惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Jina AI
Jina AI
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
T
Troy Hunt's Blog
T
The Exploit Database - CXSecurity.com
Microsoft Security Blog
Microsoft Security Blog
V
Visual Studio Blog
F
Fortinet All Blogs
博客园_首页
P
Proofpoint News Feed
V
Vulnerabilities – Threatpost
The Cloudflare Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
H
Heimdal Security Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
A
About on SuperTechFans
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
AI
AI
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
S
Security Affairs
The Register - Security
The Register - Security
S
Security @ Cisco Blogs
Hugging Face - Blog
Hugging Face - Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
博客园 - 聂微东
Schneier on Security
Schneier on Security
WordPress大学
WordPress大学
Google DeepMind News
Google DeepMind News
GbyAI
GbyAI
T
Tailwind CSS Blog
Hacker News: Ask HN
Hacker News: Ask HN
W
WeLiveSecurity
D
Docker
L
LangChain Blog
B
Blog RSS Feed
The Last Watchdog
The Last Watchdog
Cloudbric
Cloudbric
TaoSecurity Blog
TaoSecurity Blog
N
Netflix TechBlog - Medium
酷 壳 – CoolShell
酷 壳 – CoolShell
I
InfoQ
The Hacker News
The Hacker News
AWS News Blog
AWS News Blog
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
宝玉的分享
宝玉的分享
I
Intezer
云风的 BLOG
云风的 BLOG
V2EX - 技术
V2EX - 技术
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO

ashishb.net

A day in Luxembourg - the richest country in the world I was asked to install malware during a fake interview Book summary: Breakneck - China's quest to engineer the future by Dan Wang Book summary: How to Teach Your Baby to Read Book Summary: The Discontented Little Baby Book by Pamela Douglas Introducing Amazing Sandbox - run third-party tools and AI agents securely on your machine Why software outsourcing gets a bad reputation? Book summary: The Natural Baby Sleep Solution by Polly Moore A day in Antwerp, Belgium Journey of online influencers Two days in Brussels, Belgium Shortcuts - when we love them and when we don't A visit to Rakhigarhi Three days in overhyped Paris Empty Japan, crowded Tokyo The real lock-in in GitHub is not the code, but the stars 11-day Norwegian Breakaway East Caribbean cruise Sanskrit and Sri Lankan Air Force Use REST with Open API The Achilles heel of American capitalism Costa Rica in 4 days At a juice stall in Sri Lanka A short stay at Warsaw, Poland Best practices for using Python & uv inside Docker Two days in Vilnius, Lithuania How IntelliJ IDEs waste disk space Pregnancy Why there aren't many digital nomads from India Two days in Riga, Latvia To keep your machine secure, run third-party tools inside Docker Family Ties in Your DNA: Some relatives are closer than others Doctors per capita Two days in Tallinn, Estonia Made in America Two days in Helsinki, Finland Maintaining an Android app is a lot of work The land of good deals Two days in Oslo, Norway FastAPI vs Flask performance comparison Google Search is losing to Perplexity Two days in Dublin, Ireland Continuous integration ≠ Continuous delivery World's simplest project success heuristic London in 5 days It is hard to recommend Python in production Inflation, IRS, Credit cards, and Vendors Temu and the Chinese approach Things to do in Miami Florida Revenue vs Cost Axis Language learning as an adult The unanchored babies of the green card limbo Price variance in the United States A day in Louisville, Kentucky A surprisingly positive experience with Air India Unhospitable Airports Android: Don't use stale views USA = Union of Sales and Advertisement A day in Nashville, Tennessee Minimize Javascript in your codebase A day in Birmingham, Alabama In defense of ad-supported products Real vs artificial world The science behind Punjabi singers Hiking Mt. Fuji The Indian startup bubble is insane Repairing database on the fly for millions of users Book Summary: One up on Wall Street by Peter Lynch It is hard to recommend Google Cloud At the Prague airport Kyoto in three days Migrating from WordPress to Hugo Book summary: Sick Societies by Robert B. Edgerton Statistical outcomes require statistical games Illegal immigrants to Europe via Cairo Tokyo in three days Mobs are Status Games Writing Script matters as much as the spoken language Sri Lanka in 5 days LLMs: great for business but bad business Book Summary: Safe Haven by Mark Spitznagel Mac shortcut for typing Avagraha symbol On a bus with an asylum seeker Nicaragua in 5 days When to commit Generated code to version control Why I always buy a local SIM in a foreign country Use Makefile for Android Four days in Guadalajara, Mexico Android Navigation: Up vs Back Hotels vs Airbnb vs Hostels Currency issues in Argentina Abstractions should be deep not wide Some data on podcasting Always support compressed response in an API service A day in El Calafate - Patagonia, Argentina Hermetic docker images with Hugging Face machine learning models American Elections The sound of "ch" API services should always have usage Limits Hiking in El Chaltén - trekking capital of Argentina Natural Laws vs Man-made Laws
Ship tools as standalone static binaries
Ashish Bhatia · 2025-07-04 · via ashishb.net
RedditProgrammer Weekly

Open AI is ditching TypeScript to rebuild Codex in Rust. This is a great example of why you should always ship tools as standalone static binaries using compiled languages.

