Bug
Resolution: Unresolved
Minor
Not relevant
The list of references to external tools on the update site is neither signed nor hashed. This makes the tools installer vulnerable to tampering. First, the content should be signed to prevent malicious third parties from modifying it and redirecting Jenkins to download from unknown sources. The contents of the URLs should also be hashed to prevent malicious modifications at the download source.
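
The two checks requested above, sketched as an added example that is not Jenkins code and not part of the original report: the tool list is accepted only if a pinned key signed it, and a download is accepted only if it matches the digest carried in that signed list. The class name, the list entry format, the `example.invalid` URLs and the throwaway RSA key are assumptions made for illustration; `HexFormat` requires Java 17 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.HexFormat;

public class ToolListCheck {
    // Step 1: accept the tool list only if the pinned update-site key signed these exact bytes.
    // A malformed signature raises SignatureException, so the check still fails closed.
    static boolean listIsAuthentic(byte[] list, byte[] sig, PublicKey pinned) throws GeneralSecurityException {
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(pinned);
        v.update(list);
        return v.verify(sig);
    }

    // Step 2: accept a download only if its SHA-256 equals the digest carried in the signed list.
    static boolean downloadMatches(byte[] body, String expectedHex) throws GeneralSecurityException {
        byte[] actual = MessageDigest.getInstance("SHA-256").digest(body);
        return MessageDigest.isEqual(actual, HexFormat.of().parseHex(expectedHex));
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in: a throwaway key pair plays the update-site signing key.
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair site = g.generateKeyPair();

        byte[] archive = "constructed tool archive bytes".getBytes(StandardCharsets.UTF_8);
        String digest = HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(archive));
        // Hypothetical list entry format: a URL plus the digest of what that URL must serve.
        byte[] list = ("{\"url\":\"https://downloads.example.invalid/tool-1.0.zip\",\"sha256\":\"" + digest + "\"}")
                .getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(site.getPrivate());
        s.update(list);
        byte[] sig = s.sign();

        // A list whose URL was rewritten after signing no longer verifies.
        byte[] redirected = new String(list, StandardCharsets.UTF_8)
                .replace("downloads.example.invalid", "mirror.example.invalid").getBytes(StandardCharsets.UTF_8);
        // An archive modified at the download source no longer matches the signed digest.
        byte[] modified = "constructed tool archive bytes (modified)".getBytes(StandardCharsets.UTF_8);

        System.out.println("signed list accepted:      " + listIsAuthentic(list, sig, site.getPublic()));
        System.out.println("rewritten list accepted:   " + listIsAuthentic(redirected, sig, site.getPublic()));
        System.out.println("original archive accepted: " + downloadMatches(archive, digest));
        System.out.println("modified archive accepted: " + downloadMatches(modified, digest));
    }
}
```

Because the digest travels inside the signed list, the hash check only carries weight when the signature check runs first and passes.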