Published: January 12, 2022
Last Updated: January 13, 2022

Introducing Trusted Open Source Artifact Subscription for JFrog Artifactory

With the JFrog Artifactory integration, we’ve made it easy to automatically populate Artifactory with trustworthy, up-to-date open source Python packages, as well as other open source language artifacts in the ActiveState Platform. 

No more waiting. No more slow-downs. No more limited catalog sizes. No more re-inventing the wheel.

Just select the open source packages and versions needed, and ActiveState populates your Artifactory instance with trustworthy artifacts.

Why should you trust ActiveState’s Artifacts? At a high level, this means that you can trust that the artifact is built from the specified source code. More specifically, the ActiveState Platform’s secure build service implements scripted builds from vetted source code that occur inside of ephemeral, isolated and hermetically sealed (i.e., no internet access) containers purpose-built to perform a single function, reducing the potential for compromise.

The output is a verifiably reproducible build, where not only do the same inputs produce the same outputs every time, but whose provenance can also be verified by tracing each component back to its original source.
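The two properties just described, a rebuild from the same inputs yielding the same bytes and every component tracing back to an archived source, can be checked mechanically. The following is an added illustration, not ActiveState or JFrog code: the provenance record layout (component source digests, a recipe digest, an expected artifact digest), the `hermetic_build` stand-in and the sample source bytes are all constructed assumptions; real systems carry the same information in formats such as SLSA provenance or in-toto attestations.

```python
"""Verify a build artifact against a provenance record and a rebuild.

Added illustration, not ActiveState or JFrog code. The record format
(component source digests, a build-recipe digest, an expected output
digest) is a constructed assumption, as are the sample inputs below.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample inputs: two archived "source tarballs" and a build recipe.
SOURCES = {
    "requests-2.27.1.tar.gz": b"constructed source tarball bytes for requests",
    "urllib3-1.26.8.tar.gz": b"constructed source tarball bytes for urllib3",
}
BUILD_RECIPE = b"constructed hermetic build script: unpack, compile, package"


def hermetic_build(sources: dict, recipe: bytes) -> bytes:
    """Stand-in for an isolated, network-free build step.

    A reproducible build is a pure function of its inputs. Here the 'artifact'
    is derived only from the recipe and the sorted source bytes, so rebuilding
    with the same inputs always yields identical bytes.
    """
    h = hashlib.sha256(recipe)
    for name in sorted(sources):
        h.update(name.encode())
        h.update(sources[name])
    return b"ARTIFACT:" + h.hexdigest().encode()


def make_provenance(sources: dict, recipe: bytes, artifact: bytes) -> dict:
    """Record what went in (source + recipe digests) and what came out."""
    return {
        "components": {n: sha256_hex(b) for n, b in sources.items()},
        "recipe_sha256": sha256_hex(recipe),
        "artifact_sha256": sha256_hex(artifact),
    }


def verify(artifact: bytes, provenance: dict, sources: dict, recipe: bytes) -> list:
    """Return a list of problems; an empty list means the artifact checks out."""
    problems = []
    # 1. The artifact in hand is the one the provenance describes.
    if sha256_hex(artifact) != provenance["artifact_sha256"]:
        problems.append("artifact digest does not match provenance")
    # 2. The build recipe has not been altered since the record was made.
    if sha256_hex(recipe) != provenance["recipe_sha256"]:
        problems.append("build recipe digest does not match provenance")
    # 3. Every component traces back to an archived, unmodified source.
    for name, digest in provenance["components"].items():
        if name not in sources:
            problems.append(f"source for {name} not archived")
        elif sha256_hex(sources[name]) != digest:
            problems.append(f"source for {name} was modified")
    # 4. Reproducibility: rebuild from the archived inputs and compare bytes.
    if hermetic_build(sources, recipe) != artifact:
        problems.append("rebuild from archived inputs differs from artifact")
    return problems


if __name__ == "__main__":
    built = hermetic_build(SOURCES, BUILD_RECIPE)
    record = make_provenance(SOURCES, BUILD_RECIPE, built)
    print("clean verification:", verify(built, record, SOURCES, BUILD_RECIPE))
    tampered = dict(SOURCES, **{"urllib3-1.26.8.tar.gz": b"tampered"})
    print("tampered source:", verify(built, record, tampered, BUILD_RECIPE))
```

The rebuild step is what makes the provenance claim more than a digest match: a record can only be trusted as far as an independent party can reproduce it, which is why the build must be deterministic and free of network-fetched inputs.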

Your developers won’t even need to change tools or learn a new workflow.

Industry Evolution: Security-First Open Source

Open source organizations are making great strides to improve the security of their public repositories, but the reality is that they are still the wild west where anything goes.

Public repositories are just that: public, which means anyone can upload whatever code they want. While most public repositories have implemented 2-factor authentication to limit author impersonation, they have yet to verify and sign the code they offer. Thus, no guarantees are offered as to whether prebuilt packages are malware-free.

However, our recent Supply Chain Security Survey results indicate that a worryingly high proportion of organizations continue to implicitly trust open source repositories. Starting with our Artifactory offering, ActiveState is looking to help enterprises overcome these limitations in order to improve the security and integrity of their software development processes.

Enterprise Need: Secure Open Source Artifacts 

Organizations spend extensive time and resources to ensure the security and integrity of the open source artifacts their developers work with. But managing open source language artifacts in Artifactory is a low-return task.  

Done well, it’s expensive and time-consuming. It decreases risk, but offers little actual business value or leverage. It’s like pushing a rock uphill. As soon as you stop, gravity wins. Done with less care, it hinders both innovation and security, with cascading negative consequences:

  • Development has reduced access to empowering new technology and is forced to duplicate effort or wait for reviews.
  • Delays in adoption of new releases increase exposure to risk and force developers to delay planned high-value work to address vulnerabilities.

ActiveState’s Trusted Artifact offering can help enterprises dramatically decrease the risk and overhead of managing open source language packages in Artifactory by providing developers with secure versions of the open source packages they need, and updating them on a regular basis.

How it works: ActiveState’s Trusted Artifacts

The short answer is that we’ve built systems to address gaps in how PyPI and other public open source language repositories work (all based on 20+ years of building open source language artifacts and distributions for enterprises).

Some of the key parts are:

  • A vetting and ingestion process to weed out bad packages.
  • An integral supply chain that archives all the source code and protects it from tampering, with extras such as providing provenance data via an API.
  • A cross-platform build system that generates trustworthy artifacts in a repeatable way (and that generates detailed machine-readable Software Bills of Materials (SBOMs)).
  • A CVE-aware dependency resolution system that makes vulnerability remediation typically a question of hours instead of days or weeks.
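What a machine-readable SBOM buys you in practice is that the last two items on the list can be combined: the SBOM says which versions are pinned, an advisory feed says which versions are affected, and a resolver can pick the nearest clean version that still satisfies every dependent's constraint. The block below is an added example, not ActiveState's resolver; the SBOM, the version catalog and the advisory list are constructed sample data, and the advisory identifiers are placeholders rather than real CVE numbers.

```python
"""CVE-aware version selection over a small SBOM.

Added illustration, not ActiveState's dependency resolver. CATALOG, ADVISORIES
and SBOM are constructed sample data; the advisory ids are placeholders.
"""
import re


def parse_version(v: str) -> tuple:
    """Dotted numeric version to a comparable tuple (e.g. '1.26.5' -> (1, 26, 5))."""
    return tuple(int(x) for x in v.split("."))


_SPEC = re.compile(r"(>=|<=|==|>|<)\s*([\d.]+)")


def satisfies(version: str, spec: str) -> bool:
    """True if `version` meets every comma-separated constraint in `spec`."""
    pv = parse_version(version)
    for op, val in _SPEC.findall(spec):
        tv = parse_version(val)
        ok = {">=": pv >= tv, "<=": pv <= tv, "==": pv == tv,
              ">": pv > tv, "<": pv < tv}[op]
        if not ok:
            return False
    return True


# Constructed catalog of versions the artifact store could serve.
CATALOG = {
    "urllib3": ["1.26.3", "1.26.4", "1.26.5", "1.26.8", "2.0.0"],
    "requests": ["2.25.1", "2.26.0", "2.27.1"],
}

# Constructed advisory feed; ids are placeholders, not real CVEs.
ADVISORIES = [
    {"package": "urllib3", "affected": "<1.26.5", "id": "ADVISORY-0001 (placeholder)"},
    {"package": "urllib3", "affected": "==1.26.8", "id": "ADVISORY-0002 (placeholder)"},
]

# Constructed SBOM: pinned versions plus each component's own requirements.
SBOM = {
    "components": [
        {"name": "requests", "version": "2.27.1", "requires": {"urllib3": ">=1.26,<2"}},
        {"name": "urllib3", "version": "1.26.3", "requires": {}},
    ]
}


def advisories_for(name: str, version: str) -> list:
    """Advisory ids whose affected range covers this exact version."""
    return [a["id"] for a in ADVISORIES
            if a["package"] == name and satisfies(version, a["affected"])]


def audit_sbom(sbom: dict) -> dict:
    """Map each vulnerable component name to the advisories hitting its pinned version."""
    findings = {}
    for c in sbom["components"]:
        hits = advisories_for(c["name"], c["version"])
        if hits:
            findings[c["name"]] = hits
    return findings


def pick_remediation(name: str, constraint_specs: list, catalog: dict = CATALOG):
    """Highest catalog version that satisfies every dependent's constraint
    and carries no advisory; None if no such version exists."""
    for v in sorted(catalog[name], key=parse_version, reverse=True):
        if all(satisfies(v, s) for s in constraint_specs) and not advisories_for(name, v):
            return v
    return None


def remediate(sbom: dict) -> dict:
    """Propose a clean, constraint-compatible version for each vulnerable component."""
    plan = {}
    for name in audit_sbom(sbom):
        specs = [c["requires"][name] for c in sbom["components"] if name in c["requires"]]
        plan[name] = pick_remediation(name, specs)
    return plan


if __name__ == "__main__":
    print("findings:", audit_sbom(SBOM))
    print("remediation plan:", remediate(SBOM))
```

Two design points are worth noting. The resolver skips 2.0.0 because the dependent's `<2` constraint rules it out, and it skips 1.26.8 because the feed flags that exact release, so the proposal is the newest version that is both compatible and clean. When `pick_remediation` returns None, that is itself a useful signal: the dependent's constraint has to be relaxed, or the package has to be rebuilt with a patch, before the finding can be closed.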

As a result, you get an Artifactory instance that is populated with secure, verifiable and up-to-date packages that can be installed with the native package manager.

Next steps

Understand how ActiveState can help you decrease the risk and overhead of managing open source language packages in Artifactory. Let us walk you through how the solution can fit your team’s (or teams’) needs.


Need to share this information with others in your team? Download our Solution Sheet that lists the benefits and features ActiveState’s Trusted Artifact Subscription brings.

Want to learn more about the ActiveState Platform? Read how it can:

Loreli Cadapan

Loreli is a Silicon Valley veteran, with 20+ years of experience in enterprise software and a deep understanding of the software supply chain and continuous software delivery.  Before joining ActiveState as its VP Product, she held product management and technology roles in DevOps (most recently at JFrog and Oracle). Loreli is passionate about building products to power the world’s software development teams and accelerate their digital transformation.