You know, in this case, there'd be nothing wrong with making checksums available via https (to verify integrity) and leaving the bulk data available over http. Mind you, 95% of people would never verify the checksums, but at least in theory it keeps their bulk data distribution easy.
In theory if you got a good original OS download the package managers would be doing all this verification automatically.
Maybe that's acctually a good idea to consider as some sort of specification. Large file download via HTTP with some HTTPS checksum available via a single click.
