← Back to Blog

The Cost of Reimplementation

Ryan Haney ·

The same problem, solved a thousand times

Pick any fundamental computing problem, parsing a date, making an HTTP request, encoding JSON, hashing a password, and count how many times it’s been implemented across programming languages.

HTTP clients alone: curl in C, HttpClient in C#, http.Client in Go, requests in Python, axios in JavaScript, Hyper in Rust, OkHttp in Java, Alamofire in Swift. Each one written from scratch. Each one interpreting the same RFCs. Each one making its own decisions about timeouts, redirects, connection pooling, error handling, and retry logic.

The underlying specification is identical. HTTP is HTTP. RFC 7230 doesn’t change based on which language you’re using to implement it. But because code is bound to a language, and code is the source of truth, every language community rebuilds the same behavior independently. The same edge cases are discovered independently. The same bugs are introduced independently. The same CVEs are filed independently.

The duplication taxonomy

The redundancy isn’t limited to one category. It spans the entire foundation of modern software.

Protocol implementations. HTTP, WebSocket, gRPC, SMTP, DNS, every protocol that software speaks has been reimplemented in every major language. The behavior is defined by an RFC or a formal specification. The implementation is identical in intent across languages. But every language does it again from scratch.

Cryptography. AES, RSA, SHA-256, TLS handshakes. The math doesn’t change. The security requirements don’t change. But every ecosystem maintains its own cryptographic library, its own implementation of the same algorithms, its own attack surface. OpenSSL is in C. BouncyCastle is in Java. crypto/tls is in Go. ring is in Rust. Each one a separate implementation of the same mathematical specification.

Serialization and parsing. JSON parsers. XML parsers. YAML parsers. CSV parsers. URL parsers. The format specifications are public and stable. Yet every language has multiple competing implementations, each with its own conformance quirks and edge-case behavior.

Date and time. This is the poster child for reimplementation waste. Time zone handling, leap seconds, calendar arithmetic, ISO 8601 parsing. It’s notoriously complex and the specification is the same everywhere. Java went through java.util.Date, then Joda-Time, then java.time. JavaScript has Date, Moment.js (now deprecated), Luxon, date-fns, and Temporal (still in proposal). Python has datetime, dateutil, arrow, and pendulum. Each one grappling with the same specification. Each one re-discovering the same pitfalls.

The pattern is always the same: the what doesn’t change across languages. Only the how changes. But because the industry ties knowledge to code instead of specifications, the what gets reimplemented alongside the how every single time.

The security cost

Duplication isn’t just wasteful. It’s dangerous.

When a cryptographic implementation has a vulnerability, it affects one language’s ecosystem. But the same class of vulnerability often exists in other implementations of the same algorithm, because the same specification was interpreted by different engineers who made the same mistakes in different codebases.

Heartbleed was an OpenSSL bug. But the broader lesson was that the TLS specification was complex enough that implementing it correctly was extraordinarily difficult, and every language ecosystem was doing it independently. The industry didn’t have one implementation to fix. It had dozens, each with its own potential for the same category of error.

Every independent reimplementation is an independent attack surface. The more times you implement the same specification in different codebases, the more opportunities there are for implementation-specific bugs. If the specification were the source of truth, and implementations were validated against it, a vulnerability discovered in one implementation could trigger re-validation across all of them. Instead, each ecosystem fends for itself.

The economic argument

The labor cost alone is staggering.

Consider what it takes to build a production-quality HTTP client library. You need engineers who understand the protocol specification deeply. You need months of development. You need extensive testing against edge cases that have been discovered and documented by every other implementation before yours. You need ongoing maintenance as the specification evolves and new security considerations emerge.

Now multiply that by every major programming language. And then multiply again by every fundamental problem domain: networking, cryptography, serialization, date handling, authentication, compression, logging, configuration parsing.

The industry has spent millions of cumulative developer-hours reimplementing behavior that was already fully specified and already correctly implemented somewhere else. Not because the existing implementations were wrong, but because they were in the wrong language.

That’s the core absurdity. The knowledge exists. The specification exists. The correct behavior has been implemented and validated. But because code is the source of truth and code is language-bound, the knowledge can’t transfer. Every ecosystem starts from zero.

The spec-first alternative

What if the specification were the portable artifact instead of the code?

Imagine an HTTP client specification, not the RFC itself (which describes the protocol), but a behavioral specification for a client library: how it handles redirects, what retry policy it applies, how it manages connection pools, what timeout defaults it uses. This specification would be language-agnostic. It describes behavior, not implementation.

Now implement that specification in C#. Validate it. Lock it. The behavior is now a verified contract.

When you need the same behavior in Go, you don’t start from scratch. You point an AI at the locked specification and the validated C# implementation, and it generates a Go implementation that targets the same spec. The spec is the constant. The language is the variable.

Bugs found in one implementation trigger re-validation across all implementations of the same spec. Security patches to the spec propagate to every target language. Improvements to the behavioral specification, a better retry policy, a more robust timeout strategy, can be re-implemented everywhere because the what is defined once and the how is generated per target.

This is how every other engineering discipline works. You don’t redesign a bridge from first principles every time you build one in a new city. You work from known specifications and adapt the implementation to local conditions. Software is the only field where the entire knowledge base gets rebuilt from scratch every time the toolchain changes.

The compound cost

The cost of reimplementation isn’t just the initial development. It’s the ongoing maintenance multiplied across every duplicate.

Every independent implementation needs its own test suite, its own CI pipeline, its own maintainers, its own issue tracker, its own release cycle, its own security audit. The operational overhead of maintaining the same behavior across ten language ecosystems is roughly ten times the cost of maintaining it once.

And that’s before you account for the inconsistencies. Each implementation makes slightly different decisions about edge cases. Each one has slightly different defaults. Each one has its own quirks. The specification is the same, but the behavior diverges, not because of language differences, but because every implementation is an independent interpretation of the same source material.

The industry has accepted this as normal. It isn’t. It’s a structural failure that a specification-first approach would eliminate. Not by replacing the implementations, language-specific code will always exist, but by ensuring that every implementation is validated against the same behavioral contract, and that the knowledge encoded in that contract is maintained once, not a thousand times.