Fedora Hummingbird: A Rolling, Container-Native OS for the Security-Conscious Developer

Posted by u/Lolpro Lab · 2026-05-20 03:05:07

Introducing Fedora Hummingbird

At Red Hat Summit 2026, the team behind Project Hummingbird unveiled Fedora Hummingbird, a cutting-edge rolling Fedora Linux distribution built on a containerized foundation. This new operating system brings the same image-based, distroless workflow that made Hummingbird container images popular directly to the host OS, virtual machines, and bare metal. If you've followed Project Hummingbird's container work or Project Bluefin's OS-level innovations, you already grasp the core philosophy—now applied end-to-end.

Source: fedoramagazine.org

The distribution is already bootable today from the Hummingbird containers repository, providing immediate access to the latest upstream software while maintaining rigorous security standards. Fedora Hummingbird represents a paradigm shift: instead of inheriting vulnerabilities from third-party images, its pipeline handles CVE triage, patching, and rebuilds automatically—eliminating the dreaded "CVE hell."

The Vision Behind Project Hummingbird

Project Hummingbird was born from a single ambitious goal: achieve and sustain near-zero CVE reports in every container image it produces. Every architectural decision—from distroless images and minimal package footprints to hermetic builds and deep pipeline automation—serves that objective. The result? Distroless images contain no package manager, no shell—just the application and its strict runtime dependencies.

Why does this matter? When you pull a typical third-party container image, you inherit its vulnerabilities and assume responsibility for patching them. With Hummingbird, the team's pipeline already triages, patches, and rebuilds continuously. Current CVE status across all images and variants is published live in the Hummingbird catalog.

A Growing Catalog of Hardened Images

Over the past eight months, the Hummingbird team has built a catalog of 49 unique minimal, hardened, distroless container images—spanning 157 variants including FIPS, multi-arch, and more. Supported runtimes cover Python, Go, Node.js, Rust, Ruby, OpenJDK, .NET, PostgreSQL, nginx, and dozens of others. Each image strips away everything except what the application needs, significantly reducing the attack surface.

How It's Built: The Pipeline

The entire infrastructure runs on a Konflux-based pipeline that delivers fully isolated, reproducible builds from pinned package lists. Key innovations include:

  • Chunkah: A custom tool developed by the Hummingbird team that ensures the system re-downloads only changed parts of an image during incremental updates, drastically reducing bandwidth and time.
  • Continuous vulnerability scanning using Syft and Grype. When a patch becomes available upstream, the pipeline detects it, rebuilds the affected images, runs tests, and ships the updated version.
  • 95%+ of packages sourced directly from Fedora Rawhide, unmodified. The remaining packages come from upstream sources when Rawhide doesn't yet carry them or its version isn't new enough, and those changes are contributed back to Fedora.
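
The detect-and-rebuild decision from the scanning step above, as an added example that is not Hummingbird pipeline code: it reads a report in Grype's JSON output shape and separates findings that have an upstream fix (rebuild triggers) from those still waiting on one (triage). The package names, CVE ids and severity threshold are constructed assumptions.

```python
import json

# Constructed sample in the shape of `grype <image> -o json` output; not real scan data.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                       "fix": {"state": "fixed", "versions": ["3.2.1-2"]}},
     "artifact": {"name": "libexample", "version": "3.2.1-1", "type": "rpm"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "Critical",
                       "fix": {"state": "fixed", "versions": ["3.2.1-2"]}},
     "artifact": {"name": "libexample", "version": "3.2.1-1", "type": "rpm"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "High",
                       "fix": {"state": "not-fixed", "versions": []}},
     "artifact": {"name": "otherpkg", "version": "1.0-4", "type": "rpm"}},
    {"vulnerability": {"id": "CVE-0000-0004", "severity": "Low",
                       "fix": {"state": "fixed", "versions": ["2.0-1"]}},
     "artifact": {"name": "thirdpkg", "version": "1.9-7", "type": "rpm"}},
]})

SEVERITY_RANK = {"Unknown": 0, "Negligible": 1, "Low": 2,
                 "Medium": 3, "High": 4, "Critical": 5}


def plan_from_grype(report_json, min_severity="Medium"):
    """Return (rebuild, triage): packages with a published fix, and open findings."""
    threshold = SEVERITY_RANK[min_severity]
    rebuild, triage = {}, []
    for match in json.loads(report_json).get("matches", []):
        vuln = match.get("vulnerability", {})
        art = match.get("artifact", {})
        if SEVERITY_RANK.get(vuln.get("severity", "Unknown"), 0) < threshold:
            continue  # below the policy threshold (assumed: Medium)
        fix = vuln.get("fix") or {}
        pkg = (art.get("name"), art.get("version"))
        if fix.get("state") == "fixed" and fix.get("versions"):
            # A fixed version exists upstream: this package justifies a rebuild.
            entry = rebuild.setdefault(pkg, {"cves": [], "fixed_in": set()})
            entry["cves"].append(vuln.get("id"))
            entry["fixed_in"].update(fix["versions"])
        else:
            # No fix to pull in yet; a rebuild would change nothing, so track it.
            triage.append((vuln.get("id"), pkg[0], fix.get("state", "unknown")))
    return rebuild, triage


if __name__ == "__main__":
    rebuild, triage = plan_from_grype(SAMPLE_REPORT)
    for (name, version), info in rebuild.items():
        print(f"rebuild: {name} {version} -> {sorted(info['fixed_in'])} ({info['cves']})")
    for cve, name, state in triage:
        print(f"triage:  {cve} in {name} (fix state: {state})")
```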

This approach echoes Fedora CoreOS but serves a different niche: CoreOS targets minimal host systems for orchestrated workloads, while Hummingbird focuses on developer-ready, security-first images for both containers and now the full OS.

Why This Matters for Developers

Fedora Hummingbird eliminates the friction of vulnerability management. Developers can pull an image—or boot the OS—knowing the pipeline has already performed CVE triage and patching. It's a self-updating, rolling release that stays current without manual intervention. The same principles that made Hummingbird containers popular now extend to the entire operating system, offering a unified experience from development to production.

For teams building cloud-native applications, this means less time wrestling with dependencies and more time coding. The distroless approach reduces container image sizes, improves startup times, and minimizes attack surfaces—all while maintaining compatibility with the vast Fedora ecosystem (95%+ Rawhide packages).

Getting Started Today

Fedora Hummingbird is already available. You can pull and boot it directly from the Hummingbird containers repository. The rolling release model ensures you always have the latest software as soon as it lands upstream. Whether you're deploying containers, spinning up VMs, or running on bare metal, Fedora Hummingbird delivers a secure, minimal, and continuously updated operating system.

For more details on the technology, check out the Project Hummingbird page or explore the live CVE status at the catalog. The future of Fedora is container-native, rolling, and security-first—and it's ready now.