> The issue is that someone doing a man in the middle attack over http > could serve an old version of the mirrors and have properly signed > versions of everything with known vulnerabilities. Exactly, this is the main (and valid!) concern for serving things over plain http. Thus should be addressed. But as we learned through that thread, none of that actually attributes to the other claims initially made, since they all have been debunked to be wrong. ~pete