It's much more likely artifacts are tampered with at the remote repository rather than during the transport phase.
MITMing the public wifi at some coffee store is much easier than breaking into the official Maven repositories. At least I hope so. That's why RPM and DPKG packages are signed.
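The difference the comment draws between transport security and artifact signing comes down to where the trust anchor lives. A signature on an RPM or DPKG package is checked against a key the consumer already holds, so it catches a swapped artifact whether the swap happened on the repository or on the wire; a checksum file served next to the artifact by the same repository only catches the wire case. The script below is an added illustration, not code from any commenter or from Maven, and it uses a pinned SHA-256 digest as a stand-in for signature verification (the trust anchor is still held by the consumer, without needing a key pair). All artifact bytes, the `Repository` and `TamperingTransport` classes and the scenario names are constructed for the demo.

```python
"""Constructed demo: a digest pinned by the consumer detects tampering at the
repository as well as in transit; a checksum served next to the artifact by
the same repository only detects the latter. Every byte string below is a
constructed sample, not a real artifact."""
import hashlib
import hmac

GENUINE = b"PK\x03\x04 genuine-lib-1.0.jar (constructed sample bytes)"
TROJANED = b"PK\x03\x04 genuine-lib-1.0.jar (constructed sample bytes) + injected class"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Digest the consumer recorded in its own lockfile when it first vetted the library.
PINNED_DIGEST = sha256_hex(GENUINE)


class Repository:
    """Simulated remote repo: serves an artifact plus a sidecar .sha256 it computed itself."""

    def __init__(self, artifact: bytes):
        self.artifact = artifact
        self.sidecar = sha256_hex(artifact)

    def fetch(self):
        return self.artifact, self.sidecar


class TamperingTransport:
    """Simulated on-path modification: the artifact bytes change in flight,
    but the sidecar checksum from the honest repo arrives untouched."""

    def __init__(self, repo: Repository, replacement: bytes):
        self.repo = repo
        self.replacement = replacement

    def fetch(self):
        _, sidecar = self.repo.fetch()
        return self.replacement, sidecar


def verify_against_sidecar(source) -> bool:
    """Weak check: trusts the checksum published alongside the artifact."""
    artifact, sidecar = source.fetch()
    return hmac.compare_digest(sha256_hex(artifact), sidecar)


def verify_against_pinned(source, pinned: str = PINNED_DIGEST) -> bool:
    """Strong check: compares against a digest the consumer pinned out of band."""
    artifact, _ = source.fetch()
    return hmac.compare_digest(sha256_hex(artifact), pinned)


def run_scenarios() -> dict:
    """Returns {scenario: (sidecar_check_passed, pinned_check_passed)}."""
    honest = Repository(GENUINE)
    in_transit = TamperingTransport(honest, TROJANED)
    # Repository compromise: the attacker republishes both the artifact and its sidecar.
    compromised_repo = Repository(TROJANED)

    return {
        "honest": (verify_against_sidecar(honest), verify_against_pinned(honest)),
        "transport_tamper": (verify_against_sidecar(in_transit), verify_against_pinned(in_transit)),
        "repo_compromise": (verify_against_sidecar(compromised_repo), verify_against_pinned(compromised_repo)),
    }


if __name__ == "__main__":
    for name, (sidecar_ok, pinned_ok) in run_scenarios().items():
        print(f"{name:18s} sidecar-check={sidecar_ok!s:5s} pinned-check={pinned_ok}")
```

Running it shows the honest repository passing both checks, the in-flight modification failing both, and the compromised repository passing the sidecar check while failing the pinned one: that last row is the case TLS alone does nothing about, and it is why the trust anchor (a pinned digest here, a signing key for RPM and DPKG) has to sit on the consumer's side rather than on the server being fetched from.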
OK, but the impact of hacking the official repo, vs sitting at some coffee store hoping someone in the same coffee store builds a project using a particular lib you have code to modify on the fly while you MITM that exact repo pull?
He said much more likely the repo is tampered with. Easy to see why. This coffee shop scenario, they'd have to be targeting you personally and know your habits and your build and code they need to target you. In which case, https is far from your biggest concern.
Replace "coffee shop" by "software conference hall" and "specific lib" by "current log4j/junit/whatever very common library you want".
Suddenly it's a much less targeted attack. Moreover, the "victims" should be of much higher profile than your regular student downloading an obscure library whose repo you managed to hack.
Not that I think it's a particularly important security concern. However, when you are dealing with security concerns, the fact that you can't make up a situation that sounds bad enough doesn't mean that nobody else can't.
Update: sorry for the wording of the last sentence (non-native speaker here). I'll be glad if someone can correct it, because I can't figure out how to construct it to sound well.