FAQs - Curated Catalog

General Questions

What is the ActiveState Curated Catalog for Python?

The ActiveState Curated Catalog is a private Python package repository containing packages specifically built and vetted for your organization by the ActiveState Platform. Unlike a PyPI mirror that provides access to all public packages, your catalog contains only the packages you’ve requested and we’ve approved, built, and tested for your environment.

Key characteristics:

• Packages built by ActiveState Platform for your organization
• Security-vetted and tested before inclusion
• Reproducible builds (same packages, every time)
• Accessed via your repository manager (Nexus/Artifactory)
• No arbitrary PyPI.org access

What packages can I expect to find in my curated catalog?

Your catalog contains exactly what you’ve requested and we’ve agreed upon during the contracting process:

• Packages from your requirements.txt or package list
• Dependencies of those packages (automatically included)
• Specific versions you requested
• Packages built for your target operating system(s)

If you need additional packages, submit a request through your account manager or support channel.

How do I request new packages?

Contact your ActiveState account manager or submit a request via your support portal with:

• Package name(s)
• Version or version range
• Business justification
• Target operating system(s)
• Any security/compliance requirements

ActiveState will review, build, test, and upload approved packages to your catalog. Typical turnaround: 1-3 business days depending on complexity.

Why can’t I access arbitrary PyPI.org packages?

This is a curated catalog, not a PyPI mirror. This model provides:

• Security: All packages vetted before you can use them
• Compliance: Meets organizational security/legal requirements
• Stability: No surprise updates breaking your builds
• Support: ActiveState supports the packages we provide

If you need a package not in your catalog, request it through the standard process.

Do I need a repository manager?

Yes, we strongly recommend (and require for support) using a repository manager such as:

• Sonatype Nexus (Community or Pro editions)
• JFrog Artifactory (any edition)

Repository managers provide:

• Local caching (faster, avoids rate limits)
• Offline access to previously cached packages
• Artifact management and lifecycle policies
• Integration with your existing tooling
• Better developer experience

Note: While technically possible to use pip directly, ActiveState only provides support for configurations using repository managers.

What if I already have a repository manager with public PyPI?

Do NOT mix the ActiveState catalog with public PyPI in the same Virtual (Artifactory) or Group (Nexus) repository.

Correct configuration:

• Separate Remote/Proxy repo for ActiveState: https://repository.activestate.com/<your-org-id>/pypi
• Separate Remote/Proxy repo for public PyPI: https://pypi.org (if needed)
• Create different Virtual/Group repos AND ensure ActiveState is never mixed with pypi.org in the same Virtual/Group

Why separate?

• ActiveState catalog is curated and controlled
• Mixing with public PyPI bypasses the curation model
• Name collisions possible
• Makes it unclear which packages are vetted

Exception: You may include your own internal/hosted repositories in the same Virtual/Group repo as the ActiveState catalog.

Setup and Configuration

How do I set up Nexus?

See the “Nexus Repository Manager Setup” section below for complete step-by-step instructions.

How do I set up Artifactory?

See the “Artifactory Repository Manager Setup” section below for complete step-by-step instructions.

What URL should I use in my repository manager?

Correct format: https://repository.activestate.com/<your-organization-id>/pypi

Example: https://repository.activestate.com/b5865a43-1f24-48df-b6f3-8c932c7aae29/pypi

Common mistakes:

• ❌ Adding /simple/ suffix → https://repository.activestate.com/<org-id>/pypi/simple/
• ❌ Adding trailing slash inconsistently

Note: Repository managers (Nexus/Artifactory) automatically append /simple/<package>/ when making requests. Always use the base index URL.

What are my credentials?

• Username: Your ActiveState Platform organization ID (UUID format)
• Password: Provided securely by ActiveState during onboarding
• Format: Both are alphanumeric (safe for URLs)

Example username: b5865a43-1f24-48df-b6f3-8c932c7aae29

Security: Store credentials in your repository manager configuration. Do not commit to source control or share publicly.

Troubleshooting

Why can we not retrieve any Python packages from https://repository.activestate.com?

