"manual_test.py" uses HTTP instead of HTTPS to download bootstrap.py, with no verification of what is received, which creates a man-in-the-middle (MitM) attack vector. The source could be spoofed and a malicious version supplied, which is then run by Python without any checksum or hash check.
Line 40: BOOTSTRAP = 'http://downloads.buildout.org/1/bootstrap.py'
Line 83: f.write(urllib.request.urlopen(BOOTSTRAP).read())
Line 85: _system_call('bin/python', 'bootstrap.py')
The bootstrap.py file is available via HTTPS.
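A hardened replacement for the download step quoted from lines 40 to 85, added here as an example and not code from manual_test.py or the buildout project; the HTTPS URL, the pinned hash value and the injectable `reader` hook are assumptions made so the check can be exercised offline:

```python
"""Fetch bootstrap.py over HTTPS and verify a pinned SHA-256 before it is written or run."""
import hashlib
import hmac
import tempfile
import urllib.parse
import urllib.request
from pathlib import Path

# Assumed: the page states bootstrap.py is reachable over HTTPS, so the same path is used here.
BOOTSTRAP = 'https://downloads.buildout.org/1/bootstrap.py'


def _read_url(url: str) -> bytes:
    # urlopen validates the server certificate against the system trust store by default.
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read()


def fetch_bootstrap(url: str, expected_sha256: str, dest: Path, reader=_read_url) -> Path:
    """Refuse plain HTTP, download, compare the SHA-256 with the pinned value,
    and write the file only after it verifies, so the later _system_call step
    (line 85 in the report) can only ever execute a verified bootstrap.py."""
    if urllib.parse.urlsplit(url).scheme != 'https':
        raise ValueError(f'refusing non-HTTPS bootstrap URL: {url}')
    data = reader(url)
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise RuntimeError(f'bootstrap.py hash mismatch: expected {expected_sha256}, got {actual}')
    dest.write_bytes(data)
    return dest


# Constructed stand-in for the real bootstrap.py. In a real deployment the pinned hash is
# taken from a trusted source (release notes, signed manifest), never computed at install time.
SAMPLE_BOOTSTRAP = b'print("bootstrap placeholder")\n'
PINNED_SHA256 = hashlib.sha256(SAMPLE_BOOTSTRAP).hexdigest()


def demo() -> dict:
    """Exercise the three cases offline: HTTP refused, tampered file refused, good file accepted."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / 'bootstrap.py'
        try:
            fetch_bootstrap('http://downloads.buildout.org/1/bootstrap.py', PINNED_SHA256, dest,
                            reader=lambda u: SAMPLE_BOOTSTRAP)
            results['http'] = 'accepted'
        except ValueError:
            results['http'] = 'refused'
        try:  # simulate a MitM swapping in a modified script
            fetch_bootstrap(BOOTSTRAP, PINNED_SHA256, dest, reader=lambda u: SAMPLE_BOOTSTRAP + b'# x\n')
            results['tampered'] = 'accepted'
        except RuntimeError:
            results['tampered'] = 'refused'
        results['tampered_written'] = dest.exists()  # nothing is written when verification fails
        fetch_bootstrap(BOOTSTRAP, PINNED_SHA256, dest, reader=lambda u: SAMPLE_BOOTSTRAP)
        results['good'] = dest.read_bytes() == SAMPLE_BOOTSTRAP
    return results
```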