> The fact is allowing any type of unsigned update on HTTP is a security flaw in itself.

Reminds me about ten years or so ago when I was installing Debian or something and I noticed the URL for the apt install mirrors were http and not https. People helpfully pointed out this is a non issue because the updates are signed.

Ok I guess but then why did Debian switch to https?