Reddit Comment

The biggest advantage of such tools is not speed or efficiency. Rather, it is the ability to not install the full tool chain to just use a tool.

Compiler provides additional safety check

Compilation is an additional guardrail that reduces the likelihood of shipping non-functioning code.

Google Cloud CLI is written in Python and even Google has shipped outright broken tool quite a few times in it. What chance do much smaller teams have of shipping a functioning tool without a compiler?

When you ship a tool written in a compiled language, you ship a single binary. When you ship a tool written in an interpreted language, the users of the tool need to have the appropriate version of the development environment (e.g. Python, Ruby, TypeScript) installed on their machine to run the tool.

The problem is not just the toolchain but the full-fledged versions of the development environment that one needs to run the tool.

Consider a Markdown linter mdl written in Ruby. Every time Ruby is upgraded on my machine by homebrew, I have to reinstall mdl! And I don’t even use Ruby regularly for anything else.

If you want to use markdownlint, the JavaScript version of mdl, you need to install npm and install its 44 dependencies which again supports particular versions of npm.

Interpreted languages create disk size bloat

Consider another standalone tool like aider, probably the most popular FOSS coding assistant. It is written in Python and installing it via Homebrew installs additional 51 homebrew packages as dependencies.

1
2
$ brew deps aider  | uniq | wc -l
52

This consumes ~3GiB of disk space. That’s more than the size of most GNU/Linux distributions.

Before installing aider

1
2
3
4
5
$ df -h
Filesystem        Size    Used   Avail Capacity iused ifree %iused  Mounted on
...
/dev/disk3s5     320Gi   252Gi    51Gi    84%    1.5M  530M    0%   /System/Volumes/Data
...

After installing aider

1
2
3
4
Filesystem        Size    Used   Avail Capacity iused ifree %iused  Mounted on
...
/dev/disk3s5     320Gi   255Gi    49Gi    84%    1.6M  509M    0%   /System/Volumes/Data
...

Compare this to uv, a great Python package manager written in Rust. It is a single binary and does not require any toolchain dependencies. The binary is only ~35MiB in size. And I don’t need to install Rust or a heaven-forbids a Rust version manager like rustup to use it.

Security

Every single dependency you add to your tool increases the attack surface. The Open AI’s Codex has 24 direct dependencies and another 184 indirect dependencies.

How many of these dependencies have been audited by Open AI? How many of these dependencies have a postinstall step that can execute arbitrary code on the user’s machine? Assuming Open AI has audited some version of all of these dependencies, the version of these dependencies that are installed is not even locked in, so, a future dependency update can break the tool, introduce a security vulnerability, or be an outright malicious package

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
{
  "dependencies": {
    "@inkjs/ui": "^2.0.0",
    "chalk": "^5.2.0",
    "diff": "^7.0.0",
    "dotenv": "^16.1.4",
    "express": "^5.1.0",
    "fast-deep-equal": "^3.1.3",
    "fast-npm-meta": "^0.4.2",
    "figures": "^6.1.0",
    "file-type": "^20.1.0",
    "https-proxy-agent": "^7.0.6",
    "ink": "^5.2.0",
    "js-yaml": "^4.1.0",
    "marked": "^15.0.7",
    "marked-terminal": "^7.3.0",
    "meow": "^13.2.0",
    "open": "^10.1.0",
    "openai": "^4.95.1",
    "package-manager-detector": "^1.2.0",
    "react": "^18.2.0",
    "shell-quote": "^1.8.2",
    "strip-ansi": "^7.1.0",
    "to-rotated": "^1.0.0",
    "use-interval": "1.4.0",
    "zod": "^3.24.3"
  }
}

Maintainability

For interpreted languages like JavaScript, TypeScript, Python, or Ruby, if a dependency is removed from the upstream repository, the shipped tool will break. That’s how several packages, frameworks, and standalone tools written in Javascript broke when left-pad was taken down from npm.

For compiled languages, the tool is self-contained and requires the dependencies to exist only at the compile time. So, the tool will continue to work even if the upstream dependency has removed.

My personal experience

I wrote a semi-popular tool for Android development called adb-enhanced in Python during the days of Python 2 and then later ported it to Python 3.

Since then, I have open-sourced quite a few tools like gabo and wp2hugo in Go.

While I might write a Python library, I am never planning to write another standalone tool in Python, Typescript, or a similar language which does not allow shipping statically-linked binaries.

Conclusion

If you are writing standalone tools, always use a compiled language like Rust, Go, or C++. And generate static binaries that do not require minimal external dependencies.