Nobody sane wants software to auto-update, especially not security-relevant software. This is in particular true if you reviewed the source code of the software at one point in time.
Furthermore, for the software to be able to even auto-update, it would have to be able to change its own binary. I don’t know how this particular piece of software works, but it is possible to run FUSE ‘drivers’ as a user on Linux, with the binary safely sitting in /usr/bin, hence removing any possibility to auto-update (if you don’t do shady tricks like placing an ‘updated’ binary somewhere and changing the user’s PATH – and even that could – in theory – be avoided by mounting all user-writeable things noexec).
> The package installs Wuala and registers our repository for further updates.
This is even more harmful than it sounds, as someone who has repo access (be it some evil staff member or, more likely, an intruder) may push not only a malicious Wuala build, but any package with a higher version number than in other repos (say, a linux-image-999.999 with a bundled rootkit), and if the user was incautious it will be installed on system update.
That is not really auto-update (only if you enabled it system-wide) – and after reviewing the source code, which is necessary anyhow to make sure it is actually ‘secure’, you would then remove the file in /etc/apt/sources.list.d and be happy :-)
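One way to blunt the risk the two comments above discuss (a third-party repository that can serve any package at any version) without deleting the repository outright is an APT pin that blocks everything from that origin and re-allows only the one package it is meant to provide. This is an added example, not code from the thread or from Wuala; the origin label `Wuala`, the package name `wuala` and the file name are assumptions, since the label must match the Origin field of the repository's Release file as shown by `apt-cache policy`.

```shell
#!/bin/sh
# Added example (not from the thread). Confine a third-party APT repository so
# that only the package it exists to provide can ever be installed from it.
# Origin label "Wuala" and package name "wuala" are assumptions; verify the
# real label with `apt-cache policy` before relying on this.
set -eu

# Emit an apt_preferences(5) stanza pair for one origin label and one package:
# every package from that origin gets priority -1 (APT never installs it),
# then the single expected package is re-allowed at 500, the normal priority.
apt_pin_stanza() {
    origin="$1"; pkg="$2"
    printf 'Package: *\nPin: release o=%s\nPin-Priority: -1\n\n' "$origin"
    printf 'Package: %s\nPin: release o=%s\nPin-Priority: 500\n' "$pkg" "$origin"
}

# Write the stanza into a preferences directory (default /etc/apt/preferences.d)
# and print the path so a caller or review script can inspect the file.
install_apt_pin() {
    origin="$1"; pkg="$2"; dir="${3:-/etc/apt/preferences.d}"
    mkdir -p "$dir"
    out="$dir/99-$pkg-only"
    apt_pin_stanza "$origin" "$pkg" > "$out"
    printf '%s\n' "$out"
}

# Count the packages a pin file allows at a positive priority (ignoring the
# catch-all "*" stanza), so a review can confirm exactly one is whitelisted.
count_allowed_pkgs() {
    awk '/^Package:/ {p=$2}
         /^Pin-Priority:/ && $2+0 > 0 && p != "*" {n++}
         END {print n+0}' "$1"
}
```

After installing the pin, `apt-cache policy` should show the repository's candidates at priority -1 for everything except the whitelisted package, so a higher-versioned `linux-image` from that origin is never selected.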