Is this command to remove old kernels safe to use?

command-line security package-management

Solution 1:

I'd say: don't use it in the current form

  1. It makes changes without asking you. The apt-get -y purge part allows the one-liner to start executing purging packages, without your confirmation. If any error in the script exists, then you could be screwed.

  2. No source, no author given. The source of it makes a difference here. In case it would come from a thoroughly tested system package we can trace the testing being done onto it. From a random source, we can't trust it.

  3. dpkg -l runs fine without sudo. I don't see why the original author thought this was necessary.

Use common sense

Remove the harmful parts and leave out anything that runs as root.

For example, cut it down to this:

dpkg -l 'linux-*' | sed '/^ii/!d;/'"$(uname -r | sed "s/\(.*\)-\([^0-9]\+\)/\1/")"'/d;s/^[^ ]* [^ ]* \([^ ]*\).*/\1/;/[0-9]/!d'

which just only outputs stuff and runs with regular user permissions. Once you agree with these kernels to be removed, you can append | xargs sudo apt-get purge yourself. It's without the -y option, intentionally, so you'll be asked for confirmation on the changes about to be made to your system.

Explanation

  • dpkg -l Outputs the list of all packages. In this case it will only list packages starting with linux- as the name.
  • | (a pipe) pipes the output of the command on the left (we call that stdout) to the input of the command on the right (we call that stdin).
  • sed is a tool to manipulate strings using regular expressions. In this case it manipulates the output of the command on the left of the pipe and filters for installed packages (relying on the ii as given by dpkg). It is even being nested in this case. It would be too hard to explain the whole use of sed here, as its use is very complicated with the complex regular expressions. (the \(.*\)-\([^0-9]\+\)" is an example of a regular expression.
  • Regular expressions are very widely used to find matches based on the expression they represent. \1 is the replacement reference to do a sort of universal search-and-replace (referencing to the first 'hit' with 1). The regular expression themselves can't do any harm. However, if they manipulate the input in a wrong way, they can have you remove the wrong packages or even do shell injection. In this case it looks like a way to find the name of the kernel package based on the version provided by uname -r.
  • uname -r outputs the current version of the kernel running.
  • xargs appends the lines of the input left of the pipe as arguments to the command. In this case, the kernel versions on each line are converted to a horizontal space-separated list and appended to the sudo apt-get command.
  • sudo apt-get -y purge [packagename] purges (removes everything) of the packages given (as arguments).

Alternatives

Quite some question are probably already asked about this. Relevant ones I found so far:

  • How to "clean" previous kernels after update?
  • How do I remove old kernel versions to clean up the boot menu?

  • From this answer, the following command seems to do the same in a much safer and more common way:

    sudo apt-get purge $( dpkg --list | grep -P -o "linux-image-\d\S+" | grep -v $(uname -r | grep -P -o ".+\d") )

Solution 2:

You asked for a step-by-step explanation so here goes:

sudo dpkg -l 'linux-*'

Lists packages starting with linux- in the package name

| sed

and pipe the list into sed

"s/\(.*\)-\([^0-9]\+\)/\1/")"'/d;s/^[^ ]* [^ ]* \([^ ]*\).*/\1/;/[0-9]/!d'

which will use a very complicated regular expression to edit the list

| xargs

which will pipe the new list into xargs, which will send it as an argument to

sudo apt-get -y purge

which will purge those packages without giving you a chance to change your mind.

Or perhaps it's more accurate to say it will send that list into the purge command and leave it at that. Whether or not anything is purged — and importantly — exactly what is purged depends on the ouput of the previous commands.

Is it safe? In this case that all depends on how well the author of the post where you found it understands regular expressions and sed syntax. And there are whole books on both of those topics.

Related

How do I remove XFCE from my computer?
php5-imap on Ubuntu 14.04 is not enabled
"Shockwave Flash is known to be vulnerable" warning
Software Updater - Not all updates can be installed
DNS at systemd's 127.0.0.53 is ignoring some lookups
How to delete duplicate files with fdupes?
Install laravel 5 on Ubuntu 16.04
What does "rf" mean in "rfkill"?
13.04 - more than four workspace shortcuts in GNOME Flashback (No effects)
Run plist command every 5 seconds
Huge system file size CloudDocs
Set "Always on Top" for a window