I could trojan you on a public wifi network. You wouldn't know any better because the package does no verification. Had we shared some information prior (like say the debian package manager) then you would be able to…
Had the packages been signed you could verify them (like deb packages).
The point is that something like debian will SIGN packages. You'll have some guarantee that the package you receive is what the maintainers expected. This is not safely possible using this method even if SSL is used.
I could trojan you on a public wifi network. You wouldn't know any better because the package does no verification. Had we shared some information prior (like say the debian package manager) then you would be able to…
Had the packages been signed you could verify them (like deb packages).
The point is that something like debian will SIGN packages. You'll have some guarantee that the package you receive is what the maintainers expected. This is not safely possible using this method even if SSL is used.