FTP SITE CHANGE
changing the way the FTP site works
Essentially, because the .md5 file in the FTP directory comes from the same FTP site as the ISO, it proves nothing about the ISO's trustworthiness. If the site is spoofed (e.g. via DNS) there is no way to validate the identity of the remote server: clear-text FTP has no mechanism to authenticate the server, unlike TLS. And if the real site has been compromised, an attacker merely replaces the ISO and writes the MD5 hash of the malicious file into the same directory; the checksum then matches perfectly.
Finally, MD5 has known collisions and is deprecated; it should not be used as a hash function where there is any expectation of security (although in the two scenarios above the attacker does not even need a collision, since they control the hash file as well as the ISO).
The right way (if FTP is still to be used) would be to place a PGP-signed file containing SHA-256 (or stronger) hashes in the directory; SHA-1 also has practical collisions now and should not be chosen for a new scheme. Users could then validate the download properly, with one caveat: the signing key's fingerprint must be obtained and checked through a channel independent of the FTP site (HTTPS project page, keyserver, an earlier trusted release), otherwise an attacker who controls the site can substitute their own key and signature just as easily as they substituted the MD5 file.
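As an added example (not part of the original note, and not the project's own release tooling), the following script builds and checks exactly that scheme on Linux with GnuPG 2.1+ and coreutils: the publisher signs a SHA256SUMS file with a throw-away demo key, the downloader imports the public key, checks its fingerprint against a value obtained out of band, and only accepts a sum if the signature is valid and made by that key. The key name, directory names and the "ISO" contents are constructed stand-ins.

```shell
#!/bin/sh
# Added example: PGP-signed SHA-256 sums for files published over clear-text FTP.
# Requires gpg (GnuPG 2.1+) and sha256sum; all names and payloads are hypothetical.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not found; install GnuPG 2.1+ to run this demo" >&2; exit 0; }

WORK="$(mktemp -d)"
RELEASE_HOME="$WORK/release-gnupg"   # publisher's keyring (a real one lives offline)
USER_HOME="$WORK/user-gnupg"         # a downloader's keyring
SITE="$WORK/ftp"                     # stands in for the FTP directory
mkdir -m 700 "$RELEASE_HOME" "$USER_HOME"
mkdir -p "$SITE"
trap 'GNUPGHOME="$RELEASE_HOME" gpgconf --kill gpg-agent 2>/dev/null; GNUPGHOME="$USER_HOME" gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT

# Run gpg against a given keyring without prompts.
gpg_at() { home="$1"; shift; GNUPGHOME="$home" gpg --batch --quiet "$@"; }

# --- publisher side ---------------------------------------------------------
# Generate a demo signing key (no passphrase, demo only), export the public half
# and print the primary fingerprint. The exported file plays the role of the key
# published somewhere independent of the FTP site; it is never served from there.
make_release_key() {
    gpg_at "$RELEASE_HOME" --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Release Signing (demo) <release@example.invalid>" default default never
    gpg_at "$RELEASE_HOME" --armor --export > "$WORK/release-key.asc"
    gpg_at "$RELEASE_HOME" --with-colons --list-keys | awk -F: '/^fpr:/ { print $10; exit }'
}

# Publish one clear-signed SHA256SUMS.asc next to the ISOs. The sum list alone
# proves nothing; the signature is what ties it to the publisher.
sign_release() {
    ( cd "$1" && sha256sum -- *.iso > SHA256SUMS \
        && gpg_at "$RELEASE_HOME" --yes --clearsign --output SHA256SUMS.asc SHA256SUMS \
        && rm SHA256SUMS )
}

# --- downloader side --------------------------------------------------------
# Import the publisher's key once and confirm its fingerprint matches the one
# obtained out of band; importing a key is not the same as trusting it.
trust_release_key() {
    gpg_at "$USER_HOME" --import "$WORK/release-key.asc"
    gpg_at "$USER_HOME" --with-colons --list-keys | grep -q "^fpr:.*:$1:"
}

# Verify one download: the signature must be good AND made by the expected key
# (the VALIDSIG status line carries the fingerprint); only then is the signed
# sum list consulted for this file.
verify_download() {
    site="$1"; iso="$2"; fpr="$3"
    ( cd "$site" \
        && gpg_at "$USER_HOME" --status-fd 1 --verify SHA256SUMS.asc 2>/dev/null \
           | grep -q "^\[GNUPG:\] VALIDSIG .*$fpr" \
        && gpg_at "$USER_HOME" --decrypt SHA256SUMS.asc 2>/dev/null \
           | grep -- " $iso\$" \
           | sha256sum -c --status - )
}

# --- demo run ---------------------------------------------------------------
printf 'demo ISO payload\n' > "$SITE/demo.iso"       # constructed stand-in for an ISO
FPR="$(make_release_key)"
sign_release "$SITE"
trust_release_key "$FPR"

# 1. Untouched download: signature valid, sum matches.
verify_download "$SITE" demo.iso "$FPR" && echo "accepted: demo.iso matches the signed sums"

# 2. Compromised site: attacker swaps the ISO and rewrites the sums file, but
#    cannot sign it with the release key, so the sums are never consulted.
ATTACK="$WORK/ftp-compromised"; mkdir -p "$ATTACK"
printf 'malicious ISO payload\n' > "$ATTACK/demo.iso"
( cd "$ATTACK" && sha256sum demo.iso > SHA256SUMS.asc )   # the same-site, unsigned hash file of the original note
verify_download "$ATTACK" demo.iso "$FPR" || echo "rejected: sums file is not signed by the release key"
```

The two checks are deliberately separate: a good signature from the wrong key (an attacker's own key, which gpg would happily import) fails the fingerprint match, and a good signature from the right key still fails if the ISO's sum does not match. Verifying against `--status-fd` output rather than gpg's exit code alone is what makes the fingerprint check explicit.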