Re: Safety-critical updates?
Remember - this bill primarily deals with (a) liability of insurers, and (b) EV charging. Current draft is: https://publications.parliament.uk/pa/bills/cbill/2017-2019/0112/cbill_2017-20190112_en_2.htm#pt1-l1g4
Doesn't mean that it will be illegal not to install a CarOS patch or root/install a custom firmware, but it might mean you're not insured.
Big thing is that this is enabling legislation, and is therefore intentionally broad, so that it works now and decades into the future - fundamental principles are in there to provide stability/certainty, and then it's up to insurers and courts to deal with the real-life scenarios.
So this will all come down to the insurers, who will in turn force the hand of manufacturers as per AC's comment above. Insurers will also have to come up with some good standard T&Cs, e.g. requiring patch installation within a "reasonable period" which they define e.g. no more than 7 days of public release by the vehicle manufacturer. Manufacturers will presumably have to push delivery of OTA patching on release, and force install within a given time period, e.g. at the end of the period preventing new journeys until the patch is installed. Manufacturers might also have to e.g. provide very clear and prominent notifications about CarOS patch status before commencement of a journey.
Rooted CarOS - probably wave goodbye to being insured, at least with any conventional insurer. Rooted entertainment system - might still be insured *if* it doesn't have any impact on vehicle safety, but read the fine print on the insurance contract. Might encourage a truly hard (physical) divide between car-critical systems and entertainment, but that's going to require the manufacturers to go for safety over shiny things, convenience and cost, so odds of that happening?...