spytrap-org / spytrap-adb

Test a phone for stalkerware using adb and usb debugging to scan for suspicious apps and configuration
GNU General Public License v3.0

Packaging for Debian #50

Open U039b opened 5 months ago

U039b commented 5 months ago

Hi! In order to add spytrap to PiRogue, would it be possible to provide a Debian package for arm64 and amd64 architectures?

kpcyrd commented 5 months ago

Hi, thanks for reaching out!

I run an apt repository over at https://apt.vulns.xyz. Would it be enough to provide packages there? If so, I could try to revisit my tooling; the repository currently only offers x86_64 and my work stalled when I noticed it's quite difficult to properly support multiple Debian releases correctly. I've checked very briefly and it seems you'd need packages for Debian 12/bookworm, is that correct?

I've also checked how much is missing to provide an official Debian package, noticed it's surprisingly little and went ahead to prepare the remaining packages:

Not sure how useful this would be for you though, as the feedback loop through an official Debian release is quite long.

Thanks for your work with PiRogue btw, I'm very happy to help!

Lastly, note this is a TUI application based on ratatui (which is similar to ncurses), so integrating it into a web interface may be challenging. There's a scan subcommand but it's currently not very useful.

U039b commented 5 months ago

Thank you, @kpcyrd. We only support Debian 12 and regarding the packages for spytrap, 2 options are possible:

kpcyrd commented 4 months ago

I've rewritten my apt tooling and you can now install a package like this:

sudo apt install ca-certificates curl gnupg
curl -sSf https://apt.vulns.xyz/kpcyrd.pgp | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/apt-vulns-xyz.gpg > /dev/null
echo deb https://apt.vulns.xyz stable main | sudo tee /etc/apt/sources.list.d/apt-vulns-xyz.list
sudo apt update
sudo apt install spytrap-adb

In case you notice any issues let me know so I can fix them before the next 0.3.2 release. :)

The .deb files (and therefore also the binaries in them) can be bit-for-bit reproduced according to the definition of Reproducible Builds; documentation for this is in the README of the repo linked above.

CyrilBrulebois commented 4 months ago

Great news!

FWIW apt understands ASCII-armored and binary keys, just store them with the right extension (.asc and .gpg respectively).

I'll let @U039b do the actual testing. :)
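
Added example, not part of the thread and not code from the spytrap-adb project: a check that picks the extension apt expects for a downloaded key, as described in the comment above, and rejects a file that is not an OpenPGP public key (for instance an HTML error page saved by curl). The function names `apt_key_ext` and `apt_key_dest` are hypothetical.

```shell
# Classify a downloaded OpenPGP public key so it can be stored under the
# extension apt expects (.asc = ASCII-armored, .gpg = binary keyring).
apt_key_ext() {
    keyfile=$1
    [ -s "$keyfile" ] || { echo "empty or missing: $keyfile" >&2; return 1; }
    # ASCII armor starts with this header line.
    if head -n 1 "$keyfile" | grep -q -e '^-----BEGIN PGP PUBLIC KEY BLOCK-----'; then
        echo asc
        return 0
    fi
    # A binary keyring starts with a public-key packet (tag 6):
    # 0x98-0x9b in the old packet format, 0xc6 in the new one.
    first=$(od -An -tx1 -N1 "$keyfile" | tr -d ' \n')
    case $first in
        98|99|9a|9b|c6) echo gpg ;;
        *) echo "not an OpenPGP public key: $keyfile" >&2; return 1 ;;
    esac
}

# Print the path under /etc/apt/trusted.gpg.d where the key should be stored.
# The second argument is a label chosen by the admin, e.g. apt-vulns-xyz.
apt_key_dest() {
    ext=$(apt_key_ext "$1") || return 1
    echo "/etc/apt/trusted.gpg.d/$2.$ext"
}
```

Copy the key to the printed path with `sudo install -m 0644` only after `apt_key_dest` succeeds.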

kpcyrd commented 3 months ago

I didn't get around to writing the blogpost yet for the apt.vulns.xyz repository, but there's now also an official package in Debian unstable: https://packages.debian.org/sid/spytrap-adb

I've briefly tested and it's possible to install the sid .deb on a bookworm system, but I can't guarantee this is going to keep working indefinitely with future versions (your mileage may vary).
