FAQs - Curated Catalog
General Questions
What is the ActiveState Curated Catalog for Python?
The ActiveState Curated Catalog is a private Python package repository containing packages specifically built and vetted for your organization by the ActiveState Platform. Unlike a PyPI mirror that provides access to all public packages, your catalog contains only the packages you've requested and we've approved, built, and tested for your environment.
Key characteristics:
- Packages built by ActiveState Platform for your organization
- Security-vetted and tested before inclusion
- Reproducible builds (same packages, every time)
- Accessed via your repository manager (Nexus/Artifactory)
- No arbitrary PyPI.org access
What packages can I expect to find in my curated catalog?
Your catalog contains exactly what you've requested and we've agreed upon during the contracting process:
- Packages from your requirements.txt or package list
- Dependencies of those packages (automatically included)
- Specific versions you requested
- Packages built for your target operating system(s)
If you need additional packages, submit a request through your account manager or support channel.
How do I request new packages?
Contact your ActiveState account manager or submit a request via your support portal with:
- Package name(s)
- Version or version range
- Business justification
- Target operating system(s)
- Any security/compliance requirements
ActiveState will review, build, test, and upload approved packages to your catalog. Typical turnaround: 1-3 business days depending on complexity.
Why can't I access arbitrary PyPI.org packages?
This is a curated catalog, not a PyPI mirror. This model provides:
- Security: All packages vetted before you can use them
- Compliance: Meets organizational security/legal requirements
- Stability: No surprise updates breaking your builds
- Support: ActiveState supports the packages we provide
If you need a package not in your catalog, request it through the standard process.
Do I need a repository manager?
Yes, we strongly recommend (and require for support) using a repository manager such as:
- Sonatype Nexus (Community or Pro editions)
- JFrog Artifactory (any edition)
Repository managers provide:
- Local caching (faster, avoids rate limits)
- Offline access to previously cached packages
- Artifact management and lifecycle policies
- Integration with your existing tooling
- Better developer experience
Note: While technically possible to use pip directly, ActiveState only provides support for configurations using repository managers.
What if I already have a repository manager with public PyPI?
Do NOT mix the ActiveState catalog with public PyPI in the same Virtual (Artifactory) or Group (Nexus) repository.
Correct configuration:
- Separate Remote/Proxy repo for ActiveState:
https://repository.activestate.com/<org-id>/pypi - Separate Remote/Proxy repo for public PyPI:
https://pypi.org(if needed) - Create different Virtual/Group repos AND ensure ActiveState is never mixed with pypi.org in the same Virtual/Group
Why separate?
- ActiveState catalog is curated and controlled
- Mixing with public PyPI bypasses the curation model
- Name collisions possible
- Makes it unclear which packages are vetted
Exception: You may include your own internal/hosted repositories in the same Virtual/Group repo as the ActiveState catalog.
Setup and Configuration
How do I set up Nexus?
See the "Nexus Repository Manager Setup" section below for complete step-by-step instructions.
How do I set up Artifactory?
See the "Artifactory Repository Manager Setup" section below for complete step-by-step instructions.
What URL should I use in my repository manager?
Correct format: https://repository.activestate.com/<org-id>/pypi
Common mistakes:
- ❌ Adding
/simple/suffix →https://repository.activestate.com/<org-id>/pypi/simple/ - ❌ Adding trailing slash inconsistently
Note: Repository managers (Nexus/Artifactory) automatically append /simple/<package>/ when making requests. Always use the base index URL.
What are my credentials?
- Username: Your ActiveState Platform organization ID (UUID format)
- Password: Provided securely by ActiveState during onboarding
- Format: Both are alphanumeric (safe for URLs)
Example username: b5865a43-1f24-48df-b6f3-8c932c7aae29
Security: Store credentials in your repository manager configuration. Do not commit to source control or share publicly.
If you need your credentials or account information, contact your ActiveState representative or visit our contact us page.
Troubleshooting
Why can we not retrieve any Python packages from https://repository.activestate.com?
