That's true, so I guess the best thing would be an on/off enable for [Tesla] auto updates. I'll take the OTA when I am in the local area, when I am ready for it. I'm not sure if Tesla has this functionality, but if they do then OTA is certainly the way to go.
There are several independent subsystems in the Teslas. As an example, I can reboot my center 17" screen while driving down the highway on AutoPilot and the car continues on its merry way.Hopefully the software is downloaded to the vehicle, a checksum is performed on the download and, if it passes, the update is applied. Much like what is done with mobile devices.
Tesla OTA roll out in modest batches in a controlled and monitored way. Keep in mind these have to be compatible with early pre-AutoPilot 2012ish cars, AP1 cars (Mobileye front camera only), AP2 (multiple cameras, update radar, ultrsonic sensors, etc), and "AP2.5" cars with another generation of hardware (Tesla Model 3).
See this as an example of a "fleet" of like 2500 cars getting software: https://teslafi.com/firmware/ TeslaFI.COM is a 3rd party monitoring tool I use (minute by minute)
It DOES NOT automatically do the install.
It DOES download and verifies it was successful (integrity check) before it OFFERS you the option to install it.
It notifies you on your phone app and when you get in the car that it is available.
You have to select the install to happen by clicking an icon.
More technical details below from technical owner that has seen the process and logging for it.
Basically it works like this (for s/x, different for 3):
1. Download a patch file from Tesla when your car is scheduled
2. once download completes, apply the patch file to the offline partition (there are two firmware partitions: online and offline) (on both ic and cid)
3. perform integrity checking of the resultant image (obviously failure at any of the steps results in restart from 1)
4. ap2+ cars only, download the additional firmware for the ape if it's not already precached. (could be precached if you update to the same version)
5. display the install prompt
6. one install is started - check the version to ensure it's not a downgrade
7. Update ape
8. update gateway and various blocks connected to it (complicated process with many opportunities for failures)
9. tell ape and ic to switch online and offline partition markings around and reboot
10. switch online/offline on cid and reboot.
11. compare versions of ic and ape to what they should be - if different - display update failed even though cid runs new firmware.
12. display update is successful.