Several places on the gnupg web page recommend git clone commands using the git:// protocol to checkout source code:
(also the libgcrypt page has the title tag "index", which is probably not ideal)
The git:// protocol is insecure by design and contains no cryptographic integrity. It can trivially be intercepted by a man in the middle attack. This should be switched to https:// checkouts. It would probably wise to just disable the legacy git protocol on the git servers altogether.