
How is it acceptable that SourceForge download links are HTTP and not HTTPS?



Is there a reason this comment was modded down?


I didn't vote down, but why would open source downloads need to go over HTTPS? It's very expensive to encrypt such large files for each download. Furthermore, many of the advantages can be gained by checking the MD5.


And we supply md5, sha1, sha256 (overkill, yeah!) + signature of all packages.


VLC is probably illegal in some countries due to the patents applying to a lot of video and audio codecs. If Sourceforge downloads were over an encrypted connection, one could avoid monitoring.


That illegality applies to the developers of VLC, not to people downloading it.


SSH tunnel to a cloud server in Europe, then download over that.


Are checksums provided over HTTPS anywhere? If not, then this doesn't help with MITM attacks.
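An added example, not part of the thread, illustrating the checksum points raised above: a digest only helps against tampering in transit if it arrives over a channel the on-path party cannot also rewrite. The file name, hosts and sample bytes are constructed for illustration, and using the URL scheme as the trust check is a simplifying assumption.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

def parse_sha256sums(text):
    """Parse sha256sum-style lines ("<hex>  <name>") into {name: hex}."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 64:
            sums[parts[1].lstrip("*").strip()] = parts[0].lower()
    return sums

def digest_matches(payload, name, sums_text):
    """Integrity only: does the payload hash to the listed digest?"""
    expected = parse_sha256sums(sums_text).get(name)
    actual = hashlib.sha256(payload).hexdigest()
    return expected is not None and hmac.compare_digest(actual, expected)

def verify(payload, name, sums_text, sums_url):
    """Accept only if the digest list arrived over HTTPS and the digest matches."""
    if urlsplit(sums_url).scheme != "https":
        return False, "checksum list came over an unauthenticated channel"
    if not digest_matches(payload, name, sums_text):
        return False, "digest mismatch or file not listed"
    return True, "ok"

def sums_for(payload, name):
    """Build the one-line checksum list a publisher would post for this payload."""
    return f"{hashlib.sha256(payload).hexdigest()}  {name}\n"

# Constructed sample data: stand-ins for a release file and an altered copy.
NAME = "player-1.0.tar.gz"
GENUINE = b"genuine release bytes"
ALTERED = b"altered in transit"

def demo():
    return {
        # File and checksum list both fetched over HTTP: whoever altered the
        # file can alter the list too, so the bare digest comparison passes.
        "http_naive": digest_matches(ALTERED, NAME, sums_for(ALTERED, NAME)),
        "http_strict": verify(ALTERED, NAME, sums_for(ALTERED, NAME),
                              "http://mirror.example.org/SHA256SUMS"),
        # List fetched over HTTPS from the publisher: the altered file fails.
        "https_altered": verify(ALTERED, NAME, sums_for(GENUINE, NAME),
                                "https://project.example.org/SHA256SUMS"),
        "https_genuine": verify(GENUINE, NAME, sums_for(GENUINE, NAME),
                                "https://project.example.org/SHA256SUMS"),
    }
```

A detached signature checked against a key obtained out of band gives the same guarantee without relying on the transport.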



