Fedora Hummingbird: A Rolling, Container-Native OS for the Security-Conscious Developer

Introduction

At Red Hat Summit 2026, a new distribution was unveiled: Fedora Hummingbird. This rolling-release Fedora Linux distribution is built on a container-based model, offering developers immediate access to the latest upstream software packages. The goal is to keep systems both up-to-date and secure by design. Unlike traditional distributions, Fedora Hummingbird extends the principles of container images—distroless, minimal, and hardened—all the way down to the host operating system. If you're familiar with Project Hummingbird or Project Bluefin, you'll recognize the pattern: image-based workflows that run anywhere, from bare metal to virtual machines.

Source: fedoramagazine.org

What Is Project Hummingbird?

Project Hummingbird's central mission is to achieve and maintain near-zero CVE reports in every container image it ships. Every architectural decision—distroless images, minimal package footprints, hermetic builds, and pipeline automation—serves this single objective. A distroless image contains no package manager and no shell, only the application and the runtime dependencies it strictly requires. This dramatically reduces the attack surface and eliminates the need for manual vulnerability triage.

Why does this matter for developers? When you pull a third-party container image today, you inherit its vulnerabilities and are responsible for managing them. With Hummingbird, the pipeline already performs CVE triage, patching, and rebuilding. You skip the so-called CVE hell. The team publishes live CVE status for all images and variants in the Hummingbird catalog.

Image Catalog and Variants

Over the past eight months, the team has built a catalog of 49 unique distroless, hardened container images (157 variants including FIPS and multi-arch). These cover a wide range of runtimes: Python, Go, Node.js, Rust, Ruby, OpenJDK, .NET, PostgreSQL, nginx, and many more. Each image is minimal by design—no extraneous tools, no shell access—just what the application needs to run securely.

How Fedora Hummingbird Works

Fedora Hummingbird applies the same image-based, rolling-release model from Project Hummingbird to the entire operating system. The foundation already ships today from the Hummingbird containers repository; you can pull and boot it right now. It uses an image-based workflow similar to containers but also runs in virtual machines and on bare metal.

If you've been following Project Bluefin's operating system work, you know the model. Fedora Hummingbird extends that approach further down to the host OS level. Essentially, every part of the system—from the kernel to userland applications—is delivered as a minimal, hardened image with continuous updates.

The Core Principles

Under the Hood: Build Pipeline and Security

The infrastructure powering Fedora Hummingbird is a Konflux-based pipeline. It performs fully isolated, reproducible builds from pinned package lists, uses efficient incremental updates via a custom tool called chunkah (which ensures only changed parts of an image are re-downloaded), and continuously scans for vulnerabilities using Syft and Grype. When a vulnerability is patched upstream, the pipeline automatically detects the fix, then rebuilds, tests, and ships a new image.
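
As an added illustration of the scan-and-rebuild step (not Hummingbird's pipeline code), the sketch below triages a Grype JSON report: findings with a published fixed version trigger a rebuild, and the rest are tracked until a fix exists. The report is constructed, with placeholder CVE ids and package names, and `triage` and `needs_rebuild` are hypothetical names.

```python
import json

# Constructed sample shaped like `grype <image> -o json` output, trimmed to the
# fields used below. CVE ids and package names are placeholders, not real data.
def _match(cve, severity, state, fixed_in, pkg, version):
    return {"vulnerability": {"id": cve, "severity": severity,
                              "fix": {"state": state, "versions": fixed_in}},
            "artifact": {"name": pkg, "version": version, "type": "rpm"}}

SAMPLE_REPORT = json.dumps({"matches": [
    _match("CVE-0000-0001", "High", "fixed", ["3.2.1-2"], "libexample", "3.2.1-1"),
    _match("CVE-0000-0002", "Critical", "not-fixed", [], "examplelib", "1.0"),
    _match("CVE-0000-0003", "Low", "fixed", ["2.0"], "exampletool", "1.9"),
    _match("CVE-0000-0004", "Medium", "wont-fix", [], "libexample", "3.2.1-1"),
]})

SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

def triage(report_json, min_severity="medium"):
    """Split Grype matches at or above min_severity into:
    rebuild: {package: {CVE ids}} where a fixed version is published
    track:   [(CVE id, package, fix state)] where no fix exists yet
    """
    floor = SEVERITY_RANK[min_severity.lower()]
    rebuild, track = {}, []
    for match in json.loads(report_json).get("matches", []):
        vuln, pkg = match["vulnerability"], match["artifact"]
        # Unrecognised severities (e.g. "Unknown") are kept rather than dropped.
        rank = SEVERITY_RANK.get(str(vuln.get("severity", "")).lower(), floor)
        if rank < floor:
            continue
        fix = vuln.get("fix") or {}
        if fix.get("state") == "fixed" and fix.get("versions"):
            rebuild.setdefault(pkg["name"], set()).add(vuln["id"])
        else:
            track.append((vuln["id"], pkg["name"], fix.get("state", "unknown")))
    return rebuild, track

def needs_rebuild(report_json, min_severity="medium"):
    """True when at least one in-scope finding can be closed by rebuilding."""
    rebuild, _ = triage(report_json, min_severity)
    return bool(rebuild)

if __name__ == "__main__":
    to_rebuild, to_track = triage(SAMPLE_REPORT)
    print("rebuild:", to_rebuild)
    print("track:", to_track)
```

Separating fixable findings from unfixed ones keeps the rebuild trigger tied to what a new image can actually close, while the tracked list shows what remains open.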

Approximately 95% of the packages in every Hummingbird image come directly from Fedora Rawhide, unmodified. The remaining packages are pulled from upstream when Rawhide doesn't carry them or isn't new enough, and the team contributes these changes back to Fedora. This approach resembles Fedora CoreOS but serves a different use case: CoreOS is a minimal host for orchestrated workloads, whereas Hummingbird focuses on providing a developer-friendly, rolling, distroless environment for both containerized and bare-metal applications.

Availability and Roadmap

Fedora Hummingbird is now available in its initial form. You can download and boot it immediately from the Hummingbird containers repository. The team plans to expand the catalog of supported runtimes and add more tooling for developers. Long-term goals include deeper integration with the Fedora ecosystem and further reducing CVEs across all images.

For more information, visit the official Fedora Hummingbird website or explore the Project Hummingbird documentation.
