[Mediawiki-l] Installation: security lockdown after HEAD installation

Derek A. Rogillio dereklist at rogillio.net
Tue Apr 20 19:42:52 UTC 2004


Hello all,

I've been running the stable branches for quite a while, but wanted to 
branch out into the HEAD release to try some of the new features in a 
sandbox.

For background, I'm running Debian testing (Sarge).

I downloaded the latest software from CVS into the phase3 directory.  I 
tried to do a command-line install using install.php but this does not 
appear to be working.  Reading the script, some of the necessary 
directories are not referenced or copied in install.php.  I know the 
install.php installation is not working in the stable branches.  Is this 
true with the HEAD branch as well?

I decided to try the in-place install.  I copied the entire phase3 
directory to a place accessible by my web server and renamed it to 
something more appropriate (testwiki).  I ran the in-place install and 
everything worked perfectly.

One downside with this approach is that I now have a bunch of files 
accessible to my web server that I am sure don't need to be there. 
Since a lot of this is new, I'm not sure what I can remove now that the 
Wiki is running, nor do I know what might be a security risk.  Has 
anyone done a writeup on cleaning up/securing an installation of the 
HEAD branch?  I wasn't able to find anything via Google.

The other downside is that I expect HEAD to be updated quite often. 
Since install.php and upgrade.php expect files to be in different 
locations than the in-place install, how do you update the installation 
to the latest version from CVS?

Thanks in advance for any help you can provide.  As a side note, I am 
really impressed with some of the new features and especially the mono 
style.

-Derek