Not using a repository manager:
- We strongly recommend repository managers (Nexus/Artifactory) for ALL organizations, regardless of size
- Organizations choosing not to use a repository manager are expected to be knowledgeable enough about PyPI repositories to diagnose and solve problems independently
- ActiveState does NOT provide support for configurations without repository managers
- Most troubleshooting guidance below assumes repository manager use
Mixing with public PyPI (UNSUPPORTED):
- If using Virtual (Artifactory) or Group (Nexus) repositories that combine multiple Remote/Proxy repositories, ActiveState DOES NOT support this configuration
https://repository.activestate.comMUST be the SOLE Remote/Proxy repository in your Virtual/Group repositories- Exception: You may include your own Local/Hosted repositories alongside the ActiveState catalog
- Your packages share a global namespace with ActiveState catalog packages
- Exercise caution with package naming to avoid collisions
- Mention this configuration when communicating with ActiveState support
Common diagnostic steps:
-
Check Artifactory permissions (Artifactory only):
- Users MUST have "Deploy/Cache" permission on Remote repository
- Without this permission, Artifactory returns 403 or 404 errors
- This is the most common Artifactory issue
-
Check for 401 (authentication) errors in repository manager logs:
- Normal: Nexus sends request without auth, gets 401, retries with auth (HTTP challenge-response)
- Problem: Two consecutive 401 responses = incorrect credentials configured
- Verify credentials in repository manager match what ActiveState provided
-
Check for 429 (rate limit) errors in repository manager logs:
- Indicates caching disabled or forwarding all requests to ActiveState
- Enable caching in repository manager (critical)
- Check for evidence of misuse:
- Very high request volume with many cache misses
- All metadata/HEAD requests forwarded to ActiveState
- Malicious clients with compromised credentials
- Contact ActiveState if legitimate high volume persists after enabling caching
-
Check for 403 (forbidden) errors in repository manager logs:
- Indicates incorrect URL in repository manager configuration
- Repository manager constructs invalid request URLs
- Verify: URL should be
https://repository.activestate.com/<org-uuid>/pypi - Do NOT append
/simpleor/simple/suffix
-
Check for 404 (not found) errors in repository manager logs:
- Package not available in your ActiveState curated catalog
- Package may need to be requested and built by ActiveState
- When reporting to ActiveState, provide:
- Original package installation command
- Whether this is a direct dependency or transitive dependency
- Specific version or version range required
- Any error messages from your package manager
-
Consider operating system compatibility:
- Packages are built for specific operating systems
- Default builds: Linux AND Windows (both platforms provided)
- macOS builds: Only if explicitly requested during requirements gathering
- Pure Python packages (no compiled extensions) generally work on all platforms, but may have platform-specific behavior or requirements/dependencies
- Packages with C extensions are platform-specific but both Linux and Windows versions are included
- Contact ActiveState if you need macOS builds
Why is pip/Nexus/Artifactory getting 401 errors?
Initial 401 is normal: Repository managers use HTTP challenge-response authentication. They send a request without credentials first, receive 401, then retry with credentials. This is standard behavior.
Persistent 401 errors indicate:
- Incorrect credentials configured in repository manager
- Credentials not saved properly
- Wrong username format (should be organization UUID)
- Typo when entering credentials
To diagnose:
- Check repository manager logs for two consecutive 401s (indicates credential problem)
- Verify credentials in repository manager configuration
- Test credentials directly:
Should return HTTP 200 with HTML package index
curl -u <org-id>:<password> https://repository.activestate.com/<org-id>/pypi/simple/
Resolution: Have customer re-enter credentials carefully, or request fresh credentials from ActiveState.
Why is Nexus/Artifactory returning 404 for packages?
