Wrong md5 accepted while downloading $FAI_CONFIG_SRC with http
Thomas Lange
lange at informatik.uni-koeln.de
Wed Sep 9 15:55:28 CEST 2015
>>>>> On Sun, 06 Sep 2015 20:56:08 +0200, Christian Meyer <c2h5oh at web.de> said:
> FAI can download $FAI_CONFIG_SRC via http for example from a website.
> To secure this *.tar.gz archive a .md5 file (containing the *.tar.gz's checksum)is neccessary.
> Without this .md5-file FAI aborts the installation. That's good and expected.
> BUT: If the .md5-file contains the wrong checksum (I manually changed it for testing purpuses)
> the installation is continued anyway - using the downloaded config.
I just removed the md5 check. The new version will be included in FAI 4.4.
I added the md5 check not because of security but more because of
detecting bad file tranfers. But http/tcp should do this for us.
--
regards Thomas
More information about the linux-fai
mailing list