The Linux firmware upgrade architecture is built from three components: presentation (gnome-software), mechanism (fwupd) and data provider (LVFS). Each can be disabled or replaced if required.
The LVFS is a simple Flask web service backed by a MySQL database, and the code is available for review on GitHub. This is also the place to file vendor feature requests, and where you can request that vendors already on the LVFS update specific models of hardware. You can run your own test instance by doing:
$ git clone https://github.com/hughsie/lvfs-website.git
$ ./app.wsgi
The fwupd source is also available on GitHub:
$ git clone https://github.com/hughsie/fwupd.git
Various plugins are included to update devices, which includes native support for UEFI, DFU, Unifying, ThunderBolt and ColorHug.
In both the LVFS and fwupd, GPG cryptography is performed using GnuPG and PKCS#7 cryptography using GnuTLS. The fwupd daemon has no network access and only acts as the mechanism for clients, which talk to it over D-Bus with authorization handled by PolicyKit. Some devices also have additional hardware signature verification schemes implemented by the device manufacturer.
The LVFS and fwupd codebases have had several independent security audits. The LVFS runs a large number of tests for each commit, and fwupd has a comprehensive test suite and is regularly scanned using both clang and Coverity.