This repository was archived by the owner on Aug 12, 2022. It is now read-only.

Security of unencrypted git:// protocol #7495

@nullchinchilla

It appears that most of the packages are registered with the unencrypted, unauthenticated git:// protocol rather than the HTTPS protocol that GitHub etc. also support.

This doesn't seem to be a very good idea. Plaintext Git can easily be tampered with, and essentially installing packages right now involves downloading arbitrary code from an untrustworthy network. There is no way to ensure that the code you download is actually the real code from the repo, and not malware from somebody who controls your WiFi etc.

A system like The Update Framework would be ideal, but the lowest-hanging fruit is probably to simply serve everything over Git over HTTPS, rather than plain Git.
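
An audit along the lines this issue proposes, as an added example that is not part of the original issue or the project's code: it flags registry entries that use git:// (and, going slightly beyond the issue, plain http://) and proposes the HTTPS form. The registry contents, hosts and function names are constructed for illustration, and it assumes each host serves the same repository over HTTPS.

```python
from urllib.parse import urlsplit

# Transports with no server authentication or integrity protection.
INSECURE_SCHEMES = {"git", "http"}
SECURE_SCHEMES = {"https", "ssh"}

# Constructed sample registry (package name -> remote URL); not real packages.
SAMPLE_REGISTRY = {
    "Alpha": "git://git.example.com/alice/Alpha.git",
    "Beta": "https://git.example.com/bob/Beta.git",
    "Gamma": "git@git.example.com:carol/Gamma.git",
    "Delta": "git://git.example.com:9418/dave/Delta.git",
}


def classify(url):
    """Return 'insecure', 'secure' or 'unknown' for a Git remote URL."""
    url = url.strip()
    if "://" not in url:
        # scp-like syntax (user@host:path) is carried over SSH.
        return "secure" if "@" in url and ":" in url else "unknown"
    scheme = urlsplit(url).scheme.lower()
    if scheme in INSECURE_SCHEMES:
        return "insecure"
    return "secure" if scheme in SECURE_SCHEMES else "unknown"


def to_https(url):
    """Propose an https:// URL with the same host and path.

    The port is dropped: 9418 (git://) and 80 (http://) do not apply to HTTPS.
    Assumes the host serves the same repository over HTTPS.
    """
    parts = urlsplit(url.strip())
    if not parts.hostname:
        raise ValueError(f"no host in {url!r}")
    return f"https://{parts.hostname}{parts.path}"


def audit(registry):
    """Map package name -> proposed HTTPS URL for each insecure entry."""
    return {name: to_https(url)
            for name, url in sorted(registry.items())
            if classify(url) == "insecure"}


if __name__ == "__main__":
    for name, fixed in audit(SAMPLE_REGISTRY).items():
        print(f"{name}: {SAMPLE_REGISTRY[name]} -> {fixed}")
```

On the client side, Git's `url.<base>.insteadOf` configuration setting can apply the same git:// to https:// rewrite at fetch time without changing the registry.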
