update livelog command with --key option, required for v4.12+ firmware#65
update livelog command with --key option, required for v4.12+ firmware#65chrismerck wants to merge 3 commits intotrunkfrom
Conversation
|
with encryption: 
when key not provided and fw is newer:
still supporting older fw without --key: 
|
Drop EOL Python 3.7/3.8 (removed from ubuntu-latest runners), add 3.10–3.12. Bump actions/checkout to v4 and actions/setup-python to v5. Fix missing blank line (E302) in livelog.py. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
chrismerck
force-pushed
the
merck/livelog-encryption
branch
from
b7cb24e to
d23527f
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
CodeQL: AES-ECB mode alert (accepted risk)The CodeQL check flags Why ECB is used: The firmware ( The vulnerability: ECB encrypts each 16-byte block independently and deterministically. Identical plaintext blocks produce identical ciphertext, leaking repetition patterns to an observer (the "ECB penguin" problem). Why it's acceptable here:
CBC would be strictly better at negligible cost (+16 bytes IV per packet, ~0 CPU difference on ESP32 hardware AES), but that requires a coordinated firmware change and is out of scope for this PR. — Claude |
User prompt: "livelog --key, if not provided, use random value" When --key is omitted, generate a random 16-character alphanumeric key instead of passing None. This ensures encryption is always active in listen mode, which is required for v4.13+ firmware. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2 participants
Recent betas, and v4.12+ require livelog to be encrypted, so that it may be sent over the public internet. This implements the support for encrypted livelog in bond-cli.