Hacker News

But then how will he really know it's you, Geoff? ;)

In all seriousness, you should consider posting a response like this in your FAQ/Help and linking at the install tutorial. I'm really sick of this knee-jerk security reaction happening every time someone builds an installer like this.




While it's ok for Meteor to keep doing what they're doing, it's hardly a "knee jerk security reaction" to criticize their installation instructions.

Story time. I'm at a hotel, connecting to the Web over Tor and using my distro's package manager (Pacman) to install software. I'm also routing Pacman over Tor because I trusted the hotel wifi even less than I trusted Tor. Anyway, Pacman has this wonderful feature of verifying md5sums - fingerprints of the original source code, as posted by the source code author - from source packages before installing any of the code onto your system. If the md5sums on the software you download don't match the author's posted true md5sums, something is probably wrong. You can tell where this story is going. As I'm installing a few packages, which I've done numerous times in the past, Pacman throws a warning: the md5sums don't match. Slightly annoyed, I then download the software directly from PyPI over the hotel's wifi connection, md5sum it and, lo and behold, it's the correct md5. It's the exact same software version and everything.

Importantly, the source code must've somehow been modified between the time it was sent from the AUR/PyPI and when it ended up on my machine. Luckily, the md5sum check failed and the software didn't install, but it did scare me quite a bit.

If I had instead been installing Meteor, as per Meteor's current insecure directions, without checking md5sums or signatures, who knows what could've happened. The Meteor team should really consider releasing an md5sum, sha256sum, or better yet sign their packages, because otherwise there's no way to verify the contents of a download.

The Meteor team clearly has the resources to provide this to the inquisitive. It is SOP for all major FOSS. I get that there's something to be said about the ease of releasing packages from GitHub, but imagine if the Linux kernel did this? What Meteor has right now is ok for alpha software. They certainly have room to grow.
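The check the comment above describes, as an added example that is not part of the thread and not Meteor's or pacman's own code: a downloaded installer is executed only after its SHA-256 digest matches a value obtained out of band (from the project's release page, a signed checksum file, or a distro package), and on mismatch nothing runs. SHA-256 is used instead of MD5 because the commenter suggests it and MD5 is no longer collision-resistant. The file names, the installer contents and the digests below are constructed for the demo; the "download a script and run it" flow being replaced is assumed, not quoted from Meteor's instructions.

```shell
#!/usr/bin/env bash
# Added example, not Meteor's or pacman's code: fail-closed verification of a
# downloaded installer against a published SHA-256 digest. All file names,
# digests and installer contents here are constructed for the demo.
set -eu

# Print the lowercase hex SHA-256 of FILE, using whichever tool is installed.
sha256_of() {
  local file="$1"
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$file" | awk '{print tolower($1)}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$file" | awk '{print tolower($1)}'
  else
    echo "no SHA-256 tool available" >&2
    return 2
  fi
}

# verify_sha256 FILE EXPECTED_HEX -> 0 if the digest matches, 1 otherwise.
# EXPECTED_HEX must come from somewhere other than the download itself
# (release notes on the project's HTTPS site, a signed SHA256SUMS file, the
# distro package database); a digest fetched over the same path as the file
# proves nothing against an on-path attacker.
verify_sha256() {
  local file="$1" expected actual
  expected=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  actual=$(sha256_of "$file") || return 1
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  printf 'DIGEST MISMATCH for %s\n  expected %s\n  got      %s\n' \
    "$file" "$expected" "$actual" >&2
  return 1
}

# install_if_verified FILE EXPECTED_HEX [ARGS...]: the fail-closed replacement
# for piping a downloaded script straight into a shell (assumed flow). The
# installer is executed only after the digest check passes; on mismatch it is
# never run and the function returns 1.
install_if_verified() {
  local file="$1" expected="$2"
  shift 2
  verify_sha256 "$file" "$expected" || return 1
  sh "$file" "$@"
}

# Demo on a constructed installer: the pristine copy runs, a tampered copy
# (one byte appended in transit) is refused.
demo() {
  local dir installer good
  dir=$(mktemp -d)
  installer="$dir/install.sh"
  printf '#!/bin/sh\necho "installer ran with $1"\n' > "$installer"
  good=$(sha256_of "$installer")   # stands in for the published digest
  install_if_verified "$installer" "$good" demo-arg
  printf '\n' >> "$installer"       # simulate modification in transit
  if install_if_verified "$installer" "$good" demo-arg; then
    echo "BUG: tampered installer ran" >&2
    rm -rf "$dir"
    return 1
  fi
  echo "tampered installer refused"
  rm -rf "$dir"
}

demo
```

A digest only moves the trust problem to wherever the expected value came from; it catches in-transit tampering like the hotel-wifi case above, but not a compromised release server, which is why the comment's "better yet, sign" is the stronger option: a detached signature (for example `gpg --verify installer.sh.asc installer.sh` against a key obtained beforehand) binds the file to the publisher rather than to a channel.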




