Drupal core installer messages

Here is a smaller list of messages that should be focused on first. These are from the core requirements API as defined in this patch.

Thanks! I've merged your improved help texts into the latest patch.

As per webchick's suggestion, I'm posting here my comment about safe_mode, made here.

Here we go...

Regarding the comment about safe_mode... while, it may make things easier to avoid conflicts with file uploads et al, there are security issues involved. Changing safe_mode may not be an option as it cannot be changed in .htaccess files.

Instead of saying "it is recommended..." I would say something like "safe_mode is enabled, consider switching it off if you have problems with file uploads, but keep in mind safe_mode on is more secure. You might want to contact your hosting provider.". Yeah, I know it is not very well written, but I hope you get the idea. :-)

I thought safe_mode was the devil? First, an anecdote. Back in July I went to the O'Reilly Open Source Convention and gave a talk on Gallery. While I was there, I wound up sitting at a table with Rasmus Lerdorf, the guy who founded PHP. He's a Gallery user so while we talked about various things, we eventually got around to talking about safe mode, since it's one of the biggest thorns in the side of applications like Gallery. About safe mode Rasmus says "the biggest problem with safe mode is that people use it." And he's right. Safe mode is fundamentally flawed because it's providing security at the application level, instead of at the operating system level. If you can run CGI scripts (which have no comparable safe mode) then you can do all the things that safe mode prevents you from doing. This is like ignoring the locked door (safe-mode PHP) and going in through the nearby open window (CGI). The only situation where safe mode actually provides any security is in the situation where your ISP also denies you any CGI access.

That's a common environment for many shared hosting providers, however...

Also, safe_mode off is a resource that has been used by PHP based exploits in the past. That is also something to consider... even if you can asure you're always 100% up to date, you're still open for 0 day exploits. Of course, safe_mode on is not the only thing to take into account, but safe_mode off is just a door that could be opened...

Hi, I asked a technical person who is a non-Drupal user to review the messages to see if they stood on their own. Here is the feedback on the messages.

Messages from system.install:

Errors:

Drupal requires PHP version %minimum_version or greater. You are
using PHP version %installed_version. PHP must be upgraded in order
to continue. Please contact your web server administrator.

Drupal requires Apache version %minimum_version or greater. You are
using Apache version %installed_version. Apache must be upgraded in
order to continue. Please contact your web server administrator.

Drupal requires MySQL version %minimum_version or greater. You are
using MySQL version %installed_version. MySQL must be upgraded in
order to continue. Please contact your web server administrator.

Drupal requires PostgreSQL version %minimum_version or greater. You
are using PostgreSQL version %installed_version. PostgreSQL must be
upgraded in order to continue. Please contact your web server
administrator.

TechnicalNonDrupalUser: These messages are are very clear and concise.

Warnings:

PHP safe_mode is currently enabled. It is recommended that you
disable safe_mode or Drupal may have problems, for example with
handling file uploads and images. This can be done by setting the
safe_mode variable in php.ini to "0". If you do not have access to
the php.ini file, please contact your web server administrator.

TechnicalNonDrupalUser: This is out of context for me. Should you explain how the user got in safe
mode (like Microsoft does)? If people are in CivicSpace, they may say
"hmm...what's Drupal?" I suggest rewording the second sentence to: It is
recommended that you disable safe_mode before continuing, otherwise you might
experience issues with things like file and image uploads.

PHP register_globals is currently enabled. As of Drupal 4.2.0 it is
advised that you disable register_globals, as it helps increase the
security of your site. This can be done by setting the
register_globals variable in php.ini to "0". If you do not have
access to the php.ini file, please contact your web server
administrator.

TechnicalNonDrupalUser: good

Your PHP installation limits Drupal to using only %current_value of
RAM. It is suggested that you modify the memory_limit directive to
allow at least %value of RAM. This can be done by setting the
memory_limit variable in php.ini to "%value". If you do not have
access to the php.ini file, please contact your web server
administrator.

TechnicalNonDrupalUser: good for an advanced user. I couldn't explain this to my mom, but she
wouldn't be doing this stuff in the first place.

Your settings.php file is currently writable by the web
server process. This is security risk, and it is advised that you
remove write permission from the file. On Unix-like systems, this can
be done with the command: chmod o-w %path/settings.php.

