Comment 2 for bug 1744318

I think we'll turn on https for now, and defer GPG to a later time. There are essentially two ways we could go for that:

(1) implement GPG verification in UpdateManager. gpg is hard to use, so I'd expect us to mess up somewhere. Also should have rollback and starving prevention (date/valid-until).

(2) generate an InRelease file for the meta-release files, and re-use APT for the fetching and validation. This means we get security features automagically.