5 Jan 2015, 10:19 a.m.
I do not think we need HTTPS, though it does not hurt. If anybody tries to fool us with man-in-the-middle via HTTP we should detect that just fine with broken signatures (given signatures are provided...).
Well, I mean when no signatures are available. It's not really that common for upstream to sign the packages :(. HTTPS is pretty common though, especially considering all of the projects hosted on sites like GitHub.