I noticed this the other day as well. I was trying to download GnuPG. GnuPG.org, including the download page and checksums, is served entirely over HTTP.
Even if it is open source, am I expected to pore over thousands of lines of code to verify that it hasn't been compromised?