Debian Documentation invites People to use HTTP instead of HTTPS
The installation documentation for Debian recommends (e.g. for Debian Jessie) a sources list entry like this:
deb http://deb.torproject.org/torproject.org jessie main
deb-src http://deb.torproject.org/torproject.org jessie main
As these packages can also be downloaded via HTTPS, the recommendation should use the secure protocol to reduce the amount of information visible to a potential eavesdropper.
At DebConf15, Jacob Appelbaum recommended TLS-enabling all mirrors. To be aligned with that vision, the Tor Project should not recommend non-TLS setups.
Trac:
Username: herzi
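
An added example, not part of the original ticket or any Tor Project code: a small audit of one-line `sources.list` entries that flags plain-HTTP sources and prints the HTTPS form the ticket asks for. The function name `audit_sources` and the `mirror.example.org` / `disabled.example.org` hosts are hypothetical; on Jessie-era APT the `apt-transport-https` package must be installed before an `https://` source can be fetched.

```python
import re

# One-line sources.list entry: type, optional [options], URI, suite, components.
ENTRY = re.compile(r"^(deb|deb-src)\s+(\[[^\]]*\]\s+)?(\S+)\s+(\S+)(.*)$")


def audit_sources(text):
    """Return (line_no, entry, https_rewrite) for each entry fetched over plain HTTP."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # ignore comments and disabled entries
        match = ENTRY.match(line)
        if not match:
            continue  # blank line, comment, or not a one-line-style entry
        kind, opts, uri, suite, rest = match.groups()
        if uri.lower().startswith("http://"):
            # Keep options, suite and components; change only the scheme.
            fixed = f"{kind} {opts or ''}https://{uri[len('http://'):]} {suite}{rest}"
            findings.append((line_no, line, fixed))
    return findings


# Constructed sample: the two entries quoted in the ticket plus hypothetical lines.
SAMPLE = """\
# /etc/apt/sources.list.d/tor.list (constructed sample)
deb http://deb.torproject.org/torproject.org jessie main
deb-src http://deb.torproject.org/torproject.org jessie main
deb [arch=amd64] https://mirror.example.org/debian jessie main
#deb http://disabled.example.org/debian jessie main
"""

if __name__ == "__main__":
    for line_no, entry, fixed in audit_sources(SAMPLE):
        print(f"line {line_no}: plain HTTP source")
        print(f"  found:   {entry}")
        print(f"  replace: {fixed}")
```
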