
I am installing Ros2 on my Ubuntu PC and want to make sure the installation steps won't affect my PC. In particular, what does this command actually do?

echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/ros-archive-keyring.gpg] http://packages.ros.org/ros2/ubuntu $(. /etc/os-release && echo $UBUNTU_CODENAME) main" | sudo tee /etc/apt/sources.list.d/ros2.list > /dev/null

Please break it down for me.

2 Answers


The overall command echo "..." | sudo tee /etc/apt/sources.list.d/ros2.list > /dev/null writes some content into the /etc/apt/sources.list.d/ros2.list file. It uses this structure because typically you need to be root to create or modify files in /etc/apt/sources.list.d, and echo ... | sudo tee ... is a common way to avoid the permission errors that arise with sudo echo ... > ....

Now for the content being written:

deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/ros-archive-keyring.gpg] http://packages.ros.org/ros2/ubuntu $(. /etc/os-release && echo $UBUNTU_CODENAME) main

This uses command substitution $(…) twice, where the entirety of $(…) is replaced with output of the commands inside it.

  1. The first use is for dpkg --print-architecture, which prints the default architecture of your Ubuntu installation. So this part will be replaced with something like amd64, arm64, etc.
  2. The second use is . /etc/os-release && echo $UBUNTU_CODENAME. This is a way to print the codename associated with an Ubuntu release (focal, jammy, noble, etc.). The /etc/os-release file contains various variables in a shell-friendly format with details of the OS, like OS family, version, code name, etc.

All told, the content will reduce to something like:

deb [arch=amd64 signed-by=/usr/share/keyrings/ros-archive-keyring.gpg] http://packages.ros.org/ros2/ubuntu jammy main

This is a sources.list entry which is restricted to the default architecture (so if you're on amd64 and also added i386, this repo will only be used for amd64), and uses a specific signing key.

It's a fairly normal sources.list entry. But the whole point of the command is that it will affect your PC. Adding a software source is a significant change. If tomorrow this repo adds packages like bash or gnome-shell, those might well end up overriding the corresponding packages in the Ubuntu repos and getting installed on your system. Not likely, but it could happen.

  • so at the end the command will add a software source ? what is this software? or else what is the final goal of the command?
    – Sam
    Commented Jul 9 at 10:41
  • Yes, it will add a software source (a repository), and that is the only goal of this command. You'll have to inspect the repository yourself to see what's in it. Presumably it will be Ros2 and related software, but it could be something else.
    – muru
    Commented Jul 9 at 10:43
  • is that software specified by: packages.ros.org/ros2/ubuntu jammy?
    – Sam
    Commented Jul 9 at 10:44
  • And the architecture. So the list of packages for amd64, for example, will be packages.ros.org/ros2/ubuntu/dists/jammy/main/binary-amd64/…
    – muru
    Commented Jul 9 at 10:47
  • what is the repository that will be installed and where?
    – Sam
    Commented Jul 9 at 12:08
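To make the breakdown in this answer concrete, here is an added example (not code from the question, the answer, or the ROS project) that takes the already-expanded entry apart field by field, derives the InRelease and Packages URLs apt will fetch from it, and runs the two checks a person would want before apt update: that the arch= restriction covers this host, and that the signed-by keyring is present in the binary format a .gpg name implies. The ROS_LINE value is the expanded form shown in the answer; the function names are this example's own.

```shell
#!/bin/sh
# Added example: dissect a one-line apt source entry and derive what apt fetches from it.

# The entry as it looks after both $(...) substitutions ran on an amd64 jammy system.
ROS_LINE='deb [arch=amd64 signed-by=/usr/share/keyrings/ros-archive-keyring.gpg] http://packages.ros.org/ros2/ubuntu jammy main'

# deb_field ENTRY FIELD
# FIELD is type, url, suite, components, or any [option] name such as arch or signed-by.
# Returns 1 when an option is requested that the entry does not carry.
deb_field() {
  local entry field type rest opts url suite comps kv
  entry=$1; field=$2
  type=${entry%% *}
  rest=${entry#* }
  opts=""
  # Options sit in [...] directly after the type; strip them before splitting the rest.
  if [ "${rest#\[}" != "$rest" ]; then
    opts=${rest%%]*}
    opts=${opts#\[}
    rest=${rest#*] }
  fi
  url=${rest%% *}
  rest=${rest#* }
  suite=${rest%% *}
  # With no components the suite is the last word and "${rest#* }" leaves it untouched.
  if [ "$suite" = "$rest" ]; then comps=""; else comps=${rest#* }; fi
  case $field in
    type) printf '%s\n' "$type" ;;
    url) printf '%s\n' "$url" ;;
    suite) printf '%s\n' "$suite" ;;
    components) printf '%s\n' "$comps" ;;
    *)
      for kv in $opts; do
        case $kv in "$field="*) printf '%s\n' "${kv#*=}"; return 0 ;; esac
      done
      return 1 ;;
  esac
}

# release_url ENTRY: the InRelease file apt downloads on apt update and verifies
# against the signed-by keyring before trusting any index it lists.
release_url() {
  printf '%s/dists/%s/InRelease\n' "$(deb_field "$1" url)" "$(deb_field "$1" suite)"
}

# index_url ENTRY COMPONENT: the Packages index apt reads for the entry's architecture.
index_url() {
  printf '%s/dists/%s/%s/binary-%s/Packages\n' \
    "$(deb_field "$1" url)" "$(deb_field "$1" suite)" "$2" "$(deb_field "$1" arch)"
}

# keyring_format PATH: prints missing | armored | binary. A file named *.gpg is expected
# to be a binary OpenPGP keyring; an ASCII-armored export under that name is not usable
# by apt, so it is flagged here (assumption: the armor header is what distinguishes it).
keyring_format() {
  if [ ! -r "$1" ]; then echo missing; return 1; fi
  if head -c 64 "$1" | grep -q -- '-----BEGIN PGP'; then echo armored; return 1; fi
  echo binary
}

# check_entry ENTRY HOST_ARCH: fail when arch= does not cover this host, which would
# make apt skip the repository entirely.
check_entry() {
  local want
  want=$(deb_field "$1" arch) || { echo "no arch= option, entry applies to every architecture"; return 0; }
  if [ "$want" != "$2" ]; then
    echo "arch=$want does not match host architecture $2" >&2
    return 1
  fi
  echo "arch=$want matches host"
}

# Stand-alone run: the same checks a person would do by hand before apt update.
main() {
  local arch
  arch=$(dpkg --print-architecture 2>/dev/null || echo amd64)   # fallback off Debian-based systems
  check_entry "$ROS_LINE" "$arch" || echo "entry would be ignored on this host"
  echo "release file:  $(release_url "$ROS_LINE")"
  echo "package index: $(index_url "$ROS_LINE" main)"
  echo "keyring:       $(keyring_format "$(deb_field "$ROS_LINE" signed-by)")"
}
main
```

The index URL it derives is the one muru gives in the comments above; the arch check matters because apt does not warn when an arch-restricted entry simply matches nothing on the host.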

When you run apt update, you see some output like this:

Get:1 http://archive.ubuntu.com/ubuntu focal InRelease [265 kB]
Get:2 http://security.ubuntu.com/ubuntu focal-security InRelease [128 kB]
Get:3 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages [3758 kB]
Get:4 http://archive.ubuntu.com/ubuntu focal-updates InRelease [128 kB]
Get:5 http://archive.ubuntu.com/ubuntu focal-backports InRelease [128 kB]
Get:6 http://archive.ubuntu.com/ubuntu focal/restricted amd64 Packages [33.4 kB]
Get:7 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages [11.3 MB]
Get:8 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages [1245 kB]  
Get:9 http://security.ubuntu.com/ubuntu focal-security/multiverse amd64 Packages [30.9 kB]
Get:10 http://security.ubuntu.com/ubuntu focal-security/restricted amd64 Packages [3733 kB]
Get:11 http://archive.ubuntu.com/ubuntu focal/multiverse amd64 Packages [177 kB]             
Get:12 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages [1275 kB]
Get:13 http://archive.ubuntu.com/ubuntu focal-updates/restricted amd64 Packages [3882 kB]
Get:14 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages [4230 kB]
Get:15 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages [1530 kB]
Get:16 http://archive.ubuntu.com/ubuntu focal-updates/multiverse amd64 Packages [33.5 kB]
Get:17 http://archive.ubuntu.com/ubuntu focal-backports/universe amd64 Packages [28.6 kB]
Get:18 http://archive.ubuntu.com/ubuntu focal-backports/main amd64 Packages [55.2 kB]

In this stage, apt is simply downloading information from repositories (not to be confused with Git repositories—you won't find these on GitHub) about what packages are available. Then, when you run apt install foo, apt searches the information from each of these repositories to find which has the most up-to-date version of the package foo, then downloads it from the source configured there. In summary, you have multiple repositories configured, each providing any number of packages. Apt searches all of them for the most up-to-date version of packages you request.

By running the command you showed, you are creating a new file in /etc/apt/sources.list.d—where apt looks to find what repositories are accessible—to add http://packages.ros.org/ros2/ubuntu as a trusted repository. This means that you'll see another line mentioning that URL in the apt update output.

You've now trusted the packages provided by that repository that are cryptographically signed by the key at /usr/share/keyrings/ros-archive-keyring.gpg to be installed on your system (this is why it doesn't matter that you're using HTTP instead of HTTPS—verification is provided separately). The purpose of this repository is to provide packages that Ubuntu doesn't provide itself—all of those in ROS2. However, a malicious holder of that key could also publish a malicious package, possibly masquerading as an actual Ubuntu package. You're trusting the OSRF Infrastructure Team to not do so.

If you don't trust them, consider installing in a virtual machine or Docker environment.
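Both answers raise the same caveat: a third-party repository can ship a package with the same name as an Ubuntu one, and apt will normally pick whichever version is higher. Here is an added example (not code from either answer or from the ROS project) showing how to check for that and contain it: it parses Packages index stanzas, reports every name the third-party repository shares with Ubuntu together with both versions, and emits an apt_preferences(5) pin that keeps Ubuntu's versions preferred. The index excerpts are constructed for the example; the "bash" stanza in the third-party index is hypothetical and is there only to produce a collision.

```shell
#!/bin/sh
# Added example: find package names a third-party apt repository shares with Ubuntu's
# own indexes (what it could override), and pin it below Ubuntu's priority.

# Constructed Ubuntu "Packages" index excerpt (real indexes carry many more fields).
UBUNTU_PACKAGES='Package: bash
Version: 5.1-6ubuntu1
Architecture: amd64

Package: libboost-dev
Version: 1.74.0.3ubuntu7
Architecture: amd64
'

# Constructed third-party index. The "bash" stanza is hypothetical, included to show a
# collision; the ROS package name and version are illustrative only.
THIRD_PARTY_PACKAGES='Package: ros-humble-ros-base
Version: 0.10.0-1
Architecture: amd64

Package: bash
Version: 5.2-1
Architecture: amd64
'

# index_names: read an index on stdin, print "name version" for every stanza.
# Stanzas are blank-line separated, which is awk's paragraph mode (RS="").
index_names() {
  awk -v RS= '{
    name = ""; ver = ""
    n = split($0, lines, "\n")
    for (i = 1; i <= n; i++) {
      if (lines[i] ~ /^Package: /) name = substr(lines[i], 10)
      else if (lines[i] ~ /^Version: /) ver = substr(lines[i], 10)
    }
    if (name != "") print name, ver
  }'
}

# version_of INDEX_TEXT NAME: the version that index offers for NAME (empty if absent).
version_of() {
  printf '%s' "$1" | index_names | awk -v n="$2" '$1 == n { print $2 }'
}

# overlapping_packages UBUNTU_TEXT THIRD_PARTY_TEXT: names present in both indexes.
overlapping_packages() {
  local ours theirs
  ours=$(printf '%s' "$1" | index_names | awk '{ print $1 }' | sort -u)
  theirs=$(printf '%s' "$2" | index_names | awk '{ print $1 }' | sort -u)
  printf '%s\n%s\n' "$ours" "$theirs" | sort | uniq -d
}

# overlap_report: one line per shared name with both versions, so you can see which
# side apt would pick (without a pin, the higher version wins wherever it comes from).
overlap_report() {
  local name
  for name in $(overlapping_packages "$UBUNTU_PACKAGES" "$THIRD_PARTY_PACKAGES"); do
    printf '%s: ubuntu %s, third-party %s\n' "$name" \
      "$(version_of "$UBUNTU_PACKAGES" "$name")" \
      "$(version_of "$THIRD_PARTY_PACKAGES" "$name")"
  done
}

# pin_stanza HOST: an apt_preferences(5) entry for /etc/apt/preferences.d/. Priority 100
# is below the default 500, so Ubuntu's version wins whenever both archives carry a
# package, while packages only the third-party repository has still install and still
# upgrade (a newer version beats the installed one at equal priority).
pin_stanza() {
  printf 'Package: *\nPin: origin "%s"\nPin-Priority: 100\n' "$1"
}

overlap_report
echo '--- preferences stanza ---'
pin_stanza packages.ros.org
```

On a real system the inputs are the index files apt stores under /var/lib/apt/lists/ after apt update, named after the URL they came from, so you can feed the Ubuntu and packages.ros.org Packages files to overlapping_packages before installing anything. After writing the pin, apt-cache policy bash (or any shared name) should show the Ubuntu version as the candidate.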
