Building from source

All runtimes created on the ActiveState Platform are built from source. Using the Platform you can select the source code for the language and packages, together with the source code for all related dependencies, and build a new runtime from the ground up.

You can use your browser to configure which packages, and which versions of those packages, are included in your runtime. There are no scripts to create or compilers to configure, and your runtime will still be built from source with all of the security and stability assurances that entails.

Using the Platform eliminates the need for time-consuming tasks related to creating reproducible runtimes or soliciting custom binaries. Things like manually installing languages, cloning source repositories, compiling, building operating system-specific installers (or compressed archives), and resolving dependency conflicts are taken care of via the Platform.

Because of this complex process, builds can take some time to complete, though we're always improving our build caching and concurrency technologies to make them faster.

While building your runtime from source takes time, you don’t need to wait on the Platform for it to complete. You can continue with other tasks and as soon as your runtime is available, you will receive a “Your build is ready!” notification email with a link to download and install the build.

Why build from source?

Policy & Compliance

Your organization's security and compliance policies require that all language artifacts be built from source.

Trust

Building your runtime from source guarantees that you know where your bits are coming from. In our case, you know that a trusted source has built the code you’ll be running. As verification takes time, some packages may not be available on the Platform immediately after their release. This is common with private or proprietary releases where a trusted source is not immediately available.

Flexibility

It gives you the flexibility to customize the dependencies and versions that your code gets built with. However, as versions are continually updated and released, there may be a delay between the release and their availability on the Platform. To request a package be added to the Platform contact us.

Security

It helps avoid exploits where similarly named dependencies or hacked author accounts lead to installing compromised binaries from a language ecosystem’s official repository.

Freshness

The latest version of a dependency may only be available as source code, or may require patching to eliminate a critical vulnerability.

Risks of not building from source

Compromised source control system

The ActiveState Platform was created with reproducible builds as a core design principle. Its tamper-proof build service builds any open source language dependency from source code and packages it (along with all its transitive dependencies) for deployment. Rather than create non-reproducible artifacts, the system is designed to fail should any checksum in the build process not be verified. Build scripts cannot be accessed and modified within the build service, preventing exploits in the source control system.
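The two defensive behaviours described on this page, refusing similarly named packages that are not the pinned dependency and failing the build when a checksum does not verify, fit in one small resolver. The block below is an added illustration, not ActiveState Platform or State Tool code; the lockfile format, package names, index contents and archive bytes are all constructed for the example.

```python
# Added example (not ActiveState Platform code): a fail-closed source verifier.
# A build proceeds only when every requested package is pinned in a lockfile AND
# the fetched source archive hashes to the pinned SHA-256. Unknown or look-alike
# names and any checksum mismatch abort the build before an artifact is produced.
# Lockfile format, package names and archive contents are constructed.
import difflib
import hashlib
import hmac


class BuildAborted(Exception):
    """Raised on any verification failure; no runtime artifact is produced."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed source archives standing in for real tarballs.
GOOD_SOURCE = b"def greet():\n    return 'hello'\n"
LOOKALIKE_SOURCE = b"def greet():\n    return 'not the package you wanted'\n"

# Constructed lockfile: (name, version) -> expected SHA-256 of the source archive.
LOCKFILE = {
    ("requests-like", "1.0.0"): sha256_hex(GOOD_SOURCE),
}

# Constructed package index. The second entry models a similarly named package
# published by someone else (the "similarly named dependencies" case above).
INDEX = {
    ("requests-like", "1.0.0"): GOOD_SOURCE,
    ("requsts-like", "1.0.0"): LOOKALIKE_SOURCE,
}


def fetch_from_index(name: str, version: str) -> bytes:
    """Stand-in for downloading a source archive from a package repository."""
    try:
        return INDEX[(name, version)]
    except KeyError:
        raise BuildAborted(f"{name}=={version}: not found in index") from None


def expected_digest(name: str, version: str, lockfile: dict) -> str:
    """Only pinned (name, version) pairs are buildable; near-misses are refused."""
    key = (name, version)
    if key in lockfile:
        return lockfile[key]
    pinned_names = sorted({n for n, _ in lockfile})
    close = difflib.get_close_matches(name, pinned_names, n=1, cutoff=0.8)
    hint = f" (similar to pinned package {close[0]!r})" if close else ""
    raise BuildAborted(f"{name}=={version}: not in lockfile{hint}")


def verify_archive(name: str, version: str, archive: bytes, lockfile: dict) -> str:
    """Return the archive digest if it matches the pin, otherwise abort."""
    expected = expected_digest(name, version, lockfile)
    actual = sha256_hex(archive)
    if not hmac.compare_digest(actual, expected):
        raise BuildAborted(
            f"{name}=={version}: checksum mismatch "
            f"(expected {expected[:12]}..., got {actual[:12]}...)"
        )
    return actual


def build_runtime(requirements, fetch, lockfile: dict) -> dict:
    """Verify every archive before any build step runs; one failure aborts the whole build."""
    verified = {}
    for name, version in requirements:
        verified[(name, version)] = verify_archive(name, version, fetch(name, version), lockfile)
    # Only reached when every requested source archive matched its pin.
    return verified


def build_outcome(requirements, fetch=fetch_from_index, lockfile=LOCKFILE) -> str:
    """'built' on success, otherwise the reason the build was refused."""
    try:
        build_runtime(requirements, fetch, lockfile)
        return "built"
    except BuildAborted as exc:
        return f"aborted: {exc}"


if __name__ == "__main__":
    print(build_outcome([("requests-like", "1.0.0")]))
    print(build_outcome([("requsts-like", "1.0.0")]))
    # A tampered archive under the right name: the fetch returns modified bytes.
    print(build_outcome([("requests-like", "1.0.0")],
                        fetch=lambda n, v: GOOD_SOURCE + b"# added\n"))
```

The design point is that `build_runtime` never returns a partial result: the look-alike name is refused before anything is fetched into the build, and the tampered archive is refused before any compile step, which is the "fail rather than create a non-reproducible artifact" behaviour the paragraph above describes.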

Modified code after source control

The ActiveState Platform catalog offers better classification and categorization (based on metadata) compared to a general internet search, making open source packages far more discoverable. In the event of a security breach after the runtime has been built, users are alerted to the threats to their runtimes via the Configuration tab in their project (or by a CVE) and presented with options to resecure their build.

Compromised build platform

The Platform (and the State Tool) lets you manage an entire team by providing a single source of truth for a project's runtime environment that can be shared, installed, and updated with a single command. The result is a secure build Platform that helps you create comprehensive and reproducible runtimes. ActiveState's build service is a dedicated service that runs on a minimal set of predefined, locked-down resources, rather than on a developer's desktop or another arbitrary system that offers a larger attack surface to bad actors. Every step in a build process executes in its own container, which is discarded after the step completes. In other words, containers are purpose-built to perform a single function, reducing the potential for compromise.

Compromised package repository

The ActiveState Platform catalog is routinely checked for security threats and corrupted packages. Each package available on the Platform has been verified as safe to use, and in the event of a breach, email notifications, status updates, and reports are generated whenever a vulnerability is discovered in your runtime environment.