Fedora Hummingbird: A Deep Dive into the New Container-Based Rolling Linux


Fedora Hummingbird is a groundbreaking container-based rolling release of Fedora Linux, unveiled at Red Hat Summit 2026. It delivers the latest software updates straight from upstream, keeping systems both secure and current. Built on the principles of Project Hummingbird, which focuses on near-zero CVE container images, and on Project Bluefin’s OS model, Fedora Hummingbird extends this minimal, hardened approach all the way to the host operating system. It uses an image-based workflow similar to containers and runs in virtual machines and on bare metal; its foundation is already available to pull and boot today from the Hummingbird containers repository. This Q&A explores its core concepts, architecture, and benefits.

What is Fedora Hummingbird?

Fedora Hummingbird is a new rolling Fedora Linux distribution that emphasizes container-like image-based workflows. It gives users immediate access to the latest software as soon as it's available upstream, so systems stay both current and secure. Unlike traditional Fedora releases, Fedora Hummingbird operates on a continuous update model, similar to Fedora Rawhide but with additional hardening and automated vulnerability management. It can be deployed in virtual machines, on bare metal, or as a container host, making it versatile for developers and system administrators who need the newest packages without waiting for periodic releases.

Source: fedoramagazine.org

How does Fedora Hummingbird differ from traditional Fedora?

Traditional Fedora follows a fixed release cycle with major updates every six months. Fedora Hummingbird, in contrast, is a rolling distribution—packages are updated continuously as soon as they are built upstream. This eliminates the need for major version upgrades and reduces the time between software release and availability. Additionally, Fedora Hummingbird adopts a distroless approach for its container images, meaning no package manager or shell is included; only the application and its essential runtime dependencies are present. This minimizes attack surface and vulnerability exposure. The entire OS image is built and maintained by an automated pipeline that scans for CVEs, applies patches, and rebuilds, ensuring the system stays secure without manual intervention.

What is Project Hummingbird’s core goal?

Project Hummingbird aims to achieve near-zero Common Vulnerabilities and Exposures (CVE) reports in every container image it ships, and to maintain that state continuously. Every architectural decision—from using distroless images with minimal package footprints to hermetic builds and extensive pipeline automation—serves this goal. “Distroless” means the image contains only the application and its strictly necessary dependencies: no package manager, no shell, no extraneous tools that could introduce vulnerabilities. When you pull a typical third-party container image, you inherit all its CVEs and must manage patching yourself. With a Hummingbird image, the pipeline has already triaged, patched, and rebuilt the image, saving you from “CVE hell.” The team publishes live CVE status for all images and variants in the Hummingbird catalog.

Why are distroless images important for security?

Distroless images drastically reduce the attack surface by stripping away unnecessary components like package managers, shells, and system utilities. In a typical container, a vulnerability in Bash or a package manager update tool can be exploited. By removing these elements, Hummingbird images contain only what the application needs to run—nothing more. This makes them inherently harder to compromise because there are fewer entry points for attackers. The approach also simplifies vulnerability management: with fewer packages, the number of potential CVEs drops, and the automated pipeline can respond faster when a patch is needed. For developers, this translates to fewer security headaches and more confidence in the container’s integrity from the moment it’s pulled.
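The "no package manager, no shell" property can be checked rather than taken on trust. The following is an added example, not code from the Hummingbird project: it audits a root filesystem tarball (the kind `podman export` writes) for shells and package managers. The deny-lists, function names and the two in-memory sample tarballs are assumptions constructed for this illustration.

```python
import io
import posixpath
import tarfile

# Assumed deny-lists for this example; extend them to match your own policy.
SHELLS = {"sh", "bash", "dash", "ash", "zsh", "busybox"}
PKG_MANAGERS = {"dnf", "dnf5", "microdnf", "yum", "rpm", "apt", "apt-get", "dpkg", "apk"}
BIN_DIRS = {"bin", "sbin", "usr/bin", "usr/sbin", "usr/local/bin"}


def audit_rootfs(tar_bytes: bytes) -> dict:
    """List shells and package managers present in a root filesystem tarball."""
    findings = {"shells": [], "package_managers": []}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for member in tar:
            # Symlinks and hard links count: /bin/sh is often a link to another shell.
            if not (member.isfile() or member.issym() or member.islnk()):
                continue
            path = posixpath.normpath(member.name).lstrip("/")
            directory, name = posixpath.split(path)
            if directory not in BIN_DIRS:
                continue
            if name in SHELLS:
                findings["shells"].append(path)
            elif name in PKG_MANAGERS:
                findings["package_managers"].append(path)
    for found in findings.values():
        found.sort()
    return findings


def build_sample_rootfs(entries) -> bytes:
    """Build a constructed tarball from (path, symlink_target_or_None) pairs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, link in entries:
            info = tarfile.TarInfo(path)
            if link is None:
                info.mode, info.size = 0o755, 4
                tar.addfile(info, io.BytesIO(b"\x7fELF"))
            else:
                info.type, info.linkname = tarfile.SYMTYPE, link
                tar.addfile(info)
    return buf.getvalue()


# Constructed samples: a general-purpose base image layout and a distroless one.
TYPICAL = build_sample_rootfs([("./usr/bin/bash", None), ("./usr/bin/sh", "bash"),
                               ("./usr/bin/microdnf", None), ("./usr/share/doc/bash", None)])
DISTROLESS = build_sample_rootfs([("./usr/bin/python3", None), ("./usr/lib64/libc.so.6", None)])
```

An empty result for both lists is the pass condition; anything else is a finding to track against the image's stated distroless claim.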


What technologies power Fedora Hummingbird?

The build infrastructure relies on a Konflux-based pipeline that supports fully isolated, reproducible builds from pinned package lists. Efficient incremental updates are handled by chunkah, an in-house tool that ensures only changed parts of an image are re-downloaded during updates. Continuous vulnerability scanning uses Syft and Grype to detect CVEs. When a vulnerability is patched upstream, the pipeline automatically detects it, rebuilds the affected image, runs tests, and ships the new version. Over 95% of packages in Hummingbird images come directly from Fedora Rawhide unmodified; the remaining packages are pulled from upstream sources when Rawhide doesn’t yet have them or is outdated. Contributions are fed back to Fedora, strengthening the ecosystem.
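The detect-then-rebuild step described above can be sketched as a triage over Grype's JSON output (`grype <image> -o json`). This is an added example, not the Hummingbird pipeline's own code: it separates findings that already have an upstream fix, which justify a rebuild, from those still waiting on one. The field names follow Grype's JSON report; the package names, versions and CVE identifiers are constructed placeholders.

```python
import json

# Constructed Grype report, trimmed to the fields used here (placeholder IDs).
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                       "fix": {"versions": ["3.2.1"], "state": "fixed"}},
     "artifact": {"name": "examplelib", "version": "3.2.0", "type": "rpm"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "Medium",
                       "fix": {"versions": ["3.2.1"], "state": "fixed"}},
     "artifact": {"name": "examplelib", "version": "3.2.0", "type": "rpm"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "otherlib", "version": "1.0.0", "type": "rpm"}},
]})


def rebuild_plan(report_json: str) -> dict:
    """Split Grype matches into fixes available now vs. still waiting on upstream."""
    upgrades, waiting = {}, []
    for match in json.loads(report_json).get("matches", []):
        vuln, art = match["vulnerability"], match["artifact"]
        fix = vuln.get("fix") or {}
        if fix.get("state") == "fixed" and fix.get("versions"):
            # Group by installed package so one version bump clears several CVEs.
            entry = upgrades.setdefault(
                (art["name"], art["version"]), {"cves": [], "fixed_in": set()})
            entry["cves"].append(vuln["id"])
            entry["fixed_in"].update(fix["versions"])
        else:
            waiting.append(vuln["id"])
    return {
        "rebuild": bool(upgrades),
        "upgrades": [
            {"package": name, "installed": ver,
             "fixed_in": sorted(e["fixed_in"]), "cves": sorted(e["cves"])}
            for (name, ver), e in sorted(upgrades.items())
        ],
        "awaiting_upstream": sorted(waiting),
    }
```

Findings in `awaiting_upstream` do not trigger a rebuild on their own; they are the ones to track in the image's published CVE status until a fixed version appears.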

How does Fedora Hummingbird compare to Fedora CoreOS?

Both projects stem from similar ideas but serve different purposes. Fedora CoreOS is a minimal host for orchestrated container workloads, optimized for clusters and automation. It provides a lean operating system focused on running containers reliably at scale. Fedora Hummingbird, on the other hand, extends the minimal, hardened, container-like experience to the entire OS, including the host. It targets users who want a rolling, up-to-date system for development, testing, or production, but with the same security discipline applied to every layer—from the kernel to application images. While CoreOS is ideal for orchestrators, Fedora Hummingbird is designed for broader use cases where immediate software updates and minimal attack surface are priorities.

What container images are available now?

Over the past eight months, the team has built a catalog of 49 unique minimal, hardened, distroless container images, with 157 variants including FIPS-compliant and multi-architecture options. These cover popular runtimes and applications: Python, Go, Node.js, Rust, Ruby, OpenJDK, .NET, PostgreSQL, nginx, and dozens more. Each image follows the distroless model—no package manager, no shell, only the application and its precise runtime needs. You can pull and boot the base OS image right now from the Hummingbird containers repository. The entire catalog is continuously updated by the automated pipeline, ensuring that every image stays as close to zero CVEs as possible.
