You're accessing both of those links over unsecured HTTP, which means that those could easily be MITMed as well.
If you were distributing packages over HTTP and distributing the verification signatures over a secure channel, I'd agree (this is similar to what Debian does[0]). But using one insecure channel to verify another doesn't provide you with any more security.
Furthermore, using SSL provides an additional layer of privacy - the path of the URL (everything after the domain) is hidden to eavesdroppers. They can tell which server you're accessing, but they can't tell which resources you're trying to access[1].
[0] Debian signs the packages (GPG, I believe), and the public keys for these signatures are distributed in the ISO that is used to install the base system. So the validity of the signatures is as trustworthy as the ISO used to install the entire OS (which is hopefully very trustworthy, or else there's a much bigger problem!).
[1] It's for this reason alone that I still wish Debian would distribute packages over SSL even though the GPG signatures provide more security in the authenticity of the packages than SSL would provide.
Just remember that the CA certs (that anchor ssl trust) is usually also distributed in a similar way (on the install media). The difference is that you can more easily independently review the trust of any given pgp key (you've personally verified the key, or have personally verified the key(s) of someone that have personally verified the key).
I suppose in theory one could take a snapshot of CA keys, sign them with pgp and use that a s "know set" (note: not known good, as there is no way to be able to fully trust all the certs typically supplied as CA roots -- a subset could probably be verified). But that's not how the CA system is designed.
If you were distributing packages over HTTP and distributing the verification signatures over a secure channel, I'd agree (this is similar to what Debian does[0]). But using one insecure channel to verify another doesn't provide you with any more security.
Furthermore, using SSL provides an additional layer of privacy - the path of the URL (everything after the domain) is hidden to eavesdroppers. They can tell which server you're accessing, but they can't tell which resources you're trying to access[1].
[0] Debian signs the packages (GPG, I believe), and the public keys for these signatures are distributed in the ISO that is used to install the base system. So the validity of the signatures is as trustworthy as the ISO used to install the entire OS (which is hopefully very trustworthy, or else there's a much bigger problem!).
[1] It's for this reason alone that I still wish Debian would distribute packages over SSL even though the GPG signatures provide more security in the authenticity of the packages than SSL would provide.