Last Updated: September 8, 2022

Python Artifact Repositories

In general, an artifact repository provides the ability to store “built” software and make it available for use by other systems, processes or end users. Most artifact repositories (like JFrog Artifactory, Sonatype Nexus, Google Artifact Registry, and many more) support multiple open source languages (Python, Java, JavaScript, etc) and artifacts (from containers to compiled applications to tarballs).

By contrast, the ActiveState Artifact Repository supports only the Python language and Python artifacts (wheels).  So why would you choose it over an established artifact repository? Simply put: supply chain security.

Traditional artifact repositories ingest whatever you point them at. When it comes to Python, the target is typically the Python Package Index (PyPI), which offers no guarantees as to the security and integrity of the prebuilt packages they provide. Alternatively, the source may be an internal build system that creates Python packages from source code. Unfortunately, most Python package build systems: 

  • Either create one-off builds, meaning the codebase is never updated which results in buggy, vulnerable applications over time, or
  • Generate high operational overhead due to the costs of implementing and maintaining multiple build systems, one for each OS your developers and deployment systems require.

While building all Python dependencies from source code is better than implicitly trusting PyPI, there’s still no guarantee you won’t become the next Solarwinds without the proper controls in place.

The ActiveState Artifact Repository crucially includes the ability to automatically build Python packages securely from source code (including linked C libraries) using our cloud-based, multi-OS, secure build service, and then make them available for distribution:

  • Ensure the security and integrity of the Python dependencies your developers work with.
  • Eliminate the overhead of creating and maintaining multiple build environments, one for each OS your Windows, Mac and Linux developers work with.
  • Eliminate the need to periodically audit internal build systems for compromise by utilizing a secure, cloud-based build service.
  • Track and notify users when vulnerabilities are discovered, and also automatically build the new dependency version(s) that resolve the vulnerability.

Python-centric organizations that are concerned with the costs of vendoring their own dependencies, as well as Python supply chain security may want to investigate the ways that the ActiveState Artifact Repository can help them solve key use cases.

Artifact Repository Use Cases

Artifact repositories can serve a variety of purposes across the software lifecycle. In general, repositories have a key role to play in:

  • Development: provides a central location to manage a curated set of approved open source and other third-party artifacts used in the development process.
  • CI/CD: provides a place to store built artifacts output from the CI/CD system, as well as a source to pull inputs from, such as prebuilt containers or runtimes.
  • Production: provides a central location for distributing built software artifacts such as patches, updates and applications to customers.

Specifically, the ActiveState Artifact Repository can add value in a number of common use cases, including:

  • Foster Open Source Supply Chain Security – rather than importing unsecure, prebuilt packages from PyPI, customers can use the ActiveState Platform to securely build Python packages from source code (including native libraries) and then distribute them from the ActiveState Artifact Repository. 
  • Enable Development Teams – in order to ensure reproducible environments, the ActiveState Platform acts as a single, central location where open source language runtime environments can be built, updated and distributed via the ActiveState Artifact Repository. Developers, QA, DevOps, etc can then pull the prebuilt Python packages in order to create their development environments, CI/CD containers and test environments, eliminating “works on my machine” and environment configuration issues. 
  • Create a Centralized, Curated Catalog – to ensure developers work only with approved Python packages, the ActiveState Platform acts as a single, central location for all stakeholders to evaluate new dependencies quickly, and then automatically build and make them available for use via the ActiveState Artifact Repository, dramatically shortening the approval and availability processes. 
  • Standardize Application Extensibility – ensure that customers can integrate your application with their systems, or else better tailor it to their needs by creating a standard Python deployment backed by an approved set of packages that customers can pull from the ActiveState Artifact Repository. This allows your Tech Support team to more easily reproduce issues without needing to troubleshoot the environment configuration.
  • Simplify Python Package Maintenance – updates to a codebase too often result in breaking the build, but unupdated codebases increase security and performance/stability risks as unresolved vulnerabilities and bugs accumulate. ActiveState can maintain the Python dependencies your application requires on your behalf, allowing you to recover lost time and resources previously spent managing and maintaining dependencies.

All artifacts in the ActiveState Artifact Repository are created as standard Python wheels, which means your team can install them using Python’s default package manager, pip, just as if they were installing from a far more secure version of PyPI. 

See how it works:

Next steps:

Want to try out the ActiveState Artifact Repository? We can spin one up for you to test out for any Python 3.8 or later project you create on the  ActiveState Platform. For more information Contact Sales

Dana Crane

Dana Crane

Experienced Product Marketer and Product Manager with a demonstrated history of success in the computer software industry. Strong skills in Product Lifecycle Management, Pragmatic Marketing methods, Enterprise Software, Software as a Service (SaaS), Agile Methodologies, Customer Relationship Management (CRM), and Go-to-market Strategy.