You are right again. But I will complicate the installation.
The PHP files are secure, they are classes ore arrays.
if you execute them nothing happens. We have an .htaccess file in core applications folder. The .htacces file rejects all requests.
We would provide security tips also for nginx users.
Just to repeat all files except index.php are classes ore arrays
and and they don't execute any code.
Ghost is great. Wordpress is not.
Yes, currently our USP is parsing ghost themes. Ospari is faster than Wordpress and I would say even more secure than Wordpress. Not to mention the code quality ;-) and we have just released the first version.
You are right. The application does not belong to public folder. My goal is to make installation as easy as possible. Just copy the code and start to blog. Another reason is, that you can't easily run the application in subdirectory for example /blog/ if put the application code behind public folder.
Composer is a good Idea, but with first version we wanted to deliver one single package for the end users. We would use composer for the next releases.
Here is a quick screen short http://awesomescreenshot.com/04e2brbo81
We a basic and clean admin interface. Ospari uses Markdown. You have a live preview as you type and everything is auto saved.
I explained it in my last post. It is the ease of getting started. You can just copy Ospari on your server and start to blog. Installing Ghost is not easy.
Second it is also about alternatives. Why Ycombinator started HN, although reddit existed?
By our first post on HN some users criticized us that we call Ospari open source but no one can see our code or download Ospari. We worked hard and released the first version today.