Still, if private key is compromised you can inject evil updates. And it might be the case for teams that lacks necessary security policies, e.g. private key is on same server as download server or is accessible from one.
Maybe requiring signing by several developers (so that if one key is compromised it's still not a threat)? But that might be a little paranoid.
Signing by several developers is a good idea. Also, the scheme might still fall to man-in-the-middle attack. One possible solution could be to have multiple update servers with the policy that, download update from one and signatures from the other, subsequently verifying the integrity.
The man-in-the-middle attack is not such a big problem in defending against a short-lived attack. Ubuntu establishes the identity with the keys that you get at installation.
Maybe requiring signing by several developers (so that if one key is compromised it's still not a threat)? But that might be a little paranoid.