Do not download dependencies from insecure sources

[DemiMarie]

Currently, Julia downloads dependencies from insecure connections in many cases (http:// or git://). This allows for a man-in-the-middle attack, resulting in total compromise of the developer's system.

The only solution is to ensure that all downloads are fetched via secure https:// connections (with strict TLS certificate checking) and (ideally) have SHA512 hashes as well.

[JeffBezanson]

I believe we do have and check SHA512 hashes for all dependencies.

[StefanKarpinski]

Since we do SHA512 hash checks, I don't think the transport matters.

[Keno]

Correct, all dependencies are checked for integrity via SHA512 hashes: https://github.com/JuliaLang/julia/tree/master/deps/checksums. The transport should not need to be encrypted.

[tkelman]

we could change any of the urls to https if that doesn't break anything, I doubt anyone would notice a difference. would have to remove the insecure/-k flag from deps/tools/jldownload too though.

[DemiMarie]

objconv is not checked. Switching to an HTTPS URL fails with a certificate error.

[Keno]

Good catch! @vtjnash points out that objconv is the only dependency that's not versioned, so upstream changes frequently without warning. We probably need to rehost that particular download.

[ViralBShah]

Even though 99% of those building Julia probably receive their libraries from Yggdrasil, this should be easy enough to fix this and close.

➜  deps git:(master) grep http\: *
blas.mk:	$(JLDOWNLOAD) $@ http://www.netlib.org/lapack/$(notdir $@)
grep: checksums: Is a directory
dsfmt.mk:	$(JLDOWNLOAD) $@ http://www.math.sci.hiroshima-u.ac.jp/~m-mat/MT/SFMT/dSFMT-src-$(DSFMT_VER).tar.gz
mpfr.mk:	$(JLDOWNLOAD) $@ http://www.mpfr.org/mpfr-$(MPFR_VER)/$(notdir $@)
objconv.mk:	$(JLDOWNLOAD) $@ http://www.agner.org/optimize/objconv.zip

[ViralBShah]

dsfmt and lapack should be picked up from github. I'll check the others as well.