Ship tools as standalone static binaries

Open AI is ditching TypeScript to rebuild Codex in Rust. This is a great example of why you should always ship tools as standalone static binaries using compiled languages.

Reddit Comment

The biggest advantage of such tools is not speed or efficiency. Rather, it is the ability to not install the full tool chain to just use a tool.

Compiler provides additional safety check

Compilation is an additional guardrail that reduces the likelihood of shipping non-functioning code.

Google Cloud CLI is written in Python and even Google has shipped outright broken tool quite a few times in it. What chance do much smaller teams have of shipping a functioning tool without a compiler?

No toolchain dependencies for end-users

When you ship a tool written in a compiled language, you ship a single binary. When you ship a tool written in an interpreted language, the users of the tool need to have the appropriate version of the development environment (e.g. Python, Ruby, TypeScript) installed on their machine to run the tool.

The problem is not just the toolchain but the full-fledged versions of the development environment that one needs to run the tool.

Consider a Markdown linter mdl written in Ruby. Every time Ruby is upgraded on my machine by homebrew, I have to reinstall mdl! And I don’t even use Ruby regularly for anything else.

If you want to use markdownlint, the JavaScript version of mdl, you need to install npm and install its 44 dependencies which again supports particular versions of npm.

Interpreted languages create disk size bloat

Consider another standalone tool like aider, probably the most popular FOSS coding assistant. It is written in Python and installing it via Homebrew installs additional 51 homebrew packages as dependencies.

1
2

$ brew deps aider  | uniq | wc -l
52

This consumes ~3GiB of disk space. That’s more than the size of most GNU/Linux distributions.

Before installing aider

1
2
3
4
5

$ df -h
Filesystem        Size    Used   Avail Capacity iused ifree %iused  Mounted on
...
/dev/disk3s5     320Gi   252Gi    51Gi    84%    1.5M  530M    0%   /System/Volumes/Data
...

After installing aider

1
2
3
4

Filesystem        Size    Used   Avail Capacity iused ifree %iused  Mounted on
...
/dev/disk3s5     320Gi   255Gi    49Gi    84%    1.6M  509M    0%   /System/Volumes/Data
...

Compare this to uv, a great Python package manager written in Rust. It is a single binary and does not require any toolchain dependencies. The binary is only ~35MiB in size. And I don’t need to install Rust or a heaven-forbids a Rust version manager like rustup to use it.

Security

Every single dependency you add to your tool increases the attack surface. The Open AI’s Codex has 24 direct dependencies and another 184 indirect dependencies.

How many of these dependencies have been audited by Open AI? How many of these dependencies have a postinstall step that can execute arbitrary code on the user’s machine? Assuming Open AI has audited some version of all of these dependencies, the version of these dependencies that are installed is not even locked in, so, a future dependency update can break the tool, introduce a security vulnerability, or be an outright malicious package

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

{
  "dependencies": {
    "@inkjs/ui": "^2.0.0",
    "chalk": "^5.2.0",
    "diff": "^7.0.0",
    "dotenv": "^16.1.4",
    "express": "^5.1.0",
    "fast-deep-equal": "^3.1.3",
    "fast-npm-meta": "^0.4.2",
    "figures": "^6.1.0",
    "file-type": "^20.1.0",
    "https-proxy-agent": "^7.0.6",
    "ink": "^5.2.0",
    "js-yaml": "^4.1.0",
    "marked": "^15.0.7",
    "marked-terminal": "^7.3.0",
    "meow": "^13.2.0",
    "open": "^10.1.0",
    "openai": "^4.95.1",
    "package-manager-detector": "^1.2.0",
    "react": "^18.2.0",
    "shell-quote": "^1.8.2",
    "strip-ansi": "^7.1.0",
    "to-rotated": "^1.0.0",
    "use-interval": "1.4.0",
    "zod": "^3.24.3"
  }
}

Maintainability

For interpreted languages like JavaScript, TypeScript, Python, or Ruby, if a dependency is removed from the upstream repository, the shipped tool will break. That’s how several packages, frameworks, and standalone tools written in Javascript broke when left-pad was taken down from npm.

For compiled languages, the tool is self-contained and requires the dependencies to exist only at the compile time. So, the tool will continue to work even if the upstream dependency has removed.

My personal experience

I wrote a semi-popular tool for Android development called adb-enhanced in Python during the days of Python 2 and then later ported it to Python 3.

Since then, I have open-sourced quite a few tools like gabo and wp2hugo in Go.

While I might write a Python library, I am never planning to write another standalone tool in Python, Typescript, or a similar language which does not allow shipping statically-linked binaries.

Conclusion

If you are writing standalone tools, always use a compiled language like Rust, Go, or C++. And generate static binaries that do not require minimal external dependencies.

//: # ( https://news.hada.io/topic?id=21970) - Japanese