Fedora Hummingbird: A Rolling, Container-Based Linux Distribution Built on Project Hummingbird's Zero-CVE Foundation

Introduction

At the 2026 Red Hat Summit, a new Fedora variant was unveiled: Fedora Hummingbird. This rolling, container-based Linux distribution promises to deliver the latest upstream software with a strong emphasis on security and minimal vulnerabilities. But what does this mean for developers, sysadmins, and container users? In this article, we explore the core concepts behind Fedora Hummingbird, its connection to Project Hummingbird, and the innovative pipeline that keeps it secure and up to date.

Source: fedoramagazine.org

What Is Fedora Hummingbird?

Fedora Hummingbird is a rolling release distribution that follows an image-based workflow—similar to container images—but extends this model to the entire operating system, including the host OS. It can run on virtual machines, bare metal, or in container environments. The distribution is built on the principles of Project Hummingbird, aiming to provide access to the newest software as soon as it's available upstream, ensuring both freshness and security.

Core Concepts

The key idea is to treat the entire OS like a container image: immutable, reproducible, and automatically patched. Users no longer need to manually manage packages or fear configuration drift. Every update is atomic and can be rolled back seamlessly. This approach reduces the attack surface and operational overhead.

The Foundation: Project Hummingbird

Project Hummingbird has been working for over eight months to create a catalog of ultra-secure container images. The central goal is to achieve and maintain a state of zero CVE reports in every image it ships. To accomplish this, the team made deliberate architectural decisions: distroless images, minimal package footprints, hermetic builds, and extensive automation.

Zero CVE Approach

When you pull a third-party container image, you inherit its vulnerabilities and become responsible for patching them. Hummingbird images shift that work to the project: its pipeline performs continuous CVE triage, automates patching, and rebuilds images, so users are spared the recurring triage-and-patch cycle. The live CVE status for all images and variants is published in the Hummingbird catalog.

Distroless Images

"Distroless" means the image contains only the application and its strict runtime dependencies—no package manager, no shell, no extra utilities. This drastically reduces the attack surface and simplifies vulnerability management. The current catalog boasts 49 unique minimal, hardened, distroless images, with 157 variants including FIPS and multi-arch support. Languages and runtimes covered include Python, Go, Node.js, Rust, Ruby, OpenJDK, .NET, PostgreSQL, nginx, and many more.

How It's Built

The infrastructure behind Fedora Hummingbird is built on a Konflux-based pipeline—a modern container build system that ensures reproducibility and security. Let's examine the key components.

Konflux Pipeline

The pipeline performs fully isolated, reproducible builds from pinned package lists. Every build uses a hermetic environment, meaning dependencies are locked and version-controlled. This guarantees that the same source produces the same output every time, eliminating surprises.

Incremental Updates with Chunkah

To avoid re-downloading entire images on each update, the Hummingbird team built a tool called chunkah. It enables efficient incremental updates by only transferring changed parts of an image. This reduces bandwidth usage and speeds up updates, especially for large deployments.

Vulnerability Scanning

Continuous vulnerability scanning is performed using Syft and Grype. When a patched package is available upstream, the pipeline detects the vulnerability, rebuilds the affected image, runs tests, and ships the update—all automatically. This closed loop ensures that images remain secure without manual intervention.
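
The detect step of that loop can be reduced to a rebuild decision. The following is an added example, not Project Hummingbird's pipeline code: it reads a report shaped like Grype's JSON output and separates findings that have a published fix (rebuild candidates) from those that do not. The sample report, package names and CVE ids are constructed placeholders.

```python
import json

# Constructed sample shaped like `grype <image> -o json` output, trimmed to the
# fields used below. Packages, versions and CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                       "fix": {"state": "fixed", "versions": ["3.2.1-2"]}},
     "artifact": {"name": "openssl-libs", "version": "3.2.1-1", "type": "rpm"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "Medium",
                       "fix": {"state": "fixed", "versions": ["3.2.1-3"]}},
     "artifact": {"name": "openssl-libs", "version": "3.2.1-1", "type": "rpm"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low",
                       "fix": {"state": "not-fixed", "versions": []}},
     "artifact": {"name": "zlib", "version": "1.3.1-1", "type": "rpm"}},
    {"vulnerability": {"id": "CVE-0000-0004", "severity": "Critical",
                       "fix": {"state": "wont-fix", "versions": []}},
     "artifact": {"name": "glibc", "version": "2.40-1", "type": "rpm"}},
]})


def triage(report_json):
    """Return (rebuild, pending): packages with a published fix, grouped by
    name, and findings with no fix yet that need a human triage decision."""
    rebuild, pending = {}, []
    for match in json.loads(report_json).get("matches", []):
        vuln, pkg = match["vulnerability"], match["artifact"]
        fix = vuln.get("fix") or {}
        state = fix.get("state", "unknown")
        if state == "fixed" and fix.get("versions"):
            entry = rebuild.setdefault(
                pkg["name"],
                {"installed": pkg["version"], "cves": [], "fixed_in": []})
            entry["cves"].append(vuln["id"])
            # Lexical sort for stable output only; this is not RPM version order.
            entry["fixed_in"] = sorted(set(entry["fixed_in"]) | set(fix["versions"]))
        else:
            pending.append((vuln["id"], pkg["name"], state))
    return rebuild, pending


if __name__ == "__main__":
    rebuild, pending = triage(SAMPLE_REPORT)
    for name, info in rebuild.items():
        print(f"rebuild: {name} {info['installed']} -> one of {info['fixed_in']} "
              f"({', '.join(info['cves'])})")
    for cve, name, state in pending:
        print(f"triage:  {cve} in {name} ({state})")
```

Findings in the `pending` list are the ones automation alone cannot close: no rebuild removes them until a fix is published, so they are where manual triage effort belongs.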

Package Sourcing

More than 95% of packages in Hummingbird images come directly from Fedora Rawhide, unmodified. The remaining packages are pulled from upstream sources when Rawhide doesn't carry them or offers outdated versions. The team actively contributes changes back to Fedora, strengthening the community. This approach is reminiscent of Fedora CoreOS, but Hummingbird serves a different use case: CoreOS is a minimal host for orchestrated workloads, while Hummingbird focuses on delivering a fully secure, rolling OS for developers and operators who want the latest software with zero vulnerability overhead.

Current Status and Availability

Fedora Hummingbird is not just a future plan—the foundation already ships today from the Hummingbird containers repository. Users can pull and boot it right now. The project continues to expand the image catalog and refine the pipeline, with the ultimate goal of making zero-CVE computing accessible to everyone.

Conclusion

Fedora Hummingbird represents a significant step forward in operating system design. By applying container principles to the host OS, combining them with the zero-CVE rigor of Project Hummingbird, and automating the entire lifecycle with a Konflux pipeline, it offers a unique blend of freshness, security, and ease of use. Whether you're a developer tired of fighting CVEs, a sysadmin seeking predictable rollouts, or an enthusiast wanting the latest software without compromise, Fedora Hummingbird is worth exploring.
