One older thread on this:
Hi,
please also be aware that our apt repos come signed with our GPG keys anyway, so realistically adding HTTPS on top of that does not provide much of a security benefit.
The reason we use it for the enterprise repos is that you need to authenticate yourself there to prove you have a valid subscription. HTTPS is used there to protect those credentials.
The basic argument of the Proxmox developers is that all their packages are signed with GPG anyhow, thus HTTPS doesn't add additional security.
I'm not much of a security researcher, so I have no opinion on this. I still trust the Proxmox developers enough that it doesn't affect my usage of the repositories.
And Proxmox isn't the only company/project that does this, best practices or not. Ubuntu, for example, does the same, as seen in their documentation for their coming upstream release:
https://manpages.ubuntu.com/manpages/resolute/man5/sources.list.5.html
My guess is that HTTPS (due to being encrypted) brings some additional load on the deployment infrastructure, so the non-enterprise repositories (i.e., the ones that don't generate income) of Proxmox have HTTP, while paying customers can have HTTPS if they think this improves security.
Now Ubuntu shouldn't have budget constraints, but I can imagine that even at their scale HTTPS versus HTTP can make a big difference. So while it's possible to use HTTPS for Ubuntu, the default is still HTTP to save on computing resources.
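To make the "signed anyway" argument concrete, here is an added example (not Proxmox's or apt's own code) that replays the checks apt performs after gpgv has verified the Release signature: the Packages index must match the digest in the signed Release, the .deb must match the digest in Packages, and Valid-Until must not have passed, which is the part that bounds replay of an old snapshot. The Release, Packages and .deb contents are constructed inline; the signature step itself is assumed to have already succeeded.

```python
import hashlib
import re
from datetime import datetime, timezone

# Constructed package payload and Packages index (not a real package).
DEB = b"!<arch>\nexample_1.0_all.deb placeholder contents\n"
PACKAGES = (
    b"Package: example\nVersion: 1.0\n"
    b"Filename: pool/main/e/example_1.0_all.deb\n"
    b"SHA256: " + hashlib.sha256(DEB).hexdigest().encode() + b"\n\n"
)
# Constructed Release body. In a real repo this is the text that gpgv has
# already verified against the distribution's signing key (InRelease).
RELEASE = (
    "Suite: bookworm\nValid-Until: Thu, 01 Jan 2099 00:00:00 UTC\nSHA256:\n"
    f" {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} main/binary-amd64/Packages\n"
)

def parse_release(text):
    """Return (valid_until, {path: (sha256, size)}) from a Release body."""
    valid_until, digests, in_sha = None, {}, False
    for line in text.splitlines():
        if line.startswith("Valid-Until:"):
            stamp = line.split(":", 1)[1].strip()
            valid_until = datetime.strptime(stamp, "%a, %d %b %Y %H:%M:%S %Z")
            valid_until = valid_until.replace(tzinfo=timezone.utc)
        elif line.startswith("SHA256:"):
            in_sha = True
        elif line.startswith(" ") and in_sha:
            digest, size, path = line.split()
            digests[path] = (digest, int(size))
        else:
            in_sha = False
    return valid_until, digests

def verify_chain(release_text, packages_bytes, deb_bytes):
    """Check freshness, the Packages digest and the .deb digest; return failures."""
    failures = []
    valid_until, digests = parse_release(release_text)
    if valid_until is None or datetime.now(timezone.utc) > valid_until:
        failures.append("Release expired or lacks Valid-Until")  # replay not ruled out
    expected = (hashlib.sha256(packages_bytes).hexdigest(), len(packages_bytes))
    if digests.get("main/binary-amd64/Packages") != expected:
        failures.append("Packages index does not match signed Release")
        return failures  # nothing below the index can be trusted
    m = re.search(rb"^SHA256: ([0-9a-f]{64})$", packages_bytes, re.M)
    if not m or m.group(1).decode() != hashlib.sha256(deb_bytes).hexdigest():
        failures.append(".deb does not match Packages index")
    return failures
```

Any byte flipped in transit, whether over HTTP or HTTPS, shows up as a digest mismatch; what the transport does not get from this chain is confidentiality of what you download, and freshness only if the repo publishes Valid-Until.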
So I don't tend to look for old discussions, I just report the issue.
For bug reports, bugzilla.proxmox.com should be used; for security reports the procedure is outlined at
https://pve.proxmox.com/wiki/Security_Reporting. Basically they have a dedicated mail address so a responsible disclosure process can be followed in case of a critical vulnerability in the code.
Regarding best practices: it's not always easy to find the right keywords, but imho it's still best practice to look up whether somebody reported something before.