I couldn't find much info on the security of Ubuntu (and Linux in general) update verification/security.
The connection appears to be plain FTP, but the packages are signed using a private key, and the corresponding public key is stored in the system as a trusted key.
So what are the details? Is the package itself signed or just the hash? Is it an RSA 4096-bit key? What are the chances of a malicious entity being able to mess with the updates, and who owns the private key?