Not using a repository manager:

• We strongly recommend repository managers (Nexus/Artifactory) for ALL organizations, regardless of size
• Organizations choosing not to use a repository manager are expected to be knowledgeable enough about PyPI repositories to diagnose and solve problems independently
• ActiveState does NOT provide support for configurations without repository managers
• Most troubleshooting guidance below assumes repository manager use

Mixing with public PyPI (UNSUPPORTED):

• If using Virtual (Artifactory) or Group (Nexus) repositories that combine multiple Remote/Proxy repositories, ActiveState DOES NOT support this configuration
• https://repository.activestate.com MUST be the SOLE Remote/Proxy repository in your Virtual/Group repositories
• Exception: You may include your own Local/Hosted repositories alongside the ActiveState catalog
  • Your packages share a global namespace with ActiveState catalog packages
  • Exercise caution with package naming to avoid collisions
  • Mention this configuration when communicating with ActiveState support

Common diagnostic steps:

1. Check Artifactory permissions (Artifactory only):

   • Users MUST have “Deploy/Cache” permission on Remote repository
   • Without this permission, Artifactory returns 403 or 404 errors
   • This is the most common Artifactory issue

2. Check for 401 (authentication) errors in repository manager logs:

   • Normal: Nexus sends request without auth, gets 401, retries with auth (HTTP challenge-response)
   • Problem: Two consecutive 401 responses = incorrect credentials configured
   • Verify credentials in repository manager match what ActiveState provided

3. Check for 429 (rate limit) errors in repository manager logs:

   • Indicates caching disabled or forwarding all requests to ActiveState
   • Enable caching in repository manager (critical)
   • Check for evidence of misuse:
     • Very high request volume with many cache misses
     • All metadata/HEAD requests forwarded to ActiveState
     • Malicious clients with compromised credentials
   • Contact ActiveState if legitimate high volume persists after enabling caching

4. Check for 403 (forbidden) errors in repository manager logs:

   • Indicates incorrect URL in repository manager configuration
   • Repository manager constructs invalid request URLs
   • Verify: URL should be https://repository.activestate.com/<org-uuid>/pypi
   • Do NOT append /simple or /simple/ suffix
   • Example correct format: https://repository.activestate.com/97c5907a-3d97-40ba-8e68-0b4006b15bb5/pypi

5. Check for 404 (not found) errors in repository manager logs:

   • Package not available in your ActiveState curated catalog
   • Package may need to be requested and built by ActiveState
   • When reporting to ActiveState, provide:
     • Original package installation command
     • Whether this is a direct dependency or transitive dependency
     • Specific version or version range required
     • Any error messages from your package manager

Note for CS team: Escalate missing packages to DE team with full context from customer.

6. Consider operating system compatibility:
   • Packages are built for specific operating systems
   • Default builds: Linux AND Windows (both platforms provided)
   • macOS builds: Only if explicitly requested during requirements gathering
   • Pure Python packages (no compiled extensions) generally work on all platforms, but may have platform-specific behavior or requirements/dependencies
   • Packages with C extensions are platform-specific but both Linux and Windows versions are included
   • Contact ActiveState if you need macOS builds

Note for CS team: When submitting package requests to DE team, explicitly specify if macOS builds are required.

Why is pip/Nexus/Artifactory getting 401 errors?

Initial 401 is normal: Repository managers use HTTP challenge-response authentication. They send a request without credentials first, receive 401, then retry with credentials. This is standard behavior.

Persistent 401 errors indicate:

• Incorrect credentials configured in repository manager
• Credentials not saved properly
• Wrong username format (should be organization UUID)
• Typo when entering credentials

To diagnose:

1. Check repository manager logs for two consecutive 401s (indicates credential problem)
2. Verify credentials in repository manager configuration
3. Test credentials directly:

   curl -u <org-id>:<password> https://repository.activestate.com/<org-id>/pypi/simple/
   

   Should return HTTP 200 with HTML package index

Resolution: Have customer re-enter credentials carefully, or request fresh credentials from ActiveState.

Note for CS team: To provide fresh credentials, request password from TI team via AWS Secrets Manager.

Why is Nexus/Artifactory returning 404 for packages?

