I vehemently disagree with the big G edicts here but to put forth an argument that automatic updates to a known user software tool is THE problem in an era where automatic updates have reduced the attack footprint for a variety of applications is... confusing.
As 'anti-choice' as it may appear (AND IS) automatic updates for net connected software is how we have improved the general base level of security for the net.
Unfortunately that has been completely dependent on providers of widely used software focusing on security and brand image over self serving interests. Nothing has ever prevented these companies from doing what could be considered the "wrong thing" over the right thing to date and, in general, blocking updates would be the wrong thing.
With that said (written).... A project like this with an (mostly) open code base should have a veto mechanism to push the developers towards a different solution when something like this comes up.
