> i doubt using an other method would minimize a risk when the meteor.com would actually get owned.
GPG signing, keep the private key offline, publish the public key in the blockchain and have a lot of high profile technologists sign it so it can be independently verified.
But at the end it's about people ...your example with PHPUnit can be abused like this
https://thejh.net/misc/website-terminal-copy-paste
How many people do you think will bother to paste the script to a text editor and check for evil parts ?
GPG signing, keep the private key offline, publish the public key in the blockchain and have a lot of high profile technologists sign it so it can be independently verified.
See also: PHPUnit. https://phpunit.de/manual/current/en/installation.html#insta...
(They provide an example shell script for quickly downloading and verifying the latest versions of their install)