Fedora Hummingbird: A Rolling OS with a Security-First Mindset

Welcome to the world of Fedora Hummingbird, a trailblazing Linux distribution unveiled at Red Hat Summit 2026. It takes the innovative container-based model from Project Hummingbird and extends it to the entire operating system, offering a rolling release that stays perpetually up-to-date and secure. Whether you're running in virtual machines, on bare metal, or in the cloud, Fedora Hummingbird delivers a streamlined, image-based workflow that slashes vulnerability management headaches. In this Q&A, we explore what sets it apart, how it achieves near-zero CVEs, and why it might be your next go-to OS for development and production.

What exactly is Fedora Hummingbird?

Fedora Hummingbird is a rolling Fedora Linux distribution built on a container-like, image-based workflow. Announced at Red Hat Summit 2026, it provides access to the latest upstream software as soon as it's available, ensuring you always run the most current and secure versions. Unlike traditional distributions that require full upgrades, Hummingbird uses atomic images that can be deployed on virtual machines, bare metal, or even containers. The key idea is to apply the proven Project Hummingbird model—focused on minimalism and security—all the way down to the host operating system. This means you get a lean, hardened OS that's updated continuously, with minimal attack surface and no package manager bloat in the default runtime.

Fedora Hummingbird: A Rolling OS with a Security-First Mindset — Source: fedoramagazine.org

How does Fedora Hummingbird relate to Project Hummingbird?

Project Hummingbird is the upstream initiative that birthed the core technology behind Fedora Hummingbird. The project's central aim is to ship container images with as close to zero CVE reports as possible and maintain that state continuously. It achieves this through distroless images—stripped of shells and package managers—and hermetic, reproducible builds. Fedora Hummingbird takes this exact approach and expands it from container images to a full operating system. The same pipeline, tooling (like chunkah for incremental updates), and vulnerability scanning (via Syft and Grype) are used to build and maintain the entire OS, not just individual application containers. In essence, Fedora Hummingbird is Project Hummingbird's philosophy applied to the whole stack, from the kernel up.

What does "zero CVE" mean in practice?

The goal of zero CVE (Common Vulnerabilities and Exposures) means that every image—whether a container or the full operating system—should have no known vulnerabilities at the time of shipping. The Fedora Hummingbird pipeline automates the entire life cycle: it continuously monitors upstream security patches, rebuilds images, tests them, and pushes updates. For users, this means you pull a Hummingbird image and skip the tedious manual triage of CVEs. The team's infrastructure has already handled patching and verification. As of now, the Hummingbird catalog shows live CVE status for all 49 base images (157 variants including FIPS and multi-arch). This relentless focus on security reduces the attack surface and frees developers from vulnerability management drudgery.

How are the Fedora Hummingbird images built?

Every image is constructed using a Konflux-based pipeline that enforces fully isolated and reproducible builds from pinned package lists. The build process employs chunkah, a custom Hummingbird tool that calculates minimal diffs so only changed parts of an image are re-downloaded, saving bandwidth and time. Continuous vulnerability scanning with Syft and Gryfe ensures that when an upstream fix lands, the pipeline detects it, rebuilds the affected images, runs tests, and publishes the update. Remarkably, over 95% of the packages come straight from Fedora Rawhide, unmodified. The remaining packages are sourced directly from their upstream projects when Rawhide doesn't yet include them or is too outdated. Hummingbird contributors also feed those changes back into Fedora, strengthening the ecosystem.

How is Fedora Hummingbird different from Fedora CoreOS?

While both are minimal Fedora-based operating systems with automated updates, they serve different purposes. Fedora CoreOS is tailored for orchestrated container workloads, designed primarily for clusters like Kubernetes. It's built to be a lightweight host that runs containers. Fedora Hummingbird, on the other hand, is a full, rolling operating system that inherits the distroless, zero-CVE philosophy from Project Hummingbird. It's not just a host; it's a complete OS that can run on bare metal, VMs, or as a base for development environments. CoreOS focuses on being a minimal host for orchestrated workloads, while Hummingbird emphasizes absolute security and up-to-dateness across the entire system, making it suitable for both development and production scenarios where vulnerability management is paramount.

Can I start using Fedora Hummingbird today?

Absolutely! The foundation for Fedora Hummingbird is already available from the Hummingbird containers repository. You can pull a bootable image right now and run it on your hardware or in a VM. The rolling release model means you'll receive continuous updates just like the container images. Since the OS shares the same pipeline and tooling, you benefit from the same near-zero CVE guarantees and efficient updates via chunkah. Whether you're a developer wanting a clean, secure environment or an operator tired of patching, Fedora Hummingbird is ready for you to explore today.

Tags: