Fedora Hummingbird: A Rolling Release Built on Security-First Containers

Fedora Hummingbird is a groundbreaking Linux distribution from Red Hat that reimagines operating system security by shipping the entire OS as an OCI container image. It leverages the security-first pipeline originally developed for Project Hummingbird’s container catalog, automatically patching vulnerabilities as soon as upstream fixes are available. This rolling release tracks Fedora Rawhide closely, uses a dedicated Konflux build pipeline, and offers atomic updates with rollback support. Below, we answer the most common questions about this hardened distro.

What is Fedora Hummingbird and how does it differ from standard Fedora?

Fedora Hummingbird is a new rolling release distribution that ships the entire operating system as an OCI image, built on the security-first pipeline behind Project Hummingbird’s container catalog. Unlike standard Fedora which follows a fixed six-month release cycle, Hummingbird tracks Fedora Rawhide continuously. It uses a Konflux-based build pipeline, drawing over 95% of its packages from Rawhide and pulling the rest from upstream sources. Any fixes made along the way are fed back into the Fedora project. The goal is to maintain a near-zero CVE status by automatically rebuilding images when upstream patches become available. This makes it radically different from Fedora’s traditional releases, offering a constantly updated, hardened environment aimed at developers and cloud-native workloads rather than desktop users.

How does the security-first pipeline work?

The pipeline is inspired by Project Hummingbird’s container catalog, which Red Hat introduced as an early access program for subscribers in November 2025. The core idea is to ship minimal, hardened, distroless container images kept at near-zero CVE status. When a vulnerability is patched upstream, the build pipeline automatically detects it, rebuilds the affected image, and deploys the update. For Fedora Hummingbird, the same logic is applied to a full operating system. Red Hat’s Product Security team maintains a vulnerability feed for each package, providing a clearer picture of what actually affects your setup rather than a generic CVE list. This per-package tracking allows the pipeline to react immediately to emerging threats, ensuring that Hummingbird stays one step ahead of exploits.

How does Fedora Hummingbird compare to Fedora Atomic Desktops like Silverblue?

While both are immutable distributions, they target very different use cases. Fedora Atomic Desktops—Silverblue, Kinoite, and others—are rpm-ostree-based desktop variants built from the standard Fedora package set and released on the regular six-month cycle. They are designed for end users who want a stable, immutable desktop experience. Fedora Hummingbird, on the other hand, ships no desktop environment. It is a rolling release that directly tracks Fedora Rawhide, built through its own dedicated pipeline where every package carries independent CVE tracking and its own lifecycle. The target audience is developers and cloud-native workloads, not desktop users. Additionally, Hummingbird’s atomic updates come with rollback support, a read-only root filesystem, and writable state confined to /var and /etc, mirroring container-like behavior.

What kernel does Fedora Hummingbird use?

Fedora Hummingbird is powered by the Always Ready Kernel (ARK) from the CKI (Continuous Kernel Integration) project. ARK follows the mainline Linux kernel closely and is already used in other Fedora editions. This choice ensures that Hummingbird benefits from the latest kernel improvements, security patches, and hardware support as soon as they are available upstream. The CKI project’s rigorous testing pipeline further guarantees stability, making ARK a solid foundation for a security-focused, rolling release distribution.

What are the key system characteristics of Fedora Hummingbird?

The distribution is built with several distinctive features to enhance security and reliability. All updates are atomic with full rollback support, meaning you can revert to a previous state if an update causes issues. The root filesystem is mounted read-only, preventing unauthorized modifications to system files. Writable state is limited to /var and /etc, following best practices from containerized environments. This design minimizes the attack surface and ensures that system integrity is maintained. Combined with the automated vulnerability patching pipeline, these characteristics make Fedora Hummingbird one of the most hardened Linux distributions available.

Who is Fedora Hummingbird intended for?

Fedora Hummingbird is explicitly designed for developers and cloud-native workloads, not for general desktop use. It ships no desktop environment, making it ideal for running containerized applications, server deployments, or as a base for building custom, minimal images. The rolling release model and per-package CVE tracking appeal to DevOps teams and security-conscious users who need immediate access to the latest patches and features. Because it is still experimental and not production-ready, it is best suited for testing, development, and evaluation in non-critical environments.

How can I download and try Fedora Hummingbird? Is it production-ready?

Fedora Hummingbird images are available for download on the x86_64 and aarch64 platforms. No subscription or registration is required. However, the project is currently experimental and not suitable for production use. The download page includes step-by-step instructions for setting up a virtual machine. The source code lives on GitLab and is open for contributions. This early access gives the community a chance to test the concept, provide feedback, and help shape the future of this hardened rolling release distribution.