Large organisations, and small, mine included, will generally host an internal mirror of packages. Download the entire archive once a day, serve it out to all computers as necessary, making use of the higher bandwidth on the LAN.

As you mention, package checksums are signed using GPG to detect tampering. HTTPS adds very little benefit for such a scenario, and by sticking to plaintext, you can slightly increase the throughput since the server does not need to encrypt all the data it sends out. You also then need to coordinate SSL updates and manage server key security on machines that handle extremely high amounts of traffic continuously. Owing to the above, since many companies and volunteers around the world run mirrors and the Linux community is very open to running such mirrors, it's impossible to enforce SSL across the board.

Even if an attacker were to monitor the download and take note of the package installation, it would tell them very little. Provided the download is not tampered with, the chances are that it is a security update that will improve the system's security.

Many third-party APT sources do indeed use HTTPS (Microsoft, Docker and Yarn come to mind). Due to GPG package verification, this adds very little additional benefit, especially since the data being transferred is public anyway.

Edit: I would also add, some places do not run full mirrors but instead run caching proxy servers, which would not work with HTTPS (without doing some very messy and controversial interception). While this isn't totally what APT was designed for, it's generally the Linux philosophy to make updates and new software widely available as easily as possible.
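To make the "signed checksums" point concrete, here is an added example (not code from the answer above or from APT itself) of the two checksum hops that sit underneath the GPG signature: the signed Release file lists the SHA256 of each Packages index, and each Packages stanza lists the SHA256 of a .deb. It assumes the Release signature has already been verified (for instance with `gpgv`), and the Release/Packages/.deb inputs it builds are constructed sample data for a hypothetical archive, not real files.

```python
import hashlib

def parse_release_sha256(release_text):
    """Return {path: (sha256, size)} from the SHA256: section of a Release file."""
    sums, in_section = {}, False
    for line in release_text.splitlines():
        if line and not line.startswith(" "):     # a new field ends the section
            in_section = line.startswith("SHA256:")
            continue
        if in_section and line.startswith(" "):
            digest, size, path = line.split()     # size may be space-padded
            sums[path] = (digest, int(size))
    return sums

def parse_packages(packages_text):
    """Return {Filename: (SHA256, Size)} for every stanza of a Packages file."""
    result = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        result[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return result

def matches(expected, data):
    """Check both the recorded size and the SHA256 digest of a downloaded blob."""
    digest, size = expected
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest

def check_chain(release_text, packages_path, packages_bytes, deb_path, deb_bytes):
    """True only if Packages matches Release and the .deb matches Packages."""
    if not matches(parse_release_sha256(release_text)[packages_path], packages_bytes):
        return False                 # index altered on the mirror or in transit
    return matches(parse_packages(packages_bytes.decode())[deb_path], deb_bytes)

def build_sample(deb_bytes):
    """Constructed Release/Packages pair (hypothetical archive) describing deb_bytes."""
    deb_path = "pool/main/f/foo/foo_1.0_amd64.deb"
    packages = ("Package: foo\nVersion: 1.0\nFilename: %s\nSize: %d\nSHA256: %s\n"
                % (deb_path, len(deb_bytes), hashlib.sha256(deb_bytes).hexdigest())).encode()
    pkg_path = "main/binary-amd64/Packages"
    release = ("Origin: Example\nSHA256:\n %s %8d %s\nMD5Sum:\n d41d8cd9 0 other\n"
               % (hashlib.sha256(packages).hexdigest(), len(packages), pkg_path))
    return release, pkg_path, packages, deb_path

if __name__ == "__main__":
    good = b"!<arch>\nconstructed sample .deb bytes\n"
    release, pkg_path, packages, deb_path = build_sample(good)
    print(check_chain(release, pkg_path, packages, deb_path, good))         # True
    print(check_chain(release, pkg_path, packages, deb_path, good + b"x"))  # False
```

Because the hash of the Packages index is fixed by the signed Release file, an altered index or an altered .deb served by a plaintext mirror or caching proxy is rejected at the client regardless of transport security.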