Sorry about that :/ It adds /etc/apt/sources.list.d/fman.list so you can update fman with apt. Isn't non-https unsafe?

No, because the packages are already signed with gpg. That way you can verify the checksum already.

Interesting (sorry, I'm new to Linux packaging). So would it be safe then to replace by http? (Not that I'd take this at face value, but I am interested in your opinion)

Here's some more information that sums that up quite nicely, most default mirrors are http so I'd say it's safe enough.

http://unix.stackexchange.com/questions/90227/why-there-is-n...

Thanks!

While we're at it, you absolutely need to remove that cronjob. No package should run their own update. That's the domain of the systems package manager.

I've removed it: https://fman.io/blog/an-apology-to-linux-users/