Gnu/Linux distributions also download updates via unencrypted HTTP mirrors around the world, but they are cryptographically verified by package manager. By default package manager won't install cryptographically unsigned packages. Adversary can sniff the traffic and see what packages somebody has updated, installed, though.