instead, ActiveState is replacing them with the ActiveState Platform ecosystem, which provides users with a secure open source supply chain and advanced package management capabilities. This blog explains why.
ActivePerl, ActivePython and ActiveTcl distributions bundle a version of the language with hundreds of the most popular packages from their respective communities. But these kinds of “one size fits all” distributions raise a number of issues because they:
- Quickly become outdated, compromising security
- Raise the chances of license conflicts in your codebase, compromising compliance
- Can result in larger application footprints, increasing the attack surface
- Install globally rather than in a virtual environment, making them prone to corruption
In contrast to these “download and forget” CE distributions, the ActiveState Platform acts a service to continually provide value by solving common issues like:
- Trojans – packages added to an environment are automatically built on demand from source, offering better security over installing potentially compromised pre-built binaries.
- Environment Corruption – automatically resolves dependencies ensuring environments never become corrupted.
- Dependency Hell – flags and offers manual solutions to dependency conflicts, eliminating dependency hell.
- Vulnerability Remediation – identify, resolve and automatically rebuild a secure environment ready to be pulled into your CI/CD pipeline in minutes.
ActiveState Platform “Service” vs CE “Product”
Because the ActiveState Platform is run as a service, it offers value over time, rather than just providing a runtime environment as with our CE products. For example, the ability to create configuration branches for dev, test, production, etc versions of your environment; the ability to roll back at any time to a previous configuration; native virtual environment support, among others that you can read about for Python and Perl.
But the most important thing the ActiveState Platform offers developers is time:
- Time saved configuring, troubleshooting, restoring and remediating environments
- Time saved from having to manually build packages from source code
- Time saved debugging and/or dealing with “works on my machine” issues
Compare that to working with any other Python or Perl distribution (including our old ActivePython CE or ActivePerl CE distributions):
- Wasted time dealing with dependencies? Yep.
- Perl Package Manager (PPM) won’t build that package for you so you have to do it manually? Sorry about that, but we do have a good reason.
- Need to investigate a critical vulnerability, patch it, and then rebuild and redeploy your environment? Of course, but it took more than a week to make it to production.
- Wasted time trying to debug an issue only to realize it was a misconfigured environment? Way too many times.
We’ve also built the ActiveState Platform in a way that fits with the existing processes organizations have been using while working with ActivePerl and ActivePython:
But it will require a bit of a learning curve as the ActiveState Platform introduces a new command line interface, the State Tool which replaces pip / PPM. To get started, you can:
- See how to create an environment with State Tool for Perl or Python
- Read the State Tool documentation
Or just sign up for a free account with your GitHub credentials and try it for yourself.
Supply Chain Security & Integrity
Because the ActiveState Platform runs as a service, it can do more than just supply the Python, Perl and Tcl components developers need – it can also ensure those components are secure and haven’t been tampered with throughout the import-build-consume process.
For example, when our ActivePerl or ActivePython CE distribution was missing a required package, developers would typically install it from CPAN (if PPM couldn’t build it) or the Python Package Index (PyPI). Since they’d typically install a prebuilt binary, this meant implicitly trusting CPAN/PyPI, which do not offer signed packages. For many organizations, this kind of security hole is a non-starter, forcing them to implement off-the-shelf products and/or custom code to create a more secure solution.
In contrast, the ActiveState Platform offers a turnkey solution to securing your open source supply chain. It imports Python, Perl and Tcl packages as source code from their respective public repositories (PyPI, CPAN, etc), as well as other popular repos, like GitHub. Indemnified packages are vetted for licensing and maintainability.
The ActiveState Platform will then build each package on demand from the imported source code using a universal build system that employs:
- Scripted builds, which ensure there is no manual intervention
- Secure build service run in Amazon Web Services (AWS)
- Ephemeral, isolated and hermetic (ie., no network access) environments for each build step
- Verifiable Reproducibility, which means that non-falsifiable provenance can be established for each built artifact
- Signing service (coming soon!) that ensures the integrity of each artifact in the build process
As an end-to-end, out-of-the-box solution, the ActiveState Platform can provide you with the capabilities you need to ensure the integrity of your open source supply chain across the entire import-built-consume process.
Conclusions: Increase Productivity & Security
The ActiveState Platform is designed to make developers more productive, while ensuring organizations can benefit from securing their open source supply chain at a time of increasing supply chain attacks.
Making the move from our Community Editions to the ActiveState Platform is as simple as installing the latest version of Python, Perl or Tcl from ActiveState. However, you should also be aware of the licensing and pricing changes that come with it.
And if you have any questions, you can always contact Sales.
Ready to see for yourself? You can try the ActiveState Platform by signing up for a free account. Or contact Sales for a free demo and let us show you how you can secure your open source supply chain today.