Prohibit http:// sources
$ git grep 'http:'
elements/core-deps/berkeleydb.bst: url: http://http.debian.net/debian/pool/main/d/db5.3/db5.3_5.3.28.orig.tar.xz
elements/core-deps/libatasmart.bst: url: http://0pointer.de/public/libatasmart-0.19.tar.xz
elements/core-deps/libdaemon.bst: url: http://0pointer.de/lennart/projects/libdaemon/libdaemon-0.14.tar.gz
elements/core-deps/libdvdread.bst: url: http://download.videolan.org/pub/videolan/libdvdread/6.0.0/libdvdread-6.0.0.tar.bz2
elements/core-deps/libndp.bst: url: http://libndp.org/files/libndp-1.6.tar.gz
elements/core-deps/mm-common.bst:# http://gcc.gnu.org/onlinedocs/libstdc++/latest-doxygen/libstdc++.tag
elements/core-deps/mtdev.bst: url: http://bitmath.org/code/mtdev/mtdev-1.1.5.tar.bz2
elements/core-deps/neon.bst: url: http://http.debian.net/debian/pool/main/n/neon27/neon27_0.30.2.orig.tar.gz
elements/core-deps/openldap.bst: url: http://openldap.org/software/download/OpenLDAP/openldap-release/openldap-2.4.45.tgz
elements/core-deps/portaudio.bst: url: http://www.portaudio.com/archives/pa_stable_v190600_20161030.tgz
elements/sdk/libcanberra.bst: url: http://0pointer.de/lennart/projects/libcanberra/libcanberra-0.30.tar.xz
elements/world/anthy.bst: url: http://http.debian.net/debian/pool/main/a/anthy/anthy_0.3.orig.tar.gz
elements/world/kyotocabinet.bst: url: http://fallabs.com/kyotocabinet/pkg/kyotocabinet-1.2.76.tar.gz
elements/world/libbluray.bst: url: http://ftp.videolan.org/pub/videolan/libbluray/1.0.2/libbluray-1.0.2.tar.bz2
elements/world/libhangul.bst: url: http://kldp.net/hangul/release/3442-libhangul-0.1.0.tar.gz
elements/world/libimobiledevice.bst: url: http://www.libimobiledevice.org/downloads/libimobiledevice-1.2.0.tar.bz2
elements/world/libusbmuxd.bst: url: http://www.libimobiledevice.org/downloads/libusbmuxd-1.0.10.tar.bz2
elements/world/plist.bst: url: http://www.libimobiledevice.org/downloads/libplist-2.0.0.tar.bz2
Any of these downloads could be replaced in transit with a malicious tarball. For stable runtimes, where we have project.refs, we would at least notice and get a build failure, but for the master runtime we have no way to notice a malicious change, since we don't check source hashes there. Plain http:// would not be acceptable even if we did check hashes.
We should have a project-level solution to ensure elements are not allowed to use http://. But I don't know what this would look like.
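One possible shape for such a project-level check, written here as an added example rather than anything from the project or BuildStream itself: a small lint that walks the element files, finds every `url:` value in a source, and fails when the scheme is plain `http://`. The sample .bst contents below are constructed for the example (the URL shapes mirror the grep output above); the `elements/**/*.bst` layout and the assumption that comment lines are not sources are taken from the listing, where mm-common.bst was flagged only because of a comment.

```python
"""Lint BuildStream-style element files for plain-http source URLs.

Added example, not project code. It scans .bst files line by line for
``url:`` keys, skips YAML comment lines, and reports any URL whose scheme
is ``http://``. Run it as ``python lint_sources.py elements`` to get a
non-zero exit status when a finding exists, so it can gate CI.
"""
import re
import sys
from pathlib import Path
from typing import Dict, List, Tuple

# A YAML "url:" key and its value; the optional "- " prefix lets a url that
# is the first key of a list item ("- url: ...") match as well.
URL_LINE = re.compile(r"^\s*(?:-\s*)?url:\s*(\S+)\s*$")

Finding = Tuple[str, int, str]  # (path, line number, url)

# Constructed sample element files for the demonstration (not real files).
SAMPLE_ELEMENTS: Dict[str, str] = {
    "elements/core-deps/libndp.bst": (
        "kind: autotools\n"
        "sources:\n"
        "- kind: tar\n"
        "  url: http://libndp.org/files/libndp-1.6.tar.gz\n"
    ),
    # The URL in the comment must not be reported: it is not a source.
    "elements/core-deps/mm-common.bst": (
        "kind: autotools\n"
        "# http://gcc.gnu.org/onlinedocs/libstdc++/latest-doxygen/libstdc++.tag\n"
        "sources:\n"
        "- kind: tar\n"
        "  url: https://example.invalid/mm-common.tar.xz\n"
    ),
    "elements/world/anthy.bst": (
        "kind: autotools\n"
        "sources:\n"
        "- kind: tar\n"
        "  url: http://http.debian.net/debian/pool/main/a/anthy/anthy_0.3.orig.tar.gz\n"
    ),
}


def find_insecure_sources(path: str, text: str) -> List[Finding]:
    """Return one finding per ``url:`` value served over plain http://."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # comment, not a source definition
        match = URL_LINE.match(line)
        if not match:
            continue
        url = match.group(1).strip("'\"")
        if url.lower().startswith("http://"):
            findings.append((path, lineno, url))
    return findings


def lint_elements(elements: Dict[str, str]) -> List[Finding]:
    """Lint an in-memory {path: contents} mapping, sorted by path."""
    results: List[Finding] = []
    for path in sorted(elements):
        results.extend(find_insecure_sources(path, elements[path]))
    return results


def lint_tree(root: str) -> List[Finding]:
    """Lint every .bst file under ``root`` on disk."""
    files = {
        str(p): p.read_text(encoding="utf-8") for p in sorted(Path(root).rglob("*.bst"))
    }
    return lint_elements(files)


def main(argv: List[str]) -> int:
    root = argv[1] if len(argv) > 1 else "elements"
    findings = lint_tree(root) if Path(root).exists() else lint_elements(SAMPLE_ELEMENTS)
    for path, lineno, url in findings:
        print(f"{path}:{lineno}: plain http:// source: {url}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two things the scheme check alone does not cover: BuildStream lets a source URL be written in alias form (the alias expanded from project.conf), so the alias definitions there need the same check, and the hash problem described above is separate, because a valid https:// download still needs a pinned `ref` (or a project.refs entry) before a changed upstream tarball can be detected.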