Fedora Hummingbird: A Deep Dive into the Container-Based Rolling Linux Distribution

Last updated: 2026-05-17 17:02:43 Intermediate

Fedora Hummingbird, announced at Red Hat Summit 2026, is a revolutionary container-based rolling Linux distribution that brings the security and efficiency of Project Hummingbird's distroless images to the full operating system. Built on an image-based workflow, it runs on virtual machines and bare metal, providing access to the latest upstream software continuously. This Q&A explores the key features, benefits, and architecture of Fedora Hummingbird.

What Is Fedora Hummingbird?

Fedora Hummingbird is a new rolling Linux distribution that uses a container-based approach to deliver up-to-date and secure software. Unlike traditional distributions that rely on package managers and periodic updates, Fedora Hummingbird uses an image-based workflow similar to containers. This means the entire operating system is delivered as immutable images, which can be booted on virtual machines or bare metal. The foundation for Fedora Hummingbird already exists in the Hummingbird containers repository, and you can pull and boot it today. By providing access to software as soon as it's available upstream, the distribution stays secure and current, while the stateless, distroless design minimizes the attack surface.

Source: fedoramagazine.org

How Does Fedora Hummingbird Connect to Project Hummingbird?

Project Hummingbird is the upstream initiative focused on creating minimal, hardened container images with the goal of achieving zero CVE reports continuously. Fedora Hummingbird applies this exact model from the container level down to the host operating system. While Project Hummingbird ships individual distroless images (for Python, Go, Node.js, and so on), Fedora Hummingbird extends that philosophy to the OS itself. Both share the same principles: hermetic builds, minimal package footprints, and automated CVE triage. Therefore, if you've followed Project Hummingbird or Bluefin's work, you already understand the underlying concept; Fedora Hummingbird simply scales it to cover the full system.

How Does Fedora Hummingbird Achieve Near-Zero CVEs?

The core of Fedora Hummingbird's security is its fully automated pipeline built on Konflux. Every image is built from pinned package lists in isolated, reproducible environments. The pipeline continuously scans for vulnerabilities using Syft and Grype. When a CVE is patched upstream, the system automatically rebuilds and tests the affected images. Additionally, the distroless nature—removing package managers, shells, and unnecessary utilities—drastically reduces the attack surface. The team also developed a tool called chunkah, which ensures efficient incremental updates by redownloading only changed parts of an image. Combined, these measures allow Fedora Hummingbird to stay ahead of threats, with current CVE status published live on the Hummingbird catalog.

What Are Distroless Images and Why Are They Used?

Distroless images are container images that contain only the absolute minimum needed to run an application: the application itself, its runtime dependencies, and nothing else—no package manager, no shell, no system utilities. Fedora Hummingbird uses distroless images to minimize the attack surface and eliminate unnecessary vulnerabilities. When you pull a third-party container image today, you inherit all its CVEs and must manage patches yourself. With Fedora Hummingbird, that burden is removed—the pipeline already triages, patches, and rebuilds every image. Currently, the catalog includes 49 unique distroless images covering languages like Python, Go, Node.js, Rust, and services like PostgreSQL, nginx, and many more. Each image is also available in multiple variants, including FIPS and multi-architecture versions.
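
The "no package manager, no shell" property can be checked mechanically. The following is an added example, not code from the article or from the Hummingbird project: it audits an exported root filesystem tar for shell and package-manager binaries. The deny-lists, function names and both sample filesystems are assumptions constructed for illustration.

```python
import io
import posixpath
import tarfile

# Illustrative deny-lists (assumptions, not a list published by the project).
SHELLS = {"sh", "bash", "dash", "ash", "zsh", "busybox"}
PACKAGE_MANAGERS = {"dnf", "dnf5", "yum", "microdnf", "rpm", "apt", "apt-get", "dpkg", "apk"}
BIN_DIRS = {"bin", "sbin", "usr/bin", "usr/sbin", "usr/local/bin"}


def audit_rootfs(tar_bytes):
    """Return sorted (category, path) findings for a root filesystem tar."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for member in tar:
            path = posixpath.normpath(member.name).lstrip("/")
            directory, name = posixpath.split(path)
            if directory not in BIN_DIRS:
                continue
            # Shells are often symlinks (/bin/sh -> bash), so links count too.
            is_link = member.issym() or member.islnk()
            is_exec = member.isfile() and member.mode & 0o111
            if not (is_link or is_exec):
                continue
            if name in SHELLS:
                findings.append(("shell", path))
            elif name in PACKAGE_MANAGERS:
                findings.append(("package-manager", path))
    return sorted(findings)


def build_rootfs(entries):
    """Build a constructed rootfs tar; entries map path -> symlink target or None."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, target in entries.items():
            info = tarfile.TarInfo(path)
            if target is None:
                info.mode = 0o755
                tar.addfile(info, io.BytesIO(b""))
            else:
                info.type, info.linkname = tarfile.SYMTYPE, target
                tar.addfile(info)
    return buf.getvalue()


# Constructed samples: a distroless-style layout and a conventional one.
DISTROLESS = build_rootfs({"./usr/bin/python3": None, "./usr/lib64/libc.so.6": None})
CONVENTIONAL = build_rootfs({"./usr/bin/bash": None, "./bin/sh": "bash",
                             "./usr/bin/dnf": None, "./usr/bin/python3": None})
```

In practice the input would be the tar produced by `podman export` on a container created from the image under review.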

What Build Pipeline Powers Fedora Hummingbird?

The distribution relies on a Konflux-based pipeline that automates the entire build, scan, and release cycle. It uses fully isolated, reproducible builds from pinned package lists to ensure consistency. Incremental updates are handled by chunkah, a custom tool that redownloads only changed parts of an image, making updates fast and bandwidth-efficient. After building, every image undergoes continuous vulnerability scanning with Syft and Grype. When a fix is applied upstream, the pipeline detects the change, rebuilds the affected image, runs tests, and ships the updated version. This fully automated flow means that users always receive the latest patched images without manual intervention, aligning with the zero-CVE goal.
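
The scan-then-rebuild decision described here and in the near-zero-CVE section above can be sketched as a triage step over a Grype JSON report. This is an added example, not the project's Konflux pipeline code: the report, the pinned package list, the placeholder CVE ids and the `triage` function are constructed for illustration, and only the `matches` / `vulnerability.fix` / `artifact` fields of Grype's JSON output are assumed.

```python
import json

# Constructed sample shaped like `grype <image> -o json` output (fields trimmed;
# CVE ids and versions are placeholders).
GRYPE_JSON = """
{"matches": [
 {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
   "fix": {"versions": ["3.2.1-2"], "state": "fixed"}},
  "artifact": {"name": "openssl-libs", "version": "3.2.1-1", "type": "rpm"}},
 {"vulnerability": {"id": "CVE-0000-0002", "severity": "Medium",
   "fix": {"versions": ["3.2.1-3"], "state": "fixed"}},
  "artifact": {"name": "openssl-libs", "version": "3.2.1-1", "type": "rpm"}},
 {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low",
   "fix": {"versions": [], "state": "not-fixed"}},
  "artifact": {"name": "zlib", "version": "1.3.1-1", "type": "rpm"}},
 {"vulnerability": {"id": "CVE-0000-0004", "severity": "High",
   "fix": {"versions": ["8.6-1"], "state": "fixed"}},
  "artifact": {"name": "curl", "version": "8.5-1", "type": "rpm"}}
]}
"""

# Constructed pinned package list for the image (name -> version).
PINNED = {"openssl-libs": "3.2.1-1", "zlib": "1.3.1-1"}


def triage(report, pinned):
    """Sort Grype matches into pin bumps, findings without a fix, and pin drift."""
    bumps, waiting, drift = {}, [], set()
    for match in report.get("matches", []):
        vuln, art = match["vulnerability"], match["artifact"]
        name, fix = art["name"], vuln.get("fix") or {}
        if pinned.get(name) != art["version"]:
            # Scanned package is absent from the pin list or at another version:
            # the image was not built from the pins, so flag it for investigation.
            drift.add(name)
        if fix.get("state") == "fixed" and fix.get("versions"):
            entry = bumps.setdefault(name, {"cves": [], "fixed_in": []})
            entry["cves"].append(vuln["id"])
            # Lexical order only; this is not RPM version comparison.
            entry["fixed_in"] = sorted(set(entry["fixed_in"]) | set(fix["versions"]))
        else:
            waiting.append((vuln["id"], name, fix.get("state", "unknown")))
    return {"rebuild": bool(bumps), "bumps": bumps,
            "waiting": sorted(waiting), "drift": sorted(drift)}


RESULT = triage(json.loads(GRYPE_JSON), PINNED)
```

A finding with an upstream fix triggers a rebuild with a bumped pin, a finding without one is tracked until a fix appears, and a package that does not match the pin list points to a build that was not hermetic.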

How Does Fedora Hummingbird Relate to Fedora Rawhide?

Over 95% of the packages in Fedora Hummingbird images come unchanged from Fedora Rawhide, the rolling development branch of Fedora. The remaining packages are sourced directly from upstream when Rawhide doesn't carry them or the version is too old. The team actively contributes changes back to Fedora Rawhide, ensuring that the wider Fedora ecosystem benefits as well. This relationship makes Fedora Hummingbird a natural extension of the Fedora project, providing a minimal, hardened OS while still drawing on Fedora's robust package base. For comparison, Fedora CoreOS is a minimal host for orchestrated workloads, whereas Fedora Hummingbird targets a broader use case with its distroless, container-native approach.

Who Should Use Fedora Hummingbird and for What Use Cases?

Fedora Hummingbird is ideal for developers and organizations that prioritize security and up-to-date software without the overhead of managing CVEs manually. Its image-based deployment makes it suitable for reproducible environments, CI/CD pipelines, and edge deployments where immutability is valued. Because it runs on both virtual machines and bare metal, it can be used for server workloads, container hosts, or even desktop experimentation—though it's primarily designed for serverless and containerized applications. The rolling nature ensures access to the latest language runtimes and services as soon as they're released. By eliminating the need for a package manager and shell, the distribution reduces attack vectors, making it a strong choice for security-conscious deployments.