https://bugs.winehq.org/show_bug.cgi?id=39859
--- Comment #6 from Sebastian Lackner sebastian@fds-team.de --- (In reply to Vincent Povirk from comment #5)
We could have Wine verify signatures, but instead we rely on a hardcoded hash. I'm not sure https is even used.
Checking a hash is even more secure than relying on signatures, so I do not see any real disadvantage here, no matter if HTTPS is used or not. However, of course its true that issues with the network connection could cause missing gecko/mono, so it might still be useful to provide packages.
I'm not really sure yet whats the best way to do this. It doesn't really belong into the Wine package itself, and we potentially need multiple versions for stable/devel/staging in the same repository. When only the version number is different, older packages might get purged after some time.