That is not enough at all and there are other attacks! I can't belive in 2020 some people still need to be explained why not enforcing https is a terrible thing!
For instance, will a lockfile prevent someone from eavesdropping on the download of a modules through http? If so, please kindly tell me how!
Well, diasabling http by default is basically "Internet 101" here.
I don't want to write an full lecture on how many attacks are possible when people don't use https. It has been commmon knowledge for way more than a decade
For instance, will a lockfile prevent someone from eavesdropping on the download of a modules through http? If so, please kindly tell me how!