Datasheet: Dependency Vendoring Without the Work – ActiveState Managed Distributions


ActiveState Managed Distributions

Managing open source language dependencies is time- and resource-intensive, especially for organizations that have adopted dependency vendoring. As a result, your developers spend significant amounts of time on low-value dependency management tasks rather than coding high-value features. ActiveState’s managed distributions can help you alleviate this pain, so that your developers can focus on getting new features out the door rather than worrying about outdated, vulnerable or incompatible dependencies.

Dependency vendoring is a strategy that checks third-party software source code directly into your product’s codebase. In practical terms, that means adopting open source dependencies into your source control system (rather than relying on a package manager to install dependencies on demand), along with all the extra work that comes with it. But what if you could make that extra work somebody else’s problem?

Costs of Dependency Vendoring

While dependency vendoring helps you avoid dependency conflicts and broken builds, it also requires you to “own” what was once managed by third-party open source developers. The result is more work for your software development teams, including:

  • Building Dependencies – to ensure security, packages, transitive dependencies and native libraries must be built from source code for each OS your developers work with. This requires time, as well as language and OS expertise your teams may not have.
  • Remediating/Updating Dependencies – dependencies are rarely updated (per Veracode’s report here), partly for fear of breaking the build, but also because velocity points for a sprint are often better spent elsewhere. This can lead to buggy codebases riddled with security holes.
  • Clutter – vendoring dependencies creates a very large source tree, which can make tasks like code review, license audits or even checking out the codebase more difficult than they should be.
  • Ownership – developers that check dependencies into the source tree may be required by other teams to fix, update, patch or otherwise manage them on their behalf, further acting as a drag on the productivity of your best resources.

While there are a number of tools and processes that can help manage the workload, much of the automation they offer is only minimally effective. For example, it’s one thing to be notified of a vulnerability and a newer version of the dependency that resolves it, but quite another to build it, ensure it works with your existing runtime environment, package it, and then update all your existing configurations. In practice, this kind of self-serve automation really means your valuable, expensive resources end up dedicating a large chunk of their time to continuously managing dependencies rather than revenue-generating activities, thereby increasing operational costs and time to market.

Dependency Vendoring Without the Work

In contrast, ActiveState’s managed distributions offering takes much of the non-differentiating dependency management work off your hands so your developers can focus on delivering differentiating features and functionality instead. While our tools can also be used in a self-serve manner, many of our customers prefer to delegate the work to ActiveState’s open source language experts who have been helping enterprises manage their open source languages for more than twenty years.

Self-vendoring is a proven solution for reducing security risk and avoiding version conflicts, but creating the infrastructure to vendor your dependencies at scale and remain responsive is cost prohibitive. This strategy becomes exponentially more difficult to maintain in diverse environments, which can significantly impact time to market. Enhance the productivity and efficiency of your teams by outsourcing your dependency management to ActiveState.

ActiveState’s managed distributions service includes:

  • Vetting your dependencies from our catalog of third-party dependencies to ensure security, maintainability and appropriate licensing according to your corporate guidelines.
  • Securely building your set of required dependencies from source code, including native libraries, using our tamper-proof secure build service.
  • Packaging your set of dependencies for all target operating systems, ensuring reproducible environments that contain only dependencies that work together.
  • Optionally making your built dependencies available via our artifact repository for easier management and distribution.
  • Monitoring dependencies for vulnerabilities and out-of-date versions, and creating a fork with the updated dependencies for you to take at any time.
  • Maintaining a catalog of dependencies and transitive/operating system dependencies over time so you can always reproduce the build.
  • Optionally providing security fixes for dependencies from EOL languages, like Python 2.

To learn more about ActiveState’s managed distributions, contact our solutions experts.
