Fedora Hummingbird Q&A: Container-Based Rolling Linux for Zero CVE Management

Welcome to our comprehensive Q&A on Fedora Hummingbird, a groundbreaking new rolling Fedora Linux distribution announced at Red Hat Summit 2026. Built on the principles of Project Hummingbird, this image-based OS extends the distroless container model to the entire system, aiming for near-zero Common Vulnerabilities and Exposures (CVEs). Below, we answer the most pressing questions about how it works, why it matters, and how you can get started today.

What exactly is Fedora Hummingbird?

Fedora Hummingbird is a container-based rolling release of Fedora Linux. Unlike traditional distributions that update major versions periodically, Hummingbird delivers the latest upstream software continuously, ensuring your system stays both current and secure. It primarily uses an image-based workflow similar to containers, but it can also run in virtual machines or directly on bare metal. The key innovation is applying Project Hummingbird’s container image model—already proven for minimal, hardened images—to the host operating system itself. This means the entire OS is built, updated, and managed like a container, with all the benefits of hermetic builds, minimal footprints, and automated vulnerability handling. The foundation ships today from the Hummingbird containers repository and is ready to boot right now.

Source: fedoramagazine.org

What is Project Hummingbird and how does it relate to this OS?

Project Hummingbird is the upstream initiative behind Fedora Hummingbird. Its core mission is to achieve and maintain near-zero CVE reports across every container image it ships. The project makes every architectural decision—like using distroless images, minimal package sets, hermetic builds, and extensive pipeline automation—in service of that goal. Fedora Hummingbird extends this philosophy from individual containers to the full operating system. So when you use Fedora Hummingbird, you inherit the same rigorous CVE triage, patching, and rebuild processes that the project applies to its container catalog. The result: you skip “CVE hell” because the team’s pipeline has already handled vulnerability detection and remediation before the image reaches you. Current CVE status across all variants is published live at the Hummingbird catalog.

How does Fedora Hummingbird achieve near-zero CVEs?

The secret lies in a fully automated Konflux-based pipeline. This pipeline uses isolated, reproducible builds from pinned package lists. Every package is vetted: over 95% come directly from Fedora Rawhide unmodified, while the remainder are sourced from upstream when Rawhide is insufficient—and then contributed back to Fedora. Continuous vulnerability scanning is performed with Syft and Grype. When an upstream fix is released, the pipeline automatically finds it, rebuilds the affected images, runs tests, and ships the update. Efficient incremental updates are handled by a custom tool called chunkah, which ensures only changed parts of an image are re-downloaded. This near-real-time cycle keeps CVE exposure to a minimum. The result is a distribution where you rarely need to manually patch or worry about inherited vulnerabilities—the system takes care of it.
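The scan-then-rebuild decision described above can be sketched as a triage over Grype's JSON report. This is an added example, not code from Project Hummingbird or its Konflux pipeline; the report is constructed, the CVE ids and package names are placeholders, and the `triage` and `needs_rebuild` helpers are hypothetical names.

```python
import json
from collections import defaultdict

# Constructed sample shaped like `grype <image> -o json` output.
# CVE ids, package names and versions are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                       "fix": {"versions": ["3.2.1"], "state": "fixed"}},
     "artifact": {"name": "examplelib", "version": "3.2.0", "type": "rpm"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "Medium",
                       "fix": {"versions": ["3.2.2"], "state": "fixed"}},
     "artifact": {"name": "examplelib", "version": "3.2.0", "type": "rpm"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Critical",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "exampled", "version": "1.0", "type": "rpm"}},
    # A match with no fix block at all must not crash the triage.
    {"vulnerability": {"id": "CVE-0000-0004", "severity": "Low"},
     "artifact": {"name": "exampletool", "version": "0.9", "type": "rpm"}},
]})


def triage(report_json):
    """Return (rebuild, waiting): findings a rebuild can close vs. ones with no fix yet."""
    rebuild = defaultdict(lambda: {"ids": set(), "fixed_in": set()})
    waiting = defaultdict(set)
    for match in json.loads(report_json).get("matches", []):
        vuln = match.get("vulnerability", {})
        art = match.get("artifact", {})
        key = (art.get("name", "?"), art.get("version", "?"))
        fix = vuln.get("fix") or {}
        if fix.get("state") == "fixed" and fix.get("versions"):
            rebuild[key]["ids"].add(vuln.get("id"))
            rebuild[key]["fixed_in"].update(fix["versions"])
        else:
            waiting[key].add(vuln.get("id"))
    return (
        {k: {"ids": sorted(v["ids"]), "fixed_in": sorted(v["fixed_in"])}
         for k, v in rebuild.items()},
        {k: sorted(v) for k, v in waiting.items()},
    )


def needs_rebuild(report_json):
    """True when at least one finding has a published fix to pick up."""
    return bool(triage(report_json)[0])


if __name__ == "__main__":
    fixable, pending = triage(SAMPLE_REPORT)
    print("rebuild for:", fixable)
    print("waiting on upstream:", pending)
```

Findings left in the waiting set are the ones a rebuild cannot close yet, which is the residual exposure a "near-zero" claim has to account for.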

What are distroless images and why are they important?

Distroless images contain only the application and its strict runtime dependencies—no package manager, no shell, no unnecessary tools. Project Hummingbird pioneered this approach for containers, and Fedora Hummingbird applies it to the host OS. Why does this matter? When you pull a typical third-party image, you inherit all the vulnerabilities from every included package and utility. With distroless, the attack surface is drastically reduced because there’s simply less code to exploit. Additionally, the absence of a package manager means you can’t accidentally install vulnerable software later. The Hummingbird pipeline builds each image from scratch with exactly the required packages, eliminating bloat and ensuring every component is accounted for. This minimal footprint also speeds up deployment and reduces storage requirements.
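One way to check that "every component is accounted for" is to audit an image's Syft SBOM against the pinned package list and a denylist of shells and package managers. This is an added example, not the project's tooling; the `name==version` pin format, the `FORBIDDEN` set, the `audit` helper and all sample package names and versions are assumptions constructed for illustration.

```python
import json

# Assumption: tools a distroless image should not carry (illustrative list only).
FORBIDDEN = {"bash", "dash", "zsh", "busybox", "dnf", "dnf5",
             "microdnf", "yum", "rpm", "apt", "apk-tools"}

# Constructed pin list in a hypothetical "name==version" format.
SAMPLE_PINS = """\
# runtime dependencies only
examplelibc==2.0
examplessl==3.5.0
exampleapp==1.4.2
"""

# Constructed SBOM shaped like `syft <image> -o json` (artifacts[].name/version).
SAMPLE_SBOM = json.dumps({"artifacts": [
    {"name": "examplelibc", "version": "2.0", "type": "rpm"},
    {"name": "examplessl", "version": "3.4.9", "type": "rpm"},
    {"name": "bash", "version": "5.2", "type": "rpm"},
]})


def parse_pins(text):
    """Parse 'name==version' lines, ignoring blanks and '#' comments."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, _, version = line.partition("==")
            pins[name.strip()] = version.strip()
    return pins


def audit(sbom_json, pins_text):
    """Compare what the image contains with what the pin list says it should."""
    pins = parse_pins(pins_text)
    found = {a["name"]: a.get("version", "")
             for a in json.loads(sbom_json).get("artifacts", [])}
    return {
        "forbidden": sorted(n for n in found if n in FORBIDDEN),
        "unpinned": sorted(n for n in found if n not in pins),
        "version_drift": sorted((n, pins[n], v) for n, v in found.items()
                                if n in pins and pins[n] != v),
        "missing": sorted(n for n in pins if n not in found),
    }


if __name__ == "__main__":
    for finding, items in audit(SAMPLE_SBOM, SAMPLE_PINS).items():
        print(f"{finding}: {items}")
```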

What types of images are already available?

Over the past eight months, the Project Hummingbird team has built a catalog of 49 unique minimal, hardened, distroless container images—totaling 157 variants when including FIPS and multi-architecture versions. These cover popular runtimes and applications: Python, Go, Node.js, Rust, Ruby, OpenJDK, .NET, PostgreSQL, nginx, and dozens more. Each variant is continuously scanned, patched, and rebuilt. Fedora Hummingbird builds on this foundation, packaging those same principles into a full operating system image. So if you need a minimal, secure base for a web server, database, or microservice, you can pull a Hummingbird container image. If you need a complete OS that lives by those same rules, Fedora Hummingbird delivers that experience.

How does Fedora Hummingbird differ from Fedora CoreOS?

Both projects share a common lineage—they use image-based updates and leverage Fedora—but they serve different use cases. Fedora CoreOS is designed as a minimal host for orchestrated container workloads, typically managed by Kubernetes or other schedulers. It includes a package manager for occasional customization. Fedora Hummingbird, on the other hand, targets anyone who wants a rolling, security-hardened desktop or server that is updated continuously and has no package manager by default. It is distroless from the ground up, meaning the entire OS is just what’s needed to run applications. CoreOS focuses on cluster readiness; Hummingbird focuses on zero CVE across the stack, including the kernel and user space.

Can I try Fedora Hummingbird right now?

Absolutely! The foundation for Fedora Hummingbird already ships today from the Hummingbird containers repository. You can pull and boot it immediately. The rolling release model ensures you always have the latest updates without manual intervention. Installation methods vary: you can run it as a container, spin up a virtual machine, or install it on bare metal using the provided images. Detailed instructions are available on the project’s website. Since it’s rolling, expect continuous improvements—the team is actively adding more base images and refining the pipeline. Jump in and experience the future of secure, minimal Linux.
