Are source updating mechanisms vulnerable to MITM attacks?

QIU Quan jackqq at gmail.com
Thu Dec 24 08:47:44 UTC 2009


It seems CVSup uses clear text, with neither server authentication as in
SSH nor message authentication as in PGP.

Is it possible to poison the DNS records and fire a man-in-the-middle
attack against the source updating procedure?

It seems portsnap uses a public key to verify downloads.

Are there any source updating mechanisms with authentication or verification?

Thanks.

-- 
裘佺 (QIU Quan) <jackqq at gmail.com>


More information about the freebsd-questions mailing list