For package index (/simple/package-name/):
- Package not in customer's curated catalog
- Typo in package name (check spelling, hyphens vs underscores)
- Package not yet built/uploaded by ActiveState
For package files (.whl, .tar.gz):
- Check repository manager logs for upstream errors
- Verify package exists in simple index first
- For Nexus: hash lookup service converts
/packages/URLs to DevPI's internal format - if this fails, downloads fail
To diagnose:
- Check if package exists in catalog:
curl -u <org-id>:<password> \
https://repository.activestate.com/<org-id>/pypi/simple/<package-name>/ - If package exists but files won't download, check repository manager logs for errors
- If package doesn't exist, request it from ActiveState
Resolution: Request ActiveState build and upload missing package.
Why are we getting 429 rate limit errors?
Rate limit: 2000 requests per 5 minutes per IP address
Causes:
- Caching disabled on repository manager (most common - forwarding all requests)
- Very high CI/CD parallelism without cache warmup
- Metadata requests not being cached
- Multiple teams/projects hitting simultaneously
Solutions:
- Enable caching in repository manager (CRITICAL):
- Nexus: Default is enabled, check for overrides in repository config
- Artifactory: Verify "Store Artifacts Locally" is enabled
- Increase cache TTL for metadata to reduce upstream queries
- Check for abuse: Unusual request patterns, compromised credentials
- Contact ActiveState: If legitimate high volume persists after enabling caching
To diagnose:
- Check repository manager cache hit ratio (should be >80% after warmup)
- Review repository manager logs for upstream request patterns
- Identify which clients are making excessive requests
- Verify caching is actually enabled and working
Resolution: Enable caching (fixes 90% of rate limit issues).
Why am I getting 403 Forbidden errors?
Common causes:
- Incorrect URL in repository manager:
- Should be:
https://repository.activestate.com/<org-id>/pypi - No
/simple/suffix - Repository managers append this automatically
- Should be:
- Artifactory permissions (Artifactory only):
- User needs "Deploy/Cache" permission on Remote repository
- This is required for Artifactory to cache upstream packages
- Wrong organization ID: Attempting to access another organization's catalog
To diagnose:
- Verify URL in repository manager configuration exactly matches what ActiveState provided
- Test credentials directly:
curl -u <org-id>:<password> https://repository.activestate.com/<org-id>/pypi/simple/ - Check Artifactory user permissions (Artifactory only)
Resolution: Correct URL format or grant Deploy/Cache permission.
How do I know if packages are being cached?
Nexus:
- Admin → Support → System Information → Look for cache statistics
- Admin → Repository → Browse → Check for cached artifacts
- Logs: Look for cache hits vs upstream requests
Artifactory:
- Admin → Artifactory → Storage → Repository Stats
- Check "Artifacts Count" increasing after pip installs
- Browse repository via web UI to see cached files
General test:
- Install package:
pip install <package> - Clear local pip cache:
pip cache purge - Install same package again:
pip install <package> - Second install should be much faster (served from repository manager cache)
- Check repository manager logs: Should show cache hit, NOT upstream request to ActiveState
Expected cache hit ratio: >80% after initial warmup period.
Can I use pip directly without a repository manager?
Technically yes, but this is NOT SUPPORTED:
pip install --index-url https://<org-id>:<password>@repository.activestate.com/<org-id>/pypi/simple/ <package>
Why not recommended:
- No caching (slower, hits rate limits)
- Credentials exposed in command history/logs
- No offline access to packages
- No artifact lifecycle management
- ActiveState does NOT provide support for this configuration
Policy: We require customers to use repository managers for supported configurations.
How do I test if everything is working?
Via repository manager UI:
- Log into Nexus/Artifactory web interface
- Navigate to your ActiveState repository
- Click "Browse" or "Artifacts"
- Should see package list from simple index
- Click on a package to see available versions/files
Via pip (using repository manager):
# Nexus example
pip install --no-cache-dir --index-url https://admin:admin123@nexus.company.com/repository/activestate/simple/ <package-name>
# Artifactory example
pip install --no-cache-dir --index-url https://user:pass@artifactory.company.com/artifactory/api/pypi/activestate/simple/ <package-name>
Via curl (direct test, bypassing repository manager):
# List all packages in catalog
curl -u <org-id>:<password> https://repository.activestate.com/<org-id>/pypi/simple/
# List specific package versions
curl -u <org-id>:<password> https://repository.activestate.com/<org-id>/pypi/simple/<package-name>/
What operating systems are supported?
