Advantages of building distributions from source

Distributions made on the ActiveState Platform are created from source. This has important security benefits and provides the greatest amount of flexibility.

While building from source can take some time, you don’t need to wait around on the Platform. We’ll send you an email when your build completes.


Every time that you create or update a project on the Platform, we take the source code for the language and packages (or modules), together with the source code for all of their dependencies, and build you a new custom distribution.

Because of this, builds can take a bit of time to complete, though we’re always improving our build caching and concurrency technologies to make them even faster.

You don’t have to wait around while your build is running. You can close the browser window and check back in any time. Also keep an eye on your inbox as we’ll send you an email when the build succeeds or fails.

Why build from source?

What are some key reasons that people (including us) choose to build from source?

Trust

It guarantees that you know where your bits are coming from. In our case, you know that a trusted source has built the code you’ll be running.

Flexibility

It gives you the flexibility to customize the dependencies and versions that your code gets built with.

Security

It helps avoid exploits where similarly named dependencies or hacked author accounts lead to installing compromised binaries from a language ecosystem’s official repository.

Freshness

The latest version of a dependency may only be available as source code, or may require patching to eliminate a critical vulnerability.

Policy & Compliance

Your organization’s policies require that all language artifacts be built from source for security and/or compliance reasons.

How is it different from other methods?

Other package managers often rely on pre-built binaries uploaded by the package maintainers or other unknown sources on the Internet. That locks you into whatever default options they selected at build time, and your ability to inspect what code is actually included in the binary is restricted.
