[logicallee]

if you're going to include "2a" you can refactor all of your steps into:

1. Google "meteor.com compromised" and decide whether it's currently compromised. If it isn't:

2. Run curl https://install.meteor.com|sh

It saves a few steps and is equally secure - you know, since you're just going to go based on what other people think and include no programmatic check whatsoever. (your 2a).

[sarciszewski2]

2a can be swapped out for a better PKI system at any time. Relying on whether it's public knowledge that Meteor is compromised or not is not nearly as resilient.

[logicallee]

so swap it out for a better PKI system. There is literally nothing in any of your steps that can't be automated, except for the totally nebulous 2a "publish in the blockchain, have lots of high profile technologists sign it" which 9/10 people are not qualified to judge.

There is no reason you couldn't automate your whole suggestion, except for that one, which makes it infeasible and open to all manner of social engineering.