For package index (/simple/package-name/):

• Package not in customer’s curated catalog
• Typo in package name (check spelling, hyphens vs underscores)
• Package not yet built/uploaded by ActiveState

For package files (.whl, .tar.gz):

• Check repository manager logs for upstream errors
• Verify package exists in simple index first
• For Nexus: hash lookup service converts /packages/ URLs to DevPI’s internal format - if this fails, downloads fail

To diagnose:

1. Check if package exists in catalog:

   curl -u <org-id>:<password> \
     https://repository.activestate.com/<org-id>/pypi/simple/<package-name>/
   

2. If package exists but files won’t download, check repository manager logs for errors
3. If package doesn’t exist, request it from ActiveState

Resolution: Request ActiveState build and upload missing package.

Note for CS team: Submit package request to DE team with details (package name, version, OS requirements).

Why are we getting 429 rate limit errors?

Rate limit: 2000 requests per 5 minutes per IP address

Note for CS team: This is enforced by CloudFront CDN.

Causes:

• Caching disabled on repository manager (most common - forwarding all requests)
• Very high CI/CD parallelism without cache warmup
• Metadata requests not being cached
• Multiple teams/projects hitting simultaneously

Solutions:

1. Enable caching in repository manager (CRITICAL):
   • Nexus: Default is enabled, check for overrides in repository config
   • Artifactory: Verify “Store Artifacts Locally” is enabled
2. Increase cache TTL for metadata to reduce upstream queries
3. Check for abuse: Unusual request patterns, compromised credentials
4. Contact ActiveState: If legitimate high volume persists after enabling caching

Note for CS team: If customer contacts about 429 errors, escalate to TI team for rate limit review.

To diagnose:

1. Check repository manager cache hit ratio (should be >80% after warmup)
2. Review repository manager logs for upstream request patterns
3. Identify which clients are making excessive requests
4. Verify caching is actually enabled and working

Resolution: Enable caching (fixes 90% of rate limit issues).

Why am I getting 403 Forbidden errors?

Common causes:

1. Incorrect URL in repository manager:
   • Should be: https://repository.activestate.com/<org-id>/pypi
   • No /simple/ suffix
   • Repository managers append this automatically
2. Artifactory permissions (Artifactory only):
   • User needs “Deploy/Cache” permission on Remote repository
   • This is required for Artifactory to cache upstream packages
3. Wrong organization ID: Attempting to access another organization’s catalog

To diagnose:

1. Verify URL in repository manager configuration exactly matches what ActiveState provided
2. Test credentials directly:

   curl -u <org-id>:<password> https://repository.activestate.com/<org-id>/pypi/simple/
   

3. Check Artifactory user permissions (Artifactory only)

Resolution: Correct URL format or grant Deploy/Cache permission.

How do I know if packages are being cached?

Nexus:

• Admin → Support → System Information → Look for cache statistics
• Admin → Repository → Browse → Check for cached artifacts
• Logs: Look for cache hits vs upstream requests

Artifactory:

• Admin → Artifactory → Storage → Repository Stats
• Check “Artifacts Count” increasing after pip installs
• Browse repository via web UI to see cached files

General test:

1. Install package: pip install <package>
2. Clear local pip cache: pip cache purge
3. Install same package again: pip install <package>
4. Second install should be much faster (served from repository manager cache)
5. Check repository manager logs: Should show cache hit, NOT upstream request to ActiveState

Expected cache hit ratio: >80% after initial warmup period.

Can I use pip directly without a repository manager?

Technically yes, but NOT SUPPORTED:

pip install --index-url https://<org-id>:<password>@repository.activestate.com/<org-id>/pypi/simple/ <package>

Why not recommended:

• No caching (slower, hits rate limits)
• Credentials exposed in command history/logs
• No offline access to packages
• No artifact lifecycle management
• ActiveState does NOT provide support for this configuration

Policy: We require customers to use repository managers for supported configurations.

How do I test if everything is working?

Via repository manager UI:

1. Log into Nexus/Artifactory web interface
2. Navigate to your ActiveState repository
3. Click “Browse” or “Artifacts”
4. Should see package list from simple index
5. Click on a package to see available versions/files

Via pip (using repository manager):

# Nexus example
pip install --no-cache-dir --index-url https://admin:admin123@nexus.company.com/repository/activestate/simple/ <package-name>

# Artifactory example
pip install --no-cache-dir --index-url https://user:pass@artifactory.company.com/artifactory/api/pypi/activestate/simple/ <package-name>

Via curl (direct test, bypassing repository manager):

# List all packages in catalog
curl -u <org-id>:<password> https://repository.activestate.com/<org-id>/pypi/simple/

# List specific package versions
curl -u <org-id>:<password> https://repository.activestate.com/<org-id>/pypi/simple/<package-name>/

What operating systems are supported?

