Better explain why installation through NPM is not suggested
This issue was brought up here: https://twitter.com/maybekatz/status/890320508813586433
We should do a better job of explaining why the preferred way of installing yarn is not via NPM or don't mention this at all if we don't have a good reason.
Right now I think the package signature verification aspect is important but I'd like to hear more to come up with a solid explanation.
Ping @bestander @arcanis @Daniel15 @kittens
What's wrong with the current text?
Note: Installation of Yarn via npm is generally not recommended. When installing Yarn with Node-based package managers, the package is not signed, and the only integrity check performed is a basic SHA1 hash, which is a security risk when installing system-wide apps.
The only inaccuracy I see here is that newer versions of npm use SHA512 rather than SHA1. We can probably just change the text to say "basic hash" rather than specifying an exact hashing algorithm.
Maybe we can add a sentence about why signing is important?
Is the bit about the sha1 checksum even still true? Brief research suggests that npm 5 and up actually includes an sha512 hash when publishing packages. https://npm.community/t/sha1-vs-sha512-integrity/3416
Is there some other reason not to install yarn with npm?
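To make the distinction the thread is circling concrete, here is an added example (not code from Yarn, npm or any commenter above) that models both checks side by side. It computes the `sha512-<base64>` integrity string that npm 5+ records in `package-lock.json`, then contrasts it with a hypothetical publisher signature verified against a pinned public key, a scheme the quoted docs text says npm does not provide for Yarn. The publisher key, tarball bytes and the `publish`/`verifyRelease` helpers are constructed for the demo; the Ed25519 and SHA-512 calls are Go's standard library.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"strings"
)

// sriIntegrity builds the Subresource Integrity style string that npm 5+
// records in package-lock.json: "sha512-" followed by the base64 digest.
func sriIntegrity(tarball []byte) string {
	sum := sha512.Sum512(tarball)
	return "sha512-" + base64.StdEncoding.EncodeToString(sum[:])
}

// verifyIntegrity re-hashes the downloaded bytes and compares them with the
// integrity string. This catches corruption or a tarball swapped after the
// hash was recorded; it says nothing about who produced the tarball, because
// the hash arrives over the same channel as the tarball.
func verifyIntegrity(tarball []byte, integrity string) bool {
	parts := strings.SplitN(integrity, "-", 2)
	if len(parts) != 2 || parts[0] != "sha512" {
		return false
	}
	want, err := base64.StdEncoding.DecodeString(parts[1])
	if err != nil || len(want) != sha512.Size {
		return false
	}
	sum := sha512.Sum512(tarball)
	return subtle.ConstantTimeCompare(sum[:], want) == 1
}

// release is what a registry hands to an installer: the tarball, the hash the
// registry claims for it, and (hypothetically) a publisher signature.
type release struct {
	tarball   []byte
	integrity string
	signature []byte
}

// demoKey returns a constructed, deterministic publisher key pair. The fixed
// seed exists only so the example is reproducible; never do this for real keys.
func demoKey() (ed25519.PrivateKey, ed25519.PublicKey) {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
	priv := ed25519.NewKeyFromSeed(seed)
	return priv, priv.Public().(ed25519.PublicKey)
}

// publish is the hypothetical publisher side: hash the tarball and sign it
// with a key the registry never holds.
func publish(priv ed25519.PrivateKey, tarball []byte) release {
	return release{
		tarball:   tarball,
		integrity: sriIntegrity(tarball),
		signature: ed25519.Sign(priv, tarball),
	}
}

// verifyRelease is the hypothetical installer side, holding a public key that
// was obtained out of band (pinned) rather than fetched from the registry.
func verifyRelease(pinnedPub ed25519.PublicKey, r release) bool {
	return ed25519.Verify(pinnedPub, r.tarball, r.signature)
}

// tamperedRegistryScenario models a compromised registry (or anyone able to
// rewrite its responses) that replaces the tarball and publishes a fresh,
// matching hash for it. It reports whether the hash check and the signature
// check each accept the substituted release.
func tamperedRegistryScenario() (hashAccepts, sigAccepts bool) {
	priv, pinnedPub := demoKey()
	genuine := publish(priv, []byte("constructed genuine yarn tarball bytes"))

	// The attacker can recompute the hash for the new bytes, but cannot produce
	// a valid signature without the publisher's private key.
	evil := release{
		tarball:   []byte("constructed tampered tarball bytes"),
		signature: genuine.signature,
	}
	evil.integrity = sriIntegrity(evil.tarball)

	hashAccepts = verifyIntegrity(evil.tarball, evil.integrity)
	sigAccepts = verifyRelease(pinnedPub, evil)
	return hashAccepts, sigAccepts
}

func main() {
	h, s := tamperedRegistryScenario()
	fmt.Printf("hash check accepts swapped tarball: %v\n", h)      // true
	fmt.Printf("signature check accepts swapped tarball: %v\n", s) // false
}
```

The point the example makes is the one the docs text gestures at: a SHA-1 or SHA-512 integrity hash is a fine transport check, but when the hash and the artifact come from the same source, whoever controls that source controls both, so only a signature checked against a key you already trust ties the artifact to its publisher.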