[MINOR] Update Xerces source URL to use HTTPS

[pjfanning]

What does this PR do?

It is always a good idea to avoid non TLS endpoints in builds. There might be more instances like this in your repos and I would suggest that a PMC member has a look.

Type of Change

• Bug fix (non-breaking change)
• New feature (non-breaking change)
• Breaking change (fix or feature with breaking changes)
• Documentation update

Breaking Changes

Test Plan

• Unit tests added/updated
• Integration tests added/updated
• Passed make installcheck
• Passed make -C src/test installcheck-cbdb-parallel

Impact

Performance:

User-facing changes:

Dependencies:

Checklist

• Followed contribution guide
• Added/updated documentation
• Reviewed code for security implications
• Requested review from cloudberry committers

Additional Context

CI Skip Instructions

---

[github-actions]

Hi, @pjfanning welcome!🎊 Thanks for taking the effort to make our project better! 🙌 Keep making such awesome contributions!

[tuhaihe]

LGTM. Thanks!

[leborchuk]

LGTM

I also checked - there are no other files with "archive.apache.org" address without https

[avamingli]

Thanks for the security-conscious intent.

However, this file (src/backend/gporca/concourse/xerces-c/build_xerces.py) is actually dead code — it's a leftover from
the old Concourse CI pipeline that was removed in commit 4dfbcb5 (Feb 2025). The entire src/backend/gporca/concourse/
directory is no longer referenced by any Makefile, CMakeLists, CI workflow, or build script.

The xerces-c library is now built inside Docker containers (see devops/deploy/docker/build/), which already use HTTPS and
a newer version (xerces-c 3.3.0 vs the 3.1.2 referenced here).

So the right fix here would be to remove the src/backend/gporca/concourse/ directory entirely rather than patching it.
Would you like to update this PR to do that instead, or shall we close this and handle it separately?