Wasn't the latest Electrum update precisely because people were getting in-wallet messages from malicious nodes telling them to upgrade to a (fake) new version?
I think it's a great idea and one that should be done, if not already, but if users can't verify the authenticity of the message (and the comments on GH show even old users fell for that afore-mentioned trick!)... then it's just one more attack vector to my mind, or should we insist users always authenticate messages and builds?.
But yeah, there have been past critical upgrades that I wouldn't have known of if I didn't either visit this forum daily (I remember the past 2 or 3 Electrum vulnerabilities mentioned in the "News" line where the Latest Bitcoin Core release usually is) or check Electrum GH regularly.
Open-source software updates usually aren't some sort of notification initiated from the source. The software itself pings the repository for any new releases. So as long as you're 100% sure it's pinging the right link, a.k.a the software installed was downloaded from the original repo with no modification, there are very few attack vectors.
The latest electrum breach was NOT through messages initiated by the software. It was a feature already existing in Electrum, electrum nodes always had the ability to send messages to clients, just recently they're trying to push a version that
slightly changes that, not disabling it, but removing rich-text features, and maybe explaining that the message doesn't come from the software but from the node.
I don't think it's a bad idea to implement automatic version updates for all wallets, but it might not be an easy task. Maybe for UNIX based systems, it's super easy to add a repo source and apt-update every time there's something new, but for windows operating systems you'd need to code the whole thing and integrate it into the software.
