deprecate or warn about downloads over unencrypted HTTP
Describe the problem you are trying to solve
In light of recent developments in the Java ecosystem, I think Rust should follow that and also mark "http" sources as deprecated or warn about them in some way.
Describe the solution you'd like
Correct me if I'm wrong here, but pulling sources from http:// instead of directly from crates.io, likely via git, does require putting it in its own TOML section either way, right?
One could then require a switch similar to allow-unencrypted-http = true.
In a first step, just outputting a warning/deprecation notice if this is not set but the source is http:// should be fine, and after some time one could then switch to this aborting the build.
Notes
This would in the second stage break builds, with the fix being a configuration option.
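The opt-in switch and two-stage rollout proposed above, as an added example that is not part of the issue or of Cargo's own code: a small lint that scans Cargo TOML text for plaintext `http://` sources, stays quiet when the hypothetical `allow-unencrypted-http = true` key is set, and otherwise warns (first stage) or denies (second stage, `enforce = true`). The config it scans is constructed for the example, and the scanner is line-oriented rather than a full TOML parser.

```rust
// Added example, not Cargo's own code: a minimal lint that flags plaintext
// `http://` sources in Cargo TOML text and honours the hypothetical
// `allow-unencrypted-http = true` opt-in from the proposal above. It is a
// line-oriented scan (table headers, `key = value`, quoted strings), not a TOML parser.
#[derive(Debug, PartialEq)]
pub enum Verdict { Allow, Warn, Deny }
#[derive(Debug, PartialEq)]
pub struct Finding { pub table: String, pub key: String, pub url: String }

/// Collects quoted `http://` URLs. `enforce` models the proposal's second stage:
/// without the opt-in, findings abort the build (Deny) instead of only warning.
pub fn lint_http_sources(toml: &str, enforce: bool) -> (Vec<Finding>, Verdict) {
    let mut table = String::from("<root>");
    let mut findings = Vec::new();
    let mut opted_in = false;
    for raw in toml.lines() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') { continue; }
        if let Some(header) = line.strip_prefix('[') {
            table = header.trim_end_matches(']').to_string();
            continue;
        }
        let Some((key, value)) = line.split_once('=') else { continue };
        let (key, value) = (key.trim(), value.trim());
        if key == "allow-unencrypted-http" && value == "true" {
            opted_in = true;
            continue;
        }
        // Odd-indexed segments after splitting on `"` are the quoted strings; this
        // also catches inline tables such as `foo = { git = "http://..." }`.
        for s in value.split('"').skip(1).step_by(2) {
            if s.starts_with("http://") {
                findings.push(Finding { table: table.clone(), key: key.to_string(), url: s.to_string() });
            }
        }
    }
    let verdict = if findings.is_empty() || opted_in { Verdict::Allow }
        else if enforce { Verdict::Deny } else { Verdict::Warn };
    (findings, verdict)
}

/// Constructed sample config (no real hosts): one plaintext mirror, one TLS git dep.
pub const SAMPLE: &str = "[source.crates-io]\nreplace-with = \"mirror\"\n\
    [source.mirror]\nregistry = \"http://mirror.example.test/index\"\n\
    [dependencies]\nfoo = { git = \"https://git.example.test/foo\" }\n";

fn main() {
    let (findings, verdict) = lint_http_sources(SAMPLE, false);
    for f in &findings { println!("{:?}: [{}] {} = {}", verdict, f.table, f.key, f.url); }
}
```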
Hi,
In case this issue lands in the git tree, it is probably a good idea to keep HTTP downloads when we can provide a signature hash to verify the integrity of the file after download, because HTTPS is expensive and the issue is the absence of an integrity check somewhere, and HTTPS is a mitigation that is not perfect with regard to that.
An opt-in HTTPS mode would resolve this and not break environments which require insecure connections.
A warning would encourage better practices.
This sounds good to me. Once Cargo gets https://github.com/rust-lang/cargo/issues/12115 landed and has its own lint control system, we could start rolling out this kind of warning.