Darhost

2026-05-14 20:36:54

Fedora Hummingbird: A Rolling, Distroless OS Built from Containers

Fedora Hummingbird is a container-based rolling Linux distribution that applies distroless principles to the host OS, achieving near-zero CVEs through automated pipelines and minimal package footprint.

Fedora Hummingbird, announced at Red Hat Summit 2026, represents a paradigm shift in operating system design. This container-based rolling distribution brings the minimal, secure, and continuously updated model of Project Hummingbird's container images to the full OS, running on bare metal, VMs, or as a container. Below, we answer key questions about this innovative distribution.

What is Fedora Hummingbird?

Fedora Hummingbird is a new, container-based rolling Fedora Linux distribution. It provides immediate access to the latest upstream software, ensuring the OS and its workloads stay current and secure. Unlike traditional distros, it uses an image-based workflow similar to containers, but extends this model to the entire host operating system. You can pull and boot Fedora Hummingbird right now from the Hummingbird containers repository. It's designed to run in virtual machines, on bare metal, or as a container itself. The core philosophy comes from Project Hummingbird: achieve near-zero CVE reports in every shipped artifact. Fedora Hummingbird applies that same approach to the full OS stack, making it ideal for developers and organizations that prioritize security and up-to-date environments without the overhead of traditional package management.

Fedora Hummingbird: A Rolling, Distroless OS Built from Containers
Source: fedoramagazine.org

How is it different from standard Fedora?

Standard Fedora releases are fixed-point releases with a 6-month cycle, using a full package manager (DNF) and a large software set. Fedora Hummingbird is a rolling release, meaning software updates arrive continuously as soon as they're available upstream. It's also distroless: no package manager, no shell, just the application and its strict runtime dependencies. The OS image itself is built from minimal, pinned package lists with hermetic builds. This drastically reduces the attack surface and the number of CVEs to manage. While Fedora CoreOS provides a minimal host for orchestrated containers, Fedora Hummingbird targets a broader use case: it can run containerized or traditional applications directly, all while maintaining a rolling, security-hardened foundation. The build pipeline uses Konflux, Syft, and Grype for continuous vulnerability scanning and automatic rebuilding.

What is Project Hummingbird?

Project Hummingbird is the upstream initiative behind Fedora Hummingbird. Its central goal: eliminate CVE reports from every container image it ships and keep them at zero continuously. To achieve this, the team made architectural decisions including distroless images, minimal package footprints, hermetic builds, and extensive pipeline automation. Over the past eight months, Project Hummingbird has built a catalog of 49 unique minimal, hardened, distroless container images (157 variants including FIPS and multi-arch) covering languages and runtimes like Python, Go, Node.js, Rust, Ruby, OpenJDK, .NET, PostgreSQL, nginx, and many more. When you pull a Hummingbird image, the team's pipeline has already triaged and patched vulnerabilities—so you skip the CVE hell. Current CVE status across all images is published live at the Hummingbird catalog. Fedora Hummingbird extends this same philosophy to the host operating system.

How does it achieve zero CVEs?

Fedora Hummingbird achieves near-zero CVE reports through a multi-layered approach. First, it uses distroless images: no package manager, no shell, only the application and essential runtime libraries. This reduces the attack surface dramatically. Second, the build pipeline (based on Konflux) performs fully isolated, reproducible builds from pinned package lists. Tools like Syft and Grype continuously scan for vulnerabilities. When an upstream fix is released, the pipeline automatically detects it, rebuilds the affected image, runs tests, and ships the update. The team also builds chunkah, a tool that ensures only changed parts of an image are re-downloaded, making updates efficient. Over 95% of packages come directly from Fedora Rawhide, unmodified; the remaining are pulled from upstream when needed and contributed back. This continuous, automated process keeps the OS and its containers consistently patched, freeing operators from manual CVE management.
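The rebuild trigger described above (scan results come in, findings with an upstream fix are separated from those still pending, and only images that can actually be patched are rebuilt) can be illustrated with the following added example. It is not Fedora Hummingbird's, Konflux's, or Grype's own code: the report layout is constructed to mirror Grype's JSON output (`matches[].vulnerability.{id,severity,fix}` and `matches[].artifact`), and the image names and CVE ids are made-up sample values.

```python
"""Rebuild-trigger logic over Grype-style scan results.

Added illustration, not Fedora Hummingbird's or Konflux's own pipeline code.
The report layout is constructed to mirror Grype's JSON output; image names
and CVE ids are placeholder sample values.
"""
import json
from collections import defaultdict

# Constructed sample: one Grype-style report per image in a small catalog.
SAMPLE_REPORTS = {
    "hummingbird/python:3.13": json.dumps({"matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                           "fix": {"versions": ["3.13.2"], "state": "fixed"}},
         "artifact": {"name": "python3", "version": "3.13.1"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "Low",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "glibc", "version": "2.41"}},
    ]}),
    "hummingbird/nginx:1.27": json.dumps({"matches": [
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "Low",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "glibc", "version": "2.41"}},
    ]}),
    "hummingbird/go:1.24": json.dumps({"matches": []}),
}


def fixable_matches(report_json):
    """Return (cve_id, package, fixed_versions) for findings that have an upstream fix."""
    report = json.loads(report_json)
    out = []
    for m in report.get("matches", []):
        vuln = m["vulnerability"]
        fix = vuln.get("fix", {})
        if fix.get("state") == "fixed":
            out.append((vuln["id"], m["artifact"]["name"], tuple(fix.get("versions", []))))
    return out


def rebuild_plan(reports_by_image):
    """Map each image to the fixable CVEs that justify a rebuild; clean or unfixable images are skipped."""
    plan = {}
    for image, report_json in reports_by_image.items():
        fixes = fixable_matches(report_json)
        if fixes:
            plan[image] = sorted({cve for cve, _, _ in fixes})
    return plan


def unfixed_summary(reports_by_image):
    """CVEs with no upstream fix yet, grouped by package, for the manual triage queue."""
    pending = defaultdict(set)
    for report_json in reports_by_image.values():
        for m in json.loads(report_json).get("matches", []):
            if m["vulnerability"].get("fix", {}).get("state") != "fixed":
                pending[m["artifact"]["name"]].add(m["vulnerability"]["id"])
    return {pkg: sorted(ids) for pkg, ids in pending.items()}


if __name__ == "__main__":
    for image, cves in rebuild_plan(SAMPLE_REPORTS).items():
        print(f"rebuild {image}: {', '.join(cves)}")
    for pkg, ids in unfixed_summary(SAMPLE_REPORTS).items():
        print(f"awaiting upstream fix in {pkg}: {', '.join(ids)}")
```

The split between `rebuild_plan` and `unfixed_summary` is the practical point: a rebuild only helps when the fixed package version exists, so findings without a fix go to a triage queue rather than triggering builds that would ship the same vulnerable bits again.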

What does "distroless" mean here?

In the context of Fedora Hummingbird, distroless means the operating system image contains only what is strictly necessary to run the application and its dependencies. There is no package manager (like DNF or apt), no shell (bash, sh), no utility suites—just the application binary and the minimal libraries required for execution. This design choice reduces the attack surface because there are fewer components that can harbor vulnerabilities. It also minimizes the image size and update complexity. For example, a distroless Python image will include only the Python interpreter, the Python standard library, and core Linux libraries (glibc, etc.)—but no shell, no curl, no editors. This approach extends to the Fedora Hummingbird host OS itself: the base system is bare-bones, with additional layers added only when needed for specific workloads. The result is a hardened, lean OS that stays secure by having less code to patch.


How is it built?

Fedora Hummingbird is built using a Konflux-based pipeline that ensures reproducible, hermetic builds. The pipeline starts with pinned package lists—exact versions of every dependency. All builds happen in fully isolated environments, eliminating variations. For incremental updates, the team developed chunkah, a tool that computes differences between images and downloads only changed chunks, speeding up updates dramatically. Every build undergoes continuous vulnerability scanning via Syft (for SBOM generation) and Grype (for CVE detection). When a vulnerability is patched upstream, the pipeline identifies the affected images, triggers a rebuild, runs integration tests, and deploys the updated image. Over 95% of packages come from Fedora Rawhide, unmodified. The remaining packages are sourced directly from upstream when Rawhide doesn't carry the latest version, and contributions are made back to Fedora. This pipeline is the same one used by Project Hummingbird for its container catalog, now extended to the full OS.
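The incremental-update idea attributed to chunkah above (compare the new image's chunk manifest with what the client already holds and download only the changed chunks) can be shown in miniature with the following added example. It is not chunkah's code and makes no claim about chunkah's real algorithm: it uses fixed-size chunks and SHA-256 digests as a stand-in, the image bytes are constructed sample data, and `assemble` adds the check a client should always do, verifying every chunk against the manifest before using it.

```python
"""Chunk-manifest diffing for incremental image updates.

Added illustration of the idea behind chunkah (fetch only changed chunks);
not chunkah's own code. Fixed-size chunking and SHA-256 digests are an
assumption made for the demo; the image bytes are constructed sample data.
"""
import hashlib

CHUNK_SIZE = 16  # tiny for the demo; real chunkers use far larger chunks


def _split(image):
    return [image[i:i + CHUNK_SIZE] for i in range(0, len(image), CHUNK_SIZE)]


def chunk_manifest(image):
    """Ordered list of SHA-256 digests, one per chunk; this is what the registry publishes."""
    return [hashlib.sha256(c).hexdigest() for c in _split(image)]


def chunk_store(image):
    """Content-addressed store (digest -> bytes), as a client keeps for its current image."""
    return {hashlib.sha256(c).hexdigest(): c for c in _split(image)}


def chunks_to_fetch(new_manifest, local_store):
    """Digests named by the new manifest that the client does not already hold (deduplicated, in order)."""
    return [d for d in dict.fromkeys(new_manifest) if d not in local_store]


def assemble(new_manifest, local_store, fetched):
    """Rebuild the image, verifying every chunk (local or fetched) against the manifest digest."""
    out = bytearray()
    for digest in new_manifest:
        data = local_store.get(digest, fetched.get(digest))
        if data is None:
            raise KeyError(f"missing chunk {digest[:12]}")
        if hashlib.sha256(data).hexdigest() != digest:
            raise ValueError(f"chunk {digest[:12]} failed integrity check")
        out += data
    return bytes(out)


# Constructed sample images: v2 replaces the second chunk and appends a fifth one.
IMAGE_V1 = b"".join(bytes([i]) * CHUNK_SIZE for i in range(1, 5))  # 4 chunks
IMAGE_V2 = (IMAGE_V1[:CHUNK_SIZE] + b"\xff" * CHUNK_SIZE
            + IMAGE_V1[2 * CHUNK_SIZE:] + b"\x05" * CHUNK_SIZE)      # 5 chunks


def update_demo():
    """Return (chunks fetched, bytes transferred) for updating v1 -> v2."""
    local = chunk_store(IMAGE_V1)
    manifest_v2 = chunk_manifest(IMAGE_V2)
    needed = chunks_to_fetch(manifest_v2, local)
    registry = chunk_store(IMAGE_V2)  # stands in for the remote registry
    fetched = {d: registry[d] for d in needed}
    assert assemble(manifest_v2, local, fetched) == IMAGE_V2
    return len(needed), sum(len(fetched[d]) for d in needed)


def tampered_chunk_rejected():
    """A chunk altered in transit must be rejected even when served under the right digest."""
    local = chunk_store(IMAGE_V1)
    manifest_v2 = chunk_manifest(IMAGE_V2)
    needed = chunks_to_fetch(manifest_v2, local)
    fetched = {d: b"\x00" * CHUNK_SIZE for d in needed}  # wrong bytes, right keys
    try:
        assemble(manifest_v2, local, fetched)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    n, size = update_demo()
    print(f"v1 -> v2: fetched {n} of {len(chunk_manifest(IMAGE_V2))} chunks ({size} of {len(IMAGE_V2)} bytes)")
    print("tampered chunk rejected:", tampered_chunk_rejected())
```

Only the two changed chunks out of five travel over the wire. The integrity check in `assemble` matters as much as the bandwidth saving: a client that trusts whatever bytes arrive under a given digest would let a compromised mirror or on-path tampering change the image, so every chunk is re-hashed against the manifest the client already trusts.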

How does it relate to Fedora CoreOS?

Fedora Hummingbird and Fedora CoreOS share a common heritage in container-based OS design, but they serve different use cases. Fedora CoreOS is a minimal, automatically updating host for running orchestrated containers (like Kubernetes). It provides a small-footprint OS with tooling for atomic updates and rollbacks, but it still includes a package manager (rpm-ostree) and a selection of system utilities. Fedora Hummingbird goes further: it adopts the distroless model from Project Hummingbird, eliminating the package manager entirely and stripping the OS down to only what's needed for the application. It's a rolling release, continuously integrating the latest upstream software. While CoreOS is ideal for container orchestration environments, Fedora Hummingbird is designed for developers and operators who want a minimal, secure, and always-up-to-date OS for any workload—containerized or not. Both are rolling and image-based, but Fedora Hummingbird takes minimalism to the extreme by removing even the shell and package manager from the base.