We use local Ubuntu repository mirrors, because our external traffic is not free. Whenever I `apt-get install "program"`, it gets it from that repository.
The question is... can the maintainers of the repository substitute any package on the repository with their own package?
Can I be hacked easily on any apt-get upgrade, apt-get install or apt-get dist-upgrade?
We get very basic packages from the local Ubuntu mirrors, such as "telnet" or any other.
No.
All packages and indexes (Packages.gz, Sources.gz, ...) should be signed using a GPG key. Also, apt uses md5sum to verify that it has downloaded a correct copy of the Packages index file.
If someone replaces or modifies a package, the package will no longer match the GPG signature.
While there are plenty of mechanisms to secure a repo, including package signing and so on, they're only as secure as the maintainer makes them. A poorly managed third-party repo that gets hacked or is run by a malicious individual could indeed install hostile software.
Both Debian and Ubuntu APT repositories have multiple levels of checks made before a package is available for you to download. Initial uploads of packages by developers are GPG signed and include multiple checksums on the individual files comprising the package upload; both the checksums and the GPG signature are verified before the upload is accepted. Then the repository itself has its own GPG key that is used to sign the release files listing the available packages in the repository. The release files for the repository also include checksum data that the various APT-based install utilities verify, as well as the GPG signature on the release files themselves.
So from upload by the developer maintaining the package to download and installation on your local machine there is a method to verify that nothing has been tampered with or altered.
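The chain the last two answers describe (signed Release file lists the hash of each Packages index; each Packages stanza lists the hash of its .deb) can be traced end to end in a few lines. The following is an added example written for this page, not apt's code and not from any of the answers: the Release text, the Packages index and the "package" bytes are constructed sample data, and the GPG signature check on the Release file is represented by a boolean supplied by the caller rather than performed, so the script runs offline. It shows why a mirror operator who swaps a .deb or edits a Packages index fails the check at the next link of the chain, and why the whole scheme depends on the Release signature being verified against a trusted key.

```python
"""Added example: the hash chain apt walks from Release -> Packages -> .deb.

Sample data is constructed inline; the Release GPG check is stubbed as a flag.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple

INDEX_NAME = "main/binary-amd64/Packages"
DEB_NAME = "pool/main/n/netkit-telnet/telnet_0.17-41_amd64.deb"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample() -> Tuple[str, bytes, bytes]:
    """Construct a self-consistent Release / Packages / .deb triple (sample data)."""
    deb = b"!<arch>\nconstructed sample .deb contents, not a real package\n"
    packages = (
        "Package: telnet\n"
        "Version: 0.17-41\n"
        "Architecture: amd64\n"
        f"Filename: {DEB_NAME}\n"
        f"Size: {len(deb)}\n"
        f"SHA256: {sha256_hex(deb)}\n"
        "\n"
    ).encode()
    release = (
        "Suite: focal\n"
        "Codename: focal\n"
        "SHA256:\n"
        f" {sha256_hex(packages)} {len(packages)} {INDEX_NAME}\n"
    )
    return release, packages, deb


def parse_release_hashes(release: str, algo: str = "SHA256") -> Dict[str, Tuple[str, int]]:
    """Return {index path: (digest, size)} from the Release file's hash section."""
    entries: Dict[str, Tuple[str, int]] = {}
    in_section = False
    for line in release.splitlines():
        if line.startswith(algo + ":"):
            in_section = True
            continue
        if in_section:
            if not line.startswith(" "):
                break  # hash section ended
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
    return entries


def verify_index(release: str, name: str, data: bytes) -> bool:
    """Link 2: does the downloaded Packages index match the signed Release?"""
    entry = parse_release_hashes(release).get(name)
    if entry is None:
        return False
    digest, size = entry
    return len(data) == size and hmac.compare_digest(sha256_hex(data), digest)


def parse_packages(index: bytes) -> List[Dict[str, str]]:
    """Split a Packages index into stanzas of 'Field: value' pairs."""
    stanzas = []
    for block in index.decode().split("\n\n"):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith(" "):
                key, value = line.split(":", 1)
                fields[key] = value.strip()
        if fields:
            stanzas.append(fields)
    return stanzas


def verify_deb(index: bytes, filename: str, deb: bytes) -> bool:
    """Link 3: does the downloaded .deb match its stanza in the Packages index?"""
    for stanza in parse_packages(index):
        if stanza.get("Filename") == filename:
            return (int(stanza["Size"]) == len(deb)
                    and hmac.compare_digest(sha256_hex(deb), stanza["SHA256"]))
    return False  # package not listed at all


def verify_chain(release_signature_valid: bool, release: str, index_name: str,
                 packages: bytes, filename: str, deb: bytes) -> str:
    """Walk the full chain and report the first link that breaks."""
    # Link 1 is apt's GPG check of the Release signature against trusted keys;
    # it is stubbed here as a caller-supplied flag (assumption for the example).
    if not release_signature_valid:
        return "release signature invalid"
    if not verify_index(release, index_name, packages):
        return "Packages index does not match Release"
    if not verify_deb(packages, filename, deb):
        return ".deb does not match Packages index"
    return "ok"


if __name__ == "__main__":
    rel, pkgs, deb = build_sample()
    print("untouched mirror:", verify_chain(True, rel, INDEX_NAME, pkgs, DEB_NAME, deb))
    print("swapped .deb:    ", verify_chain(True, rel, INDEX_NAME, pkgs, DEB_NAME, deb + b"x"))
    edited = pkgs.replace(b"0.17-41", b"0.17-99")  # same length, different bytes
    print("edited index:    ", verify_chain(True, rel, INDEX_NAME, edited, DEB_NAME, deb))
    print("bad signature:   ", verify_chain(False, rel, INDEX_NAME, pkgs, DEB_NAME, deb))
```

The mirror operator never holds the key that signs the Release file, so the only way to slip a modified index or .deb past a client is for the client to skip the signature step (for example by trusting an unsigned repository or adding the operator's own key); the hash links below it cannot be forged without that.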