The HTTP package sources of postmarketOS's "apk" might in some scenarios be insecure even with signed packages
Sorry if there is already a ticket for this, feel free to close if this is a duplicate!
I noticed apk is fetching the index via HTTP, and let me explain why that seems problematic to me even with signed packages:
Of course the package signing prevents the worst outcome (which is that a person in the middle can force malicious code to be installed), but there is still the issue that on a public wifi/untrusted router, the index could be manipulated to list outdated or missing packages. This could mess with the system updates quite a bit, by preventing them entirely, or make apk download lots of fake unsigned packages, effectively breaking the search, even though none of those would lead to an install. While that wouldn't be the end of the world and not nearly as bad as malicious code execution, I still think it is undesirable that this wouldn't be all too hard to do.
Therefore, I suggest that the package sources should be migrated to signed HTTPS via some usual, basic-effort signing like Let's Encrypt to fix this potential issue.
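As an added example (not code from the issue or from the postmarketOS/apk projects), the script below audits an apk-style repositories file and flags every source still fetched over plain HTTP, next to the HTTPS form the report asks for. The sample file contents and the mirror hostnames are constructed placeholders.

```python
"""Audit an apk(8) repositories file for plain-HTTP package sources.

apk reads one repository per line from /etc/apk/repositories; a line may
carry an "@tag " prefix, be a "#" comment, or point at a local path.
Added example, not part of the original issue.
"""
from urllib.parse import urlparse

# Constructed sample of a repositories file (hostnames are placeholders).
SAMPLE_REPOSITORIES = """\
# main repos
http://mirror.example.org/postmarketos/master
@edge http://mirror.example.org/alpine/edge/main
https://mirror.example.org/alpine/v3.18/community
/media/sdcard/apks
"""


def parse_repositories(text):
    """Yield (tag, source) pairs for each non-comment, non-empty line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag = None
        if line.startswith("@"):          # tagged repo: "@edge http://..."
            tag, _, line = line.partition(" ")
            line = line.strip()
        yield tag, line


def insecure_repositories(text):
    """Return [(tag, http_url, https_url)] for every plain-HTTP source.

    Local paths and HTTPS sources are ignored; each http:// source is
    reported together with the same URL rewritten to https://.
    """
    findings = []
    for tag, source in parse_repositories(text):
        parsed = urlparse(source)
        if parsed.scheme.lower() == "http":
            fixed = parsed._replace(scheme="https").geturl()
            findings.append((tag, source, fixed))
    return findings


if __name__ == "__main__":
    for tag, url, fixed in insecure_repositories(SAMPLE_REPOSITORIES):
        prefix = f"{tag} " if tag else ""
        print(f"insecure: {prefix}{url}\n  suggest: {prefix}{fixed}")
```

To check a real system, read /etc/apk/repositories into `insecure_repositories` instead of the constructed sample.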