Some source packages have Vcs-Git URLs using the git: scheme, which is plain-text and unauthenticated. It's probably harder to MITM than HTTP, but still we can do better than this even for anonymous checkouts. git is now nearly as efficient at cloning/pulling over HTTP-S, so why not make that the default?

Adding the following lines to ~/.gitconfig will make git consistently use HTTP-S to access Alioth. It's not quite HTTPS-Everywhere, but it's a step in that direction: 

[url "https://anonscm.debian.org/git/"]
	insteadOf = git://anonscm.debian.org/
	insteadOf = git://git.debian.org/

Additionally you can automatically fix up the push URL in case you have or are later given commit access to the repository on Alioth: 

[url "git+ssh://git.debian.org/git/"]
	pushInsteadOf = git://anonscm.debian.org/
	pushInsteadOf = git://git.debian.org/

Similar for git.kernel.org: 

[url "https://git.kernel.org/pub/scm/"]
	insteadOf = git://git.kernel.org/pub/scm/
[url "git+ssh://ra.kernel.org/pub/scm/"]
	pushInsteadOf = git://git.kernel.org/pub/scm/

RTFM for more information on these configuration variables.