Fetch software during TBB build process only over trusted HTTPS
Currently, we fetch software using wget and we do so with all certificate checking disabled. I believe we should have a mirror of all the source code that we expect people to download and we should offer it over HTTPS.
I've put up such a mirror here as a proof of concept: https://people.torproject.org/~ioerror/src/mirrors/
I'll attach some patches to help ensure that we allow wget to verify the HTTPS cert and to ensure that we use the secure mirror.
Later, we can find a location for a mirror that is more permanent, as this improves the security of the build process tremendously. It also improves the reliability, as some of the download sites are extremely slow or use protocols that are prone to censorship. :(
Thoughts?
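
A sketch of the fetch step proposed above, added here as an example; it is not part of the ticket or its attached patches. The function names are hypothetical, and it assumes the mirror stores each file under its upstream file name.

```shell
#!/bin/sh
# Added example, not from the TBB build scripts. Function names are hypothetical.
# Proof-of-concept mirror named in the ticket; a flat layout is an assumption.
MIRROR_BASE="https://people.torproject.org/~ioerror/src/mirrors"

# Map an upstream download URL to the same file name on the HTTPS mirror.
# Rejects empty names and names with characters outside a conservative set.
mirror_url() {
    u=${1%%\?*}                 # drop any query string
    file=${u##*/}               # keep only the file name
    case "$file" in
        ""|.|..|*[!A-Za-z0-9._+-]*) return 1 ;;
    esac
    printf '%s/%s\n' "$MIRROR_BASE" "$file"
}

# Succeed only for URLs that use the https scheme.
is_https() {
    case "$1" in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# fetch UPSTREAM_URL OUTPUT_FILE
# Before (certificate checking disabled, any scheme accepted):
#   wget --no-check-certificate "$1"
# After: mirror only, HTTPS only, wget's default certificate verification
# left on, and no redirects, so the server cannot bounce us to plain HTTP.
fetch() {
    url=$(mirror_url "$1") || { echo "refusing file name in: $1" >&2; return 1; }
    is_https "$url" || { echo "refusing non-HTTPS URL: $url" >&2; return 1; }
    wget --max-redirect=0 --tries=3 -O "$2" "$url" || {
        rm -f -- "$2"           # do not leave a partial download behind
        return 1
    }
}

# Usage (constructed upstream URL):
#   fetch "http://example.org/pub/zlib-1.2.5.tar.gz" zlib-1.2.5.tar.gz
```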