Fedora Hummingbird: Rolling OS with Container-Grade Security and Freshness

From Xshell Ssh, the free encyclopedia of technology

Introduction

At Red Hat Summit 2026, a new Fedora Linux distribution called Fedora Hummingbird was unveiled. This rolling release OS combines the reliability of Fedora with an image-based, container-inspired workflow. It delivers the latest upstream software as soon as it becomes available, ensuring up-to-date security and features. The distribution runs on containers, virtual machines, and even bare metal, making it versatile for developers and operators alike.

Fedora Hummingbird: Rolling OS with Container-Grade Security and Freshness
Source: fedoramagazine.org

From Container Images to Full Operating System

Fedora Hummingbird extends the principles of Project Hummingbird—a set of minimal, hardened container images—to the entire host OS. If you already use Hummingbird containers or have experimented with Project Bluefin’s OS-level approach, you’ll recognize the model. This distribution applies the same image-based workflow all the way down to the system layer, providing a consistent, secure experience from kernel to application.

What Is Project Hummingbird?

The core mission of Project Hummingbird is to achieve and maintain a near-zero CVE count in every container image it ships. Every architectural decision—distroless images, minimal package footprints, hermetic builds, and extensive pipeline automation—serves that goal. “Distroless” means no package manager, no shell, only the application and its essential runtime dependencies. This drastically reduces the attack surface and simplifies vulnerability management.

Why Distroless Matters

When you pull a third-party container image, you inherit its vulnerabilities and must manage them yourself. With a Hummingbird image, the team’s pipeline has already performed CVE triage, patching, and rebuilding. You skip the “CVE hell” of manual updates. (Live CVE status for all images and variants is publicly available at the Hummingbird catalog.) Over the past eight months, the team built a catalog of 49 unique minimal, hardened, distroless images—157 variants including FIPS and multi-arch—covering Python, Go, Node.js, Rust, Ruby, OpenJDK, .NET, PostgreSQL, nginx, and many more.

How Fedora Hummingbird Is Built

The infrastructure relies on a Konflux-based pipeline. This system performs fully isolated, reproducible builds from pinned package lists. Efficient incremental updates use chunkah, a custom tool that ensures only changed parts of an image are re-downloaded. Continuous vulnerability scanning with Syft and Grype catches issues early. When an upstream vulnerability is patched, the pipeline automatically rebuilds, tests, and ships the updated image.
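The scan-then-rebuild step described above can be sketched as a triage over Grype's JSON report, separating findings that a rebuild would clear from those still waiting on a fix. This is an added example, not Hummingbird's pipeline code; the sample report is constructed, its CVE IDs and package names are placeholders, and the function names are hypothetical.

```python
import json

# Constructed sample in the shape of `grype <image> -o json` output
# (only the fields used here); IDs and package names are placeholders.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                           "fix": {"state": "fixed", "versions": ["3.2.1-2"]}},
         "artifact": {"name": "examplelib", "version": "3.2.1-1", "type": "rpm"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "Critical",
                           "fix": {"state": "not-fixed", "versions": []}},
         "artifact": {"name": "exampled", "version": "1.0-4", "type": "rpm"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low",
                           "fix": {"state": "fixed", "versions": ["2.0-1"]}},
         "artifact": {"name": "exampletool", "version": "1.9-7", "type": "rpm"}},
        {"vulnerability": {"id": "CVE-0000-0004", "severity": "Medium",
                           "fix": {"state": "wont-fix", "versions": []}},
         "artifact": {"name": "exampled", "version": "1.0-4", "type": "rpm"}},
    ]
})

SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

def triage(report_json, min_severity="Low"):
    """Split findings into 'rebuild' (a fixed version exists, so a rebuild
    clears it) and 'track' (no fix yet; needs triage or an upstream patch)."""
    floor = SEVERITY_RANK[min_severity]
    rebuild, track = [], []
    for match in json.loads(report_json).get("matches", []):
        vuln, art = match["vulnerability"], match["artifact"]
        # Unknown severities rank as Critical so they are never silently dropped.
        if SEVERITY_RANK.get(vuln.get("severity"), 4) < floor:
            continue
        fix = vuln.get("fix") or {}
        item = (vuln["id"], art["name"], art["version"], fix.get("versions") or [])
        (rebuild if fix.get("state") == "fixed" else track).append(item)
    return rebuild, track

def rebuild_needed(report_json, min_severity="Low"):
    """True when at least one finding would disappear after a rebuild."""
    return bool(triage(report_json, min_severity)[0])

if __name__ == "__main__":
    fixable, pending = triage(SAMPLE_REPORT)
    print("rebuild clears:", fixable)
    print("still tracking:", pending)
```

Findings in the second list are the ones that keep an image's CVE count above zero until upstream or the distribution ships a patch, so they are the ones to watch in a published CVE status.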

Over 95% of packages in each Hummingbird image come directly from Fedora Rawhide, unmodified. For packages not yet in Rawhide or needing a newer version, the system pulls directly from upstream, and the team contributes changes back to Fedora. This approach shares DNA with Fedora CoreOS but serves a different use case: CoreOS is minimal for orchestrated workloads, while Fedora Hummingbird provides a full, rolling OS for interactive use.

Current State and Availability

The foundation for Fedora Hummingbird already ships from the Hummingbird containers repository. You can pull and boot it right now. The rolling release model means you always get the latest software without waiting for point releases. For developers seeking cutting-edge tools with enterprise-grade security, this distribution bridges the gap.

Conclusion

Fedora Hummingbird represents a significant step forward in operating system design. By applying container-level security and freshness to the full OS, it offers a compelling alternative for users who want a stable yet up-to-date environment. Whether you’re running containers on bare metal or exploring modern DevOps workflows, this distribution simplifies vulnerability management and accelerates access to innovations.