NativeLink
FAQ

What is Nix?

A purely functional package manager that gives NativeLink its hermeticity guarantees.

Nix is a package manager that builds every package in isolation, with a hash that encodes every input — source code, dependencies, build flags, even the version of gcc used to compile the dependencies. Two machines running the same Nix flake produce bit-identical artifacts.

That property — hash-pinned, content-addressed everything — is what NativeLink needs for LRE and is why we use Nix to provision toolchains.

What it gives you, concretely

  • Toolchains in the Nix store. Your clang lives at /nix/store/abc123-clang-18.1.6/bin/clang. The path itself is the hash. NativeLink can use that path as an input identifier directly.
  • No "global" state to leak. A Nix shell exposes only the packages you ask for. There's no /usr/lib to accidentally depend on.
  • Reproducible across machines. nix develop on your laptop and on CI produces the same shell, byte-for-byte.

What you give up

  • A learning curve. The Nix language is unfamiliar; the error messages take getting used to.
  • Initial download time. The first nix develop for a big project fetches gigabytes.

How to start

The next-gen Nix installer is the smoothest path. After installing:

git clone https://github.com/TraceMachina/nativelink
cd nativelink
nix develop

You're now in a shell with the exact toolchain CI uses — Rust, Bazel, mold, protoc, the works.

For a full LRE setup, see Explanations → LRE.

How do I make my Bazel setup hermetic?

Eliminate every "it works on my machine" by declaring every input.

Why Rust?

Memory safety without garbage collection — the right shape for a service that has to be fast and never lie.

On this page

What it gives you, concretelyWhat you give upHow to start