by BeefWellington 1306 days ago

    I think even now you can find Linux distros preferring to ship their data over HTTP with GPG-keys recommended for the security.
This isn't really to solve the same problem though. The GPG key thing is so you can use mirrors for hosting that are distributed but still trust the package came from the real source. TLS termination of where the packages are retrieved is separate.
1 comments

Yes, the gpg piece provides that functionality nicely. However, it’s exceedingly common for the mirrors to not be provided over TLS for cost reasons. Netflix switched to serving video over TLS for no other reason than to promote the usage of TLS (after a lot of custom engineering (pki on cpu, crypto on nic iirc?) to reduce the overheads of doing this).