severity 1128393 normal
thanks

Hello!

Thanks for your report.

bincrypter is a tool that encrypts and obfuscates ELF binaries and shell
scripts using AES-256-CBC via openssl, producing a self-decrypting wrapper
that executes entirely in memory. Its only runtime dependencies are
/bin/sh, perl, and openssl, all of which are already present in Debian.

I use this tool regularly in my own work. When I deliver shell scripts to
clients, I often need to protect the source code to preserve the
intellectual property behind them. There is no clean native mechanism in
Linux to achieve this for shell scripts, and bincrypter fills that gap
in a practical way. Beyond that personal use case, it is useful in
authorized penetration testing engagements to simulate realistic scenarios,
and it serves an educational purpose for anyone studying how in-memory
execution and symmetric encryption interact at the OS level.

Debian already ships tools with equivalent or overlapping functionality.
The package shc, described as a "shell script compiler" and available in
bullseye, bookworm, and sid, converts shell scripts into encrypted compiled
binaries specifically to prevent inspection of the source. That is
essentially the same problem bincrypter solves, approached differently.
The package upx-ucl, described as an "efficient live-compressor for
executables" and available in Debian stable, packs and transforms ELF
binaries in ways that also alter their binary signature. UPX is well known
to be used by malware authors for the same reason it is used by legitimate
developers, yet its practical utility has always justified its presence in
Debian. The same reasoning applies here.

More broadly, Debian has a long history of including dual-use security
tools. hydra, nmap, john, hashcat, and patator are maintained in Debian
precisely because the possibility of misuse does not disqualify a tool
when legitimate use cases exist and distribution is legal. bincrypter
meets both of those conditions.

I do acknowledge that the upstream documentation emphasizes offensive
security scenarios more than it should for a general-purpose packaging
tool. I will work to improve both the upstream README and the package
description to better reflect the full range of legitimate uses and
provide clearer context around authorized use in security testing.

-- 
Daniel Echeverri
Debian Developer
Linux user: #477840
GPG Fingerprint:
D0D0 85B1 69C3 BFD9 4048 58FA 21FC 2950 4B52 30DB
