Use https for source URLs
When updating/rebuilding from the spec file, we can be a little more
secure in downloading the sources via https.
It would be nice to check GPG signatures for the tarballs, but upstream
cgit does not provide such signatures (they sign the git tag, but that
doesn't help us here). We _could_ check the git tarball signature,
borrowing the code from the %prep section of the git spec file.