$BIN.TOML must contain either the blake3sum or the sha256sum of the binary specified as source.
And once hysp downloads them, it checks if they match exactly as specified in the $BIN.TOML.
We prevent MITM or any other shenanigans by trusting that whoever is hosting the pkg isn't tampering with both the binary and the checksums.
So yes, not completely foolproof (an attacker could, in theory, tamper with both the binary and the checksum), but that's why we have the self-hosting option for people who want to trust only themselves and their servers.
The config allows you to specify different URLs/hosts for the TOML files and the actual binaries.
So unless both the TOML files and the source binaries are being hosted on an HTTP site, MITM is not possible.
And as already specified, the default source that ships with hysp doesn't use HTTP anywhere.
To address your concerns:
1. Hysp allows making requests to http-only sites, because hysp doesn't care where you host your binaries. As long as you have the sha256sum/blake3sum of the binaries, and they match, hysp will work.
2. The default pkg source that ships with hysp is hosted on GitHub itself, where there's no need to use http. HTTP is simply a fallback, and meant for maximum compatibility.
3. As installing random binaries from random sources is not advisable due to security concerns, the pkg-source can be self-hosted by anyone and hysp can be configured to use that instead of the default source.
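The checksum check described in this reply, as an added example that is not hysp's own code: a manifest carrying `sha256sum` or `blake3sum` is parsed, the downloaded bytes are hashed with the named algorithm, and the digests are compared. The manifest key names, the `source` key and the sample binary are constructed assumptions; the test below also shows the caveat from the reply, that a host controlling both the manifest and the binary can make a tampered pair verify cleanly.

```python
import hashlib
import hmac
import re
try:
    import tomllib  # standard library on Python 3.11+
except ImportError:
    tomllib = None

# Constructed sample: a tiny "binary" and a $BIN.TOML in the shape the reply
# describes (digest keys sha256sum/blake3sum; "source" is an assumed key name).
SAMPLE_BINARY = b"#!/bin/sh\necho hello from a sample binary\n"
SAMPLE_MANIFEST = (
    'name = "hello"\n'
    'source = "http://example.invalid/hello"\n'
    f'sha256sum = "{hashlib.sha256(SAMPLE_BINARY).hexdigest()}"\n'
)


def parse_manifest(text):
    """Parse the manifest; without tomllib, fall back to flat key = "value" lines."""
    if tomllib is not None:
        return tomllib.loads(text)
    return dict(re.findall(r'^(\w+)\s*=\s*"([^"]*)"', text, re.M))


def digest_for(manifest, data):
    """Hash data with the algorithm the manifest names.
    blake3 is not in the standard library; the third-party `blake3` package
    is imported lazily so sha256-only manifests need no extra dependency."""
    if "blake3sum" in manifest:
        import blake3  # raises ImportError if the package is not installed
        return "blake3sum", blake3.blake3(data).hexdigest()
    if "sha256sum" in manifest:
        return "sha256sum", hashlib.sha256(data).hexdigest()
    raise ValueError("manifest must contain blake3sum or sha256sum")


def verify_download(manifest_text, data):
    """True iff the downloaded bytes match the digest recorded in the manifest.
    This only binds the binary to the manifest; it proves nothing about the
    manifest itself, which is why the manifest should travel over a channel
    the binary host cannot rewrite (the split TOML/binary hosts in the reply)."""
    manifest = parse_manifest(manifest_text)
    key, actual = digest_for(manifest, data)
    expected = manifest[key].strip().lower()
    return hmac.compare_digest(expected, actual)
```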