By default all of the repository URLs are http:// and have invalid certificates when switched to https://.
Why can't we use and enforce SSL?
How would we prvent man-in-the-middle attacks against these repositories?
Thats a good point. I'll be raising this as an issue.