Default builds (DE team builds these automatically):

• Linux ✅ (most common, broadest package availability)
• Windows ✅ (included by default)
• macOS ❌ (NOT built by default)

Requesting macOS builds:

• If customer needs macOS support, CS must explicitly request this from DE team during requirements gathering
• Include in package request: “Customer requires macOS builds”
• ActiveState will build for macOS in addition to Linux/Windows

Note for TI team: DevPI is OS-agnostic (stores packages for all platforms). TI does not generally need OS information. DE does.

Cross-platform compatibility:

• Pure Python packages (no compiled extensions): Work on all platforms, generally
• Packages with C extensions: Platform-specific (wheel files include platform in filename)
• Wheels (.whl): Platform-specific, named accordingly (e.g., cp312-cp312-manylinux, cp312-cp312-win_amd64, cp312-cp312-macosx)
• Source distributions (.tar.gz): May work cross-platform if customer has build tools installed (not recommended for production)

Common scenarios:

• Package built for Linux won’t work on Windows and vice versa
• Packages built for Linux may work on macOS (but not guaranteed)
• If customer needs multi-OS support, specify ALL required platforms upfront

Can I upload my own packages?

No, organization accounts are read-only. Only the ActiveState Platform (DE team) can upload packages to your catalog.

Why?

• Maintains security vetting process
• Ensures all packages meet compliance requirements
• Prevents accidental/malicious package uploads
• Keeps catalog curated and controlled

If customer needs internal/private packages:

1. Option A (preferred): Request ActiveState build and upload them
   • Submit to ActiveState like any other package request
   • Goes through same vetting/build process
2. Option B: Host in separate local repository in their repository manager
   • Customer creates hosted/local PyPI repository for internal packages
   • Can include in same Virtual/Group repo as ActiveState catalog
   • Warning: Package names share global namespace - avoid collisions
   • Document this configuration when communicating with support

Do passwords expire?

No, passwords do NOT expire automatically. They remain valid until:

• Customer requests password reset from ActiveState
• Organization account is deactivated
• Security incident requires rotation

Best practices for customers:

• Store securely in repository manager configuration (not in source control)
• Rotate periodically per organizational security policies
• Contact ActiveState to rotate - we’ll update credentials

For CS team: If customer requests password rotation, submit request to TI team.

What are the rate limits?

Rate limit: 2000 requests per 5 minutes per IP address

This should NOT be a problem if:

• Repository manager caching is enabled (most important)
• Using repository manager (not direct pip access)
• Normal development/CI workflows

You may hit limits if:

• Caching disabled on repository manager
• Extremely high CI parallelism without cache warmup
• Multiple teams/projects hitting simultaneously without cache
• Using pip install --no-cache-dir (don’t do this!)

Solution: Enable and verify repository manager caching is working.

Can I have multiple repository managers point to my catalog?

Yes! Common scenarios:

• Production Nexus and Development Nexus
• Multiple Artifactory instances across regions/datacenters
• DR/failover repository managers

Best practices:

• Use same credentials on all repository managers (one ActiveState organization ID to one set of credentials)
• Enable caching on ALL instances
• Consider cache warming strategies for new instances
• Monitor aggregate request rate across all instances (counts toward rate limit)

Note: All repository managers from same organization count toward the 2000 requests/5min limit.

What happens if ActiveState’s service is down?

Your repository manager’s cache continues to serve previously cached packages:

• ✅ Developers can install previously cached packages
• ✅ CI/CD can build with cached dependencies
• ❌ New packages not previously cached will fail
• ❌ First-time installations won’t work

Recommendations for customers:

• Keep repository manager cache warm with common/critical packages
• Test critical builds periodically to ensure cache coverage
• Consider repository manager backup/replication strategies
• Monitor cache hit ratios

ActiveState SLO: 99% uptime (~7.3 hours downtime per month maximum), including scheduled weekly maintenance windows (Sundays 2:00-3:15 AM UTC).