Hello, it looks like building LibreOffice without Git might download submodules over unencrypted HTTP without checking authenticity or integrity. The relevant code is here: https://github.com/LibreOffice/core/blob/648c70ac2caf2646ee8ff49bd8d846016d289b38/Makefile.in#L263
It would probably be good to at least replace the `http://` of the URL with `https://`, but if possible it might also be good to introduce authenticity / integrity validation since the files are downloaded from mirrors (if I see that correctly). Even though I assume you only chose trustworthy mirror sites, each mirror site increases the attack surface nonetheless so an authenticity check would be useful. I am not planning to submit a pull request since I am not familiar with the build setup of LibreOffice. Hopefully that is fine for you. Kind regards