Default builds:
- Linux ✅ (most common, broadest package availability)
- Windows ✅ (included by default)
- macOS ❌ (NOT built by default)
Requesting macOS builds:
- If customer needs macOS support, this must be explicitly stated during requirements gathering
- Include in package request: "Customer requires macOS builds"
- ActiveState will build for macOS in addition to Linux/Windows
Cross-platform compatibility:
- Pure Python packages (no compiled extensions): Work on all platforms, generally
- Packages with C extensions: Platform-specific (wheel files include platform in filename)
- Wheels (
.whl): Platform-specific, named accordingly (e.g.,cp312-cp312-manylinux,cp312-cp312-win_amd64,cp312-cp312-macosx) - Source distributions (
.tar.gz): May work cross-platform if customer has build tools installed (not recommended for production)
Common scenarios:
- Package built for Linux won't work on Windows and vice versa
- Packages built for Linux may work on macOS (but not guaranteed)
- If customer needs multi-OS support, specify ALL required platforms upfront
Can I upload my own packages?
No, organization accounts are read-only. Only the ActiveState Platform team can upload packages to your catalog.
Why?
- Maintains security vetting process
- Ensures all packages meet compliance requirements
- Prevents accidental/malicious package uploads
- Keeps catalog curated and controlled
If customer needs internal/private packages:
- Option A (preferred): Request ActiveState build and upload them
- Submit to ActiveState like any other package request
- Goes through same vetting/build process
- Option B: Host in separate local repository in their repository manager
- Customer creates hosted/local PyPI repository for internal packages
- Can include in same Virtual/Group repo as ActiveState catalog
- Warning: Package names share global namespace - avoid collisions
- Document this configuration when communicating with support
Do passwords expire?
No, passwords do NOT expire automatically. They remain valid until:
- Customer requests password reset from ActiveState
- Organization account is deactivated
- Security incident requires rotation
Best practices for customers:
- Store securely in repository manager configuration (not in source control)
- Rotate periodically per organizational security policies
- Contact ActiveState to rotate - we'll update credentials
What are the rate limits?
Rate limit: 2000 requests per 5 minutes per IP address
This should NOT be a problem if:
- Repository manager caching is enabled (most important)
- Using repository manager (not direct pip access)
- Normal development/CI workflows
You may hit limits if:
- Caching disabled on repository manager
- Extremely high CI parallelism without cache warmup
- Multiple teams/projects hitting simultaneously without cache
- Using
pip install --no-cache-dir(don't do this!)
Solution: Enable and verify repository manager caching is working.
Can I have multiple repository managers point to my catalog?
Yes! Common scenarios:
- Production Nexus and Development Nexus
- Multiple Artifactory instances across regions/datacenters
- DR/failover repository managers
Best practices:
- Use same credentials on all repository managers (one ActiveState organization ID to one set of credentials)
- Enable caching on ALL instances
- Consider cache warming strategies for new instances
- Monitor aggregate request rate across all instances (counts toward rate limit)
Note: All repository managers from same organization count toward the 2000 requests/5min limit.
What happens if ActiveState's service is down?
Your repository manager's cache continues to serve previously cached packages:
- ✅ Developers can install previously cached packages
- ✅ CI/CD can build with cached dependencies
- ❌ New packages not previously cached will fail
- ❌ First-time installations won't work
Recommendations for customers:
- Keep repository manager cache warm with common/critical packages
- Test critical builds periodically to ensure cache coverage
- Consider repository manager backup/replication strategies
- Monitor cache hit ratios
ActiveState SLO: 99% uptime (~7.3 hours downtime per month maximum), including scheduled weekly maintenance windows (Sundays 2:00-3:15 AM UTC).