Most recipe downloads use https -- but some use http! -- which should provide reasonable security for most scenarios.
But IMHO best practice would be to verify sha256 hashes "just in case". And always for for http downloads!

I'm not sure how to handle the case where the user specifies a different version yet.
Might be good to have a mapping of (historical) versions to shasums instead of only the sum for the latest version?

(This would replace the current -- seldomly used -- md5sum.)