
I noticed the update mirror uses http. In my inexperience, I'm not sure whether this introduces a MitM vector or not.

Can anybody comment?



Not exactly the same, but: https://whydoesaptnotusehttps.com/

tldr: if you verify the download against a trusted PGP key, it doesn't matter where the download actually came from.


Which is, IMHO, a ridiculously short-sighted approach that ignores the difference between theory and practice.

If there is a vuln in (or before) the GPG signature check, using HTTPS has a good chance of making it a lot harder to exploit (because the attacker will likely need to get into a trusted position instead of MitMing any HTTP connection).


It does matter if you're behind a dumb corporate firewall that doesn't care what you're requesting, unless it's not going through HTTPS.

Why yes, this is dumb. Why yes, I can't do anything about it. This is why having an https path matters.


Thanks!



