If this is for a user programs rather than system components that must be managed by apt, you could use Nix.
By its nature, it keeps track of all dependencies in a queryable format and Nix stores are actually quite portable; you can just
nix copy /nix/store/6gd9yardd6qk9dkgdbmh1vnac0vmkh7d-ripgrep-14.1.1/ --to /mnt/USB-drive/
and that will copy that store path aswell as any dependency (including transitive deps) to e.g. a USB drive.
You’d then do the inverse in the target environment to do the opposite:
nix copy /nix/store/6gd9yardd6qk9dkgdbmh1vnac0vmkh7d-ripgrep-14.1.1/ --from /mnt/USB-drive/
And then /nix/store/6gd9yardd6qk9dkgdbmh1vnac0vmkh7d-ripgrep-14.1.1/
aswell as its entire runtime dependency tree would exist in the air-gapped system.
Because Nix store paths are hermetic, that’s all you need to execute e.g. /nix/store/6gd9yardd6qk9dkgdbmh1vnac0vmkh7d-ripgrep-14.1.1/bin/rg
.
You’d obviously just adjust your $PATH
accordingly rather than typing all of that out and typically would install this into what Nix refers to as a profile so that you have one path to add to your $PATH
rather than one for each package.
I used a single package here but you could build an entire environment of many packages to your liking and it’d be the exact same as far as Nix is concerned; it’s all store paths.
You do need /nix/
to exist and be writeable in the target environment for this to work though.
Note that the clients being FOSS is of little relevance because all they do is forward a recording to a blackbox proprietary service run by a for-profit company.
The code that has access to your audio and does the actual task at hand is not FOSS in the slightest.