Fedora Hummingbird: A New Hardened Rolling Release for Cloud-Native Workloads
In an era where Linux vulnerabilities emerge frequently, Red Hat introduces Fedora Hummingbird—a rolling release distribution built for maximum security. Entirely shipped as an OCI image, it leverages a security-first pipeline to maintain near-zero CVEs. This Q&A explores how Hummingbird works, its unique features, and how it compares to other Fedora variants.
What is Fedora Hummingbird and how is it different from standard Fedora?
Fedora Hummingbird is a new rolling release Linux distribution that ships the entire operating system as an OCI container image. Unlike standard Fedora, which follows a fixed release cycle, Hummingbird tracks Fedora Rawhide continuously. It is built on the security-first pipeline from Red Hat's Project Hummingbird, which began as an early access program for subscribers in November 2025. The distribution targets developers and cloud-native workloads, not desktop users. It offers atomic updates with rollback, a read-only root filesystem, and writable state confined to /var and /etc. Standard Fedora uses a traditional package manager and release cycle, whereas Hummingbird's image-based approach is designed for immutable, hardened infrastructure.

How does Fedora Hummingbird achieve near-zero CVE status?
The core of Fedora Hummingbird's security is its Konflux-based build pipeline. Each package includes independent CVE tracking and a dedicated lifecycle managed by Red Hat's Product Security team. Instead of a generic CVE list, users receive a vulnerability feed specific to each package, clarifying which issues actually affect their setup. When an upstream vulnerability is patched, the pipeline automatically detects it, rebuilds the affected image, and ships the fix. This continuous, automated process keeps the distribution's CVE count as close to zero as possible, even for a full-sized operating system.
What build pipeline and package sources does Fedora Hummingbird use?
Fedora Hummingbird uses a dedicated Konflux build pipeline. Over 95% of its packages come from Fedora Rawhide, the development branch of Fedora. For any packages not yet available in Rawhide, the pipeline pulls directly from upstream sources. Furthermore, any fixes or improvements made during this process are contributed back to Fedora, strengthening the entire ecosystem. This approach ensures a continuous flow of the latest software while maintaining a tightly controlled, secure build environment.
How does Fedora Hummingbird handle updates and system state?
All updates in Fedora Hummingbird are atomic, meaning they are applied as a whole unit. If an update fails or causes issues, the system can instantly roll back to the previous state. The root filesystem is mounted read-only to prevent unauthorized changes, while writable state is stored exclusively in /var and /etc. This design enhances security and stability, as the core system remains immutable. The atomic update mechanism, combined with automated rebuilding upon vulnerability patches, ensures that the system stays current and resilient with minimal manual intervention.
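
One way to verify the layout described above on a running host, as an added example that is not code from the Hummingbird project: a shell function that audits a /proc/mounts-format table for a read-only root and flags writable mounts outside /var and /etc. The function names, the pseudo-filesystem exemption list and both sample tables are assumptions constructed for illustration.

```shell
# Assumed exemption list: pseudo-filesystems that hold no persistent state.
PSEUDO_FS="proc sysfs devtmpfs devpts tmpfs cgroup2 securityfs debugfs tracefs mqueue bpf pstore configfs"

# audit_mounts: reads a /proc/mounts-format table on stdin, prints findings,
# and returns 0 when the layout complies, 1 otherwise.
audit_mounts() {
    awk -v pseudo="$PSEUDO_FS" '
    function has_opt(list, want,   a, k, m) {
        m = split(list, a, ",")
        for (k = 1; k <= m; k++) if (a[k] == want) return 1
        return 0
    }
    function allowed(mp) { return mp == "/var" || mp == "/etc" || mp ~ /^\/(var|etc)\// }
    BEGIN { n = split(pseudo, p, " "); for (i = 1; i <= n; i++) skip[p[i]] = 1 }
    # Stacked mounts: a later line shadows an earlier one, so keep the last.
    NF >= 4 { fstype[$2] = $3; opts[$2] = $4 }
    END {
        bad = 0
        if (!has_opt(opts["/"], "ro")) { print "FAIL / is missing or not mounted read-only"; bad = 1 }
        for (mp in opts) {
            if (mp == "/" || (fstype[mp] in skip) || allowed(mp)) continue
            if (has_opt(opts[mp], "rw")) { print "FAIL writable mount outside /var and /etc: " mp; bad = 1 }
        }
        if (!bad) print "OK read-only root, writable state confined to /var and /etc"
        exit bad
    }'
}

# Constructed sample tables (not captured from a real system).
sample_hardened() { cat <<'EOF'
rootfs / rootfs rw 0 0
/dev/vda3 / xfs ro,seclabel,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
/dev/vda3 /etc xfs rw,seclabel,relatime 0 0
/dev/vda3 /var xfs rw,seclabel,relatime 0 0
EOF
}
sample_drifted() { cat <<'EOF'
/dev/vda3 / xfs rw,relatime 0 0
/dev/vda3 /var xfs rw,relatime 0 0
/dev/vdb1 /opt ext4 rw,relatime 0 0
EOF
}

sample_hardened | audit_mounts
sample_drifted | audit_mounts || true   # reports / and /opt
```

On a live host, run `audit_mounts < /proc/self/mounts` and review any extra writable mount it reports against your own policy.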

What kernel powers Fedora Hummingbird?
Fedora Hummingbird uses the Always Ready Kernel (ARK) from the Continuous Kernel Integration (CKI) project. This kernel follows the mainline Linux kernel closely and is already present in other Fedora distributions. By leveraging ARK/CKI, Hummingbird benefits from the latest kernel features, security fixes, and hardware support. The choice of a rolling kernel aligns with the distribution's rolling release model, ensuring that users always have access to cutting-edge kernel improvements without waiting for a new release cycle.
How is Fedora Hummingbird different from Fedora Atomic desktops like Silverblue?
Fedora Atomic desktops (Silverblue, Kinoite, etc.) are rpm-ostree-based immutable variants built from the standard Fedora package set on a six-month release cycle. They target end users seeking a stable, immutable desktop experience. In contrast, Fedora Hummingbird is a rolling release with no desktop environment, tracking Fedora Rawhide directly. It uses a dedicated build pipeline where each package has independent CVE tracking and lifecycle management. The target audience for Hummingbird is developers and cloud-native workloads requiring a hardened, minimal, and frequently updated operating system—not desktop users.
How can I download and try Fedora Hummingbird?
Fedora Hummingbird is currently experimental and not production-ready. It is available for download on x86_64 and aarch64 platforms with no subscription or registration needed. The project's source code is hosted on GitLab, open for contributions. The download page includes step-by-step instructions for setting up a virtual machine. You can start exploring its security features and rolling updates immediately. Keep in mind that as an experimental release, it is best suited for testing and development environments.