Linux packages mirrors

A good package manager will check for cryptographic signatures corresponding to downloaded packages, so that should keep you safe; even if someone intercepted and replaced the HTTP packets, as long as the official signatures themselves are fetched securely. It’d still be ideal to have the connections be over TLS, but it’s not strictly necessary for this use case. (It still doesn’t keep private which packages you’re installing, for example)