HACKER Q&A
📣 wutwutwat

Why do major operating system installs default to HTTP instead of HTTPS?


I've noticed this lately and never really paid attention before, but fresh installs of Debian use FTP or HTTP for the package repos, and when doing a full reinstall of macOS, the initial recovery image, and then the full install image, are both pulled from an HTTP endpoint.

Wouldn't these things be the most crucial endpoints to secure with SSL? Why are they not done so by default? I know you can tell Debian to use HTTPS, and I'm sure Apple has certs on those OS image servers, but of all things to leave open to easily being MITM'd, it should not be the install image on your device. That makes everything after that completely untrustworthy imo. If I was served a rooted Mac recovery image, I'm fucked from the get go, and it is weird that HTTPS isn't required. I know root trust on a bare install is probably a pain in the ass, but it's Apple, they can and should do something here. Supply chain security starts with the base OS.


  👤 compressedgas Accepted Answer ✓
Debian does not need HTTPS as it assures the authenticity of packages through package signatures.

However, for privacy, it would be better to use HTTPS as then only you and your chosen package server will know what packages you have chosen to install.


👤 charleslmunger
All the packages are signed. But one practical reason might be that a computer doing a fresh install may not have an accurate system time, which TLS depends on.