TechnicalNonDrupalUser: same comment as above

Apache's mod_rewrite is not enabled. You will need to enable
mod_rewrite if you wish to use Drupal's Clean URL functionality.
Please contact your web server administrator.

TechnicalNonDrupalUser: What's mod_rewrite for? Why would I use Clean URL? What is Clean URL? How
do I enable it? This is the most abstract message so far.

For improved Drupal performance and reduced bandwidth consumption you
can enable the PHP zlib extension. If enabled, Drupal will compress
cached pages and serve these pre-compressed pages to web browsers
that support gzip, which helps speed up their browsing experience.
Please contact your web server administrator.

TechnicalNonDrupalUser: again, the tips on how to do something are more useful
-----

Errors/warnings generated by the API:

Unexpected error: function "%function" does not exist.

TechnicalNonDrupalUser: As a techy, I understand this, but to the average user,
"what the heck
is a function?" If I knew what this was referring to, I could suggest some
other messages.

Unexpected error: unable to find file "%file", function "%function"
does not exist.

TechnicalNonDrupalUser: Same as above.

%type %file exists but should not. This can happen if, for
example, you have created a directory that has the same name as a
file that Drupal is expecting. Please remove the %type %file.

TechnicalNonDrupalUser: Huh? How about something along the lines of "reserved terms" or
"duplicates"?

%file exists but is not a %type. This can happen if, for
example, you have created a file that has the same name as a
directory that Drupal is expecting. Please remove the %type %file.

TechnicalNonDrupalUser: Same as above? Why is this a problem? It's not clear.

%type %file does not exist.

TechnicalNonDrupalUser: assuming this is based on querying something, this is fine.

%type %file is not readable. On Unix-like systems, this can
be fixed with the command: chmod o+r %path/%file.

TechnicalNonDrupalUser: This is more about permissions and I would say that -> "Read" permissions
are missing on %type %file. To enable read permissions on Unix-like
systems, ...

%type %file is not writable. On Unix-like systems, this can
be fixed with the command: chmod o+w %path/%file.

TechnicalNonDrupalUser: same as above

%type %file is not executable. On Unix-like systems, this
can be fixed with the command: chmod o+x %path/%file.

TechnicalNonDrupalUser: again, just say there are permissions issues -> This file does not have
enough permissions to execute. ...etc.

%type %file is readable but should not be. On Unix-like
systems, this can be fixed with the command:

chmod o-r %path/%
file

.

TechnicalNonDrupalUser: fine, it might be nice to say why it shouldn't be...

%type %file is writable but should not be. On Unix-like
systems, this can be fixed with the command:

chmod o-w %path/%
file

.

TechnicalNonDrupalUser: same as above

%type %file is executable but should not be. On Unix-like
systems, this can be fixed with the command:

chmod o-x %path/%
file

.

TechnicalNonDrupalUser: same as above

Automatically created directory %file.

TechnicalNonDrupalUser: out of context

Failed to automatically create directory %file, insufficient
privileges. Please manually create the %file directory.

TechnicalNonDrupalUser: too vague

Automatically fixed the permissions of file %file.

TechnicalNonDrupalUser: hopefully, I wanted this to happen. Again, too out of context for me to
comment.

Failed to automatically fix permissions of file %file,
insufficient privileges. Please manually fix these permissions, using
the commands outlined in previous messages.

TechnicalNonDrupalUser: Will the previous messages always be displayed? If the privileges are
insufficient, how can you do it manually?

No connection to MySQL database, unable to verify MySQL version.
Please try again, double-check your spelling and ensure that you do
not have caps lock enabled. If this problem persists, check with your
hosting provider to determine the correct username, password,
hostname, and database name for your MySQL server.

TechnicalNonDrupalUser: a couple grammatical errors. Usually, the connection has nothing
to do with
spelling. Authentication will though. If this is more of an
authenticaton error,
you should say that.

No connection to PostgreSQL database, unable to verify PostgreSQL
version. Please try again, double-check your spelling and ensure that
you do not have caps lock enabled. If this problem persists, check
with your hosting provider to determine the correct username,
password, hostname, and name for your PostgreSQL database.

TechnicalNonDrupalUser: same as above

TechnicalNonDrupalUser

Amazon: that feedback is invaluable! Great job.