If users doesn't remove install directory form the
server after installation, the current install wizard
has some problems on security. Because attackers can
get informations of mainfile.php thorugh initial values
that the wizard shows.
And...
A bystander can steal security informations which are
SALT, salt from the confirm page by looking at the screen.
I was testing the last cvs snapshot but it doesn't work at all.
1. The install wizard still a long way (14 steps)
2. When the install process is finish, the system is blocked
until user delete folder 'install'
security=ok!
usability=no!
3. After manully delete folder 'install', i try to install a
module but it results in a 'blank page'.
It'a a cvs snapshot, right, but i'm pointing out these
issues with end-user experience in mind.
And try to translate the end-user experience into an
equation (forum thread)
gigamaster 
If users doesn't remove install directory form the
server after installation, the current install wizard
has some problems on security. Because attackers can
get informations of mainfile.php thorugh initial values
that the wizard shows.
And...
A bystander can steal security informations which are
SALT, salt from the confirm page by looking at the screen.
[JA]
okuhikiさんによって提案されました。
もしユーザーがインストール終了後にインストールディレク
トリを取り除かなかった場合、現在のインストールウィザー
ドはセキュリティ上にいくらかの問題を持っています。なぜ
なら、攻撃者はウィザードが表示する初期値を通じて
mainfile.php から情報を得ることができるためです。
また...
傍観する第三者は画面を(背後から)直接盗み見することに
よって、SALTなどの保安情報を確認画面から取得することが
可能です。