This is a fantastic step forward for Binary Transparency, which I hope is followed by Linux distros and package managers, so all Free Software gets the benefit.
The one worry that comes to mind, though, is that once a binary transparency log check is made mandatory for any update to a piece of software, there is a risk that a bug in the log checking code makes it impossible to ever upgrade the software again. (This reminds me of the HPKP Suicide attack, but is not quite the same).
Obviously it should be possible, with Firefox at least, to manually download a new copy of the installer and install it from scratch, but I feel there should be a fall-back mechanism where, say, a release signed with a special offline key should be allowed to skip the transparency check (perhaps only if the transparency check has been failing on an offered upgrade for more than a month).
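To make the fallback proposal above concrete, here is an added example (not code from the thread, from Firefox, or from any real transparency log) that models a mandatory inclusion-proof check with a time-gated offline-key escape hatch. The Merkle tree uses RFC 6962-style leaf/node domain separation; the "offline key" is a stand-in HMAC secret rather than a real asymmetric key, and the 30-day grace period, the release names and the log contents are all constructed for the example:

```python
"""Toy binary-transparency update policy with a time-gated offline-key fallback.
Added example only; not Firefox's updater and not a real transparency log."""
import hashlib
import hmac
from datetime import datetime, timedelta

# RFC 6962-style domain separation so a leaf can never be confused with a node.
def leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _pad(level):
    # Duplicate the last node on odd levels so every node has a sibling.
    return level + [level[-1]] if len(level) % 2 else level

def build_levels(leaf_hashes):
    """All levels of the tree, leaves first; the root is levels[-1][0]."""
    level, levels = list(leaf_hashes), [list(leaf_hashes)]
    while len(level) > 1:
        level = _pad(level)
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def inclusion_proof(leaf_hashes, index):
    """Sibling hashes from leaf to root as (hash, sibling_is_left) pairs."""
    proof = []
    for level in build_levels(leaf_hashes)[:-1]:
        level = _pad(level)
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))
        index //= 2
    return proof

def verify_inclusion(root: bytes, lh: bytes, proof) -> bool:
    h = lh
    for sib, sib_is_left in proof:
        h = node_hash(sib, h) if sib_is_left else node_hash(h, sib)
    return hmac.compare_digest(h, root)

# Stand-in for the special offline release key (assumption: a real deployment
# would use an asymmetric key held offline, not a shared HMAC secret).
OFFLINE_KEY = b"offline-release-key-stand-in"
GRACE = timedelta(days=30)  # assumed length of the "failing for a month" window

def offline_sign(release: bytes) -> bytes:
    return hmac.new(OFFLINE_KEY, release, "sha256").digest()

def offline_verify(release: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(offline_sign(release), sig)

def decide_update(root, release, proof, offline_sig, first_failure, now):
    """Return (install, reason). The log check is mandatory; the offline key is
    only honoured once the check has been failing for longer than GRACE."""
    if verify_inclusion(root, leaf_hash(release), proof):
        return True, "transparency check passed"
    if first_failure is None:
        return False, "transparency check failed; grace timer starts now"
    if offline_verify(release, offline_sig) and now - first_failure > GRACE:
        return True, "fallback: offline key accepted after prolonged log failure"
    return False, "transparency check failed; fallback not yet allowed"

def scenarios():
    """Constructed log of three releases; exercises the odd-leaf padding path."""
    releases = [b"browser-100.0", b"browser-100.1", b"browser-101.0"]
    hashes = [leaf_hash(r) for r in releases]
    root = build_levels(hashes)[-1][0]
    good = inclusion_proof(hashes, 2)
    bad = inclusion_proof(hashes, 1)          # wrong proof for release 2
    target, sig = releases[2], offline_sign(releases[2])
    now = datetime(2024, 6, 1)
    return {
        "proof_ok": verify_inclusion(root, hashes[2], good),
        "tampered": verify_inclusion(root, leaf_hash(b"browser-101.0-evil"), good),
        "normal": decide_update(root, target, good, sig, None, now)[0],
        "first_fail": decide_update(root, target, bad, sig, None, now)[0],
        "early": decide_update(root, target, bad, sig, now - timedelta(days=10), now)[0],
        "late": decide_update(root, target, bad, sig, now - timedelta(days=40), now)[0],
        "late_badsig": decide_update(root, target, bad, b"\x00" * 32, now - timedelta(days=40), now)[0],
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

Note what the gate does and does not buy: the offline key alone never suffices, and a broken verifier still blocks updates for the grace period, so the fallback reduces the "can never upgrade again" risk at the cost of a month-long window in which an attacker who holds the offline key and can keep the log check failing gets an unlogged update.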
A bug in the log checking code is no worse than a bug in your signature verification code. But obviously, denial-of-update attacks on the log infrastructure should be mitigated in some way before this is mandatory.
An up-side to not having a fall-back mechanism is that you can't produce a secret update. No matter how many $5 wrenches the NSA can afford (https://xkcd.com/538/).