These URLs are widely and/or critically relied on for security purposes, so researchers should perhaps focus extra attention and monitoring on them.
Generally, only recent or popular versions of items such as downloads should be included, although more can be included when the download mechanism is particularly insecure. Keys and signatures are welcome, but SHASUM files should not be added (although a separate system might be useful to validate them).
HTTPS and otherwise “secure” downloads are still accepted, because servers can get hacked, etc. This monitoring just provides another layer of security.
Given the nature of a list like this, it may never be complete. Feel free to open pull requests on our GitHub page. Try to keep them somewhat organized :)
Apple Product Security PGP Key
Others:
JavaScript on CDNs