Rust vs Swift 6

I re-coded a Rust library in Swift 6 this week and was surprised to see it was a third the size. It ended up with no third party dependencies beyond the system Frameworks, whereas the Rust crate pulled in several third party crates that in turn pulled in innumerable other libraries - creating a situation with multiple versions of the same library ultimately needing to be included.

With the barriers to writing software continuing to lower, the threshold for when to build first-party vs integrate a third party library may be moving as well.

For areas with strong community attention and support, complex algorithms, and/or areas where absolute correctness is a must, it will almost certainly be the wise choice to use a shared resource (TLS, NumPy, v8, etc) that is being actively maintained; but a huge amount of software development involves long-tail tasks for which there may be third party libraries that are either trivial to rebuild or out-of-date. The last decade of defaults in just reaching for the third party module/crate/library has resulted in Byzantine dependency graphs that are challenging to track and attest from a supply-chain perspective. And very bloated software.

Diversity of implementations can slow down adoption of bug-fixes but also makes an attack surface more complex; it’s valuable to find a bug in a commonly-used library because the attacker knows there are many places they can now exploit. While attestation of the correctness of first-party software is challenging (linting, fuzzing, exhaustive code coverage, documentation) it represents a different set of challenges than trying to attest an entire ecosystem. Today’s models like GPT-5, Opus 4.1, and Gemini 2.5 still need a lot of handholding and cross-checking to turn out secure and performant code, but they are radically better than last year’s — it seems likely that 2026 will see the commodification of models that are superior in the code quality and security of their output to the vast majority of programmers.

We approach a Rubicon - not yet crossed - of it being better security & performance practice to adopt a practice of generating our code ourselves vs using human-authored third party libraries.

The extreme version of this is a world in which a PRD gets turned into assembly language - the elimination of the compiler as an intermediary between the AI agent and the actual operation to be performed. Baby steps in that direction are lower-level routines generated in first party code (e.g. embedding C code with compiler hints as part of a library).