
Move info re: why not to use npm to install yarn into Windows / OS X / Linux bits #650

Open
mikemaccana opened this issue Sep 13, 2017 · 4 comments

Comments

@mikemaccana
Contributor

It would be nice for the install page to clarify why npm should not be used.

https://yarnpkg.com/en/docs/install#alternatives-tab explains this perfectly:

Note: Installation of Yarn via npm is generally not recommended...

It's just in the wrong place, in 'Alternatives'. These instructions are presented as a peer for Windows, Mac and Linux, so users will only see them if they're not running Windows, Mac or Linux.

This info should be moved out so people who aren't running OpenBSD can see it!

@Daniel15
Member

I have a work-in-progress pull request to revamp the downloads page: #592. Maybe we can change something there

Do you think it's worth showing the "Installation of Yarn via npm is generally not recommended" section for every OS?

@Haroenv
Member

Haroenv commented Sep 13, 2017

I think that should say

Installation of Yarn via npm or Yarn itself is generally not recommended

That way it doesn't sound like FUD.

@mikemaccana
Contributor Author

mikemaccana commented Sep 13, 2017

I think the 'Alternative OS' page does a good job of explaining why, avoiding it looking like FUD. Quoting it in full:

When installing Yarn with Node-based package managers, the package is not signed, and the only integrity check performed is a basic SHA1 hash, which is a security risk when installing system-wide apps.

@BYK
Member

BYK commented Sep 13, 2017

The "signing" part needs to be expanded a bit, since the npm registry has package signatures for checksums, but this is not the signature we are mentioning. How about the following:

When installing Yarn from the npm registry, the package's author signature cannot be verified since this is not supported on the npm registry. The only signature check is an SHA checksum for file integrity. The tarballs are signed with PGP and when installed with the install script, this signature is automatically verified. We think author signature is critical enough for an application that downloads other executable code, and strongly recommend using this method or other author-signature verified methods.

PS: now I think I've almost fixed #589. 😁
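The two checks BYK's wording distinguishes (an integrity checksum, which only proves the bytes match a published digest, versus a PGP author signature checked against a key obtained out of band), as an added shell example that is not Yarn's own install script. The tarball name, expected digest, detached-signature path, keyring path and destination directory are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example (not Yarn's install script): gate extraction of a downloaded
# tarball on BOTH an integrity checksum and a detached PGP author signature.
# All paths and the expected digest are placeholders passed in by the caller.

# Integrity only: proves the bytes match a published SHA-1 digest. If that
# digest was fetched from the same place as the tarball, whoever can replace
# one can replace both, so this says nothing about who produced the file.
verify_checksum() {            # $1 = tarball, $2 = expected SHA-1 hex digest
    actual=$(sha1sum "$1" | cut -d ' ' -f 1)
    [ "$actual" = "$2" ]
}

# Authorship: proves the tarball was signed by a key present in a keyring the
# operator imported beforehand (out of band), which a registry-side checksum
# cannot establish. Fails closed when the signature file is missing.
verify_signature() {           # $1 = tarball, $2 = detached .asc, $3 = keyring
    [ -f "$2" ] || return 1
    gpg --batch --no-default-keyring --keyring "$3" \
        --verify "$2" "$1" >/dev/null 2>&1
}

# Unpack only when both checks pass; a matching checksum alone is not enough.
install_verified() {           # $1 = tarball, $2 = digest, $3 = .asc, $4 = keyring, $5 = destdir
    verify_checksum "$1" "$2" || { echo "checksum mismatch for $1" >&2; return 1; }
    verify_signature "$1" "$3" "$4" || { echo "PGP signature check failed for $1" >&2; return 1; }
    mkdir -p "$5" && tar -xzf "$1" -C "$5"
}
```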
