At least for Lucene this is not a security issue, because we have checksums for all downloaded JAR dependencies:
[...] Projects like Lucene do checksum whitelists of
all their build dependencies, and you may wish to consider that as a
protection against threats beyond just MITM [...]
This patch fixes the URLs for most files referenced in *build.xml and *ivy*.xml to HTTPS. There are a few data files in benchmark which use HTTP only, but that's uncritical and I added a TODO. Some were broken already.
I removed the "uk.maven.org" workarounds for Maven, as this does not work with HTTPS. By keeping those inside, we break the whole chain of trust, as any non-working HTTPS would fallback to the insecure uk.maven.org Maven mirror.
As the great chinese firewall is changing all the time, we should just wait for somebody complaining.