Comment 1 for bug 1255120

Given bugs like CVE-2016-1252 https://www.debian.org/security/2016/dsa-3733, I think it is now quite clear that apt package archives should always use HTTPS. Right now, all of the Ubuntu repo sections are available via HTTPS:

* https://spout.ussg.indiana.edu/linux/ubuntu
* https://mirrors.kernel.org/ubuntu
* https://mirror.cse.unsw.edu.au/pub/ubuntu-releases/