Hello there, specially Thomas, I'm not shure if it's a bug but I thought I better report it. I'm using FAI 4.3.3 from Debian stable.
FAI can download $FAI_CONFIG_SRC via http for example from a website. To secure this *.tar.gz archive a .md5 file (containing the *.tar.gz's checksum)is neccessary. Without this .md5-file FAI aborts the installation. That's good and expected. BUT: If the .md5-file contains the wrong checksum (I manually changed it for testing purpuses) the installation is continued anyway - using the downloaded config. IMO this is not acceptable. Please skip verification at all or make sure only archives with valid hash are processed. BTW: md5 isn't that secure these days. ... Christian Meyer
