OK, updated list:
1) Support older versions of ASL for longer (i.e. rules only - for 7 to 14 days). (Comment from Mike: I think the solution on this one is to make it possible for people to run older versions. If you are running an older version, that's your business. Maybe we fork the rules if we need to put something out that's ASL version specific. Point taken.)
2) Option to update rules, but not ASL automatically. Another request was to make this the default behavior. (Comment: Done, we are adding this in as we speak and it will be in a future version of ASL soon)
3) Add in ability to roll back to older versions of rules (you can do this now, but the process is manual, so I'm assuming a GUI point/click method is what we are aiming at here, correct me if I am wrong)
4) On detection of "old/incompatible" ASL version<->rules, send an e-mail notification to admin informing them of the update instead of running it. (An extension of #1 and #2 above?) (Comment: a little more work... something we need to think about how to manage, forking will tie into this at some point, see #5 below)
5) Fork the rules when new versions require features in a newer version of ASL. (Original request: When a new ASL version or component comes out, do not immediately release rules that only work with it. Wait 7 to 14 days before doing so. In the meantime continue to release rules that work with both old and new.) I think forking might make more sense. (Comment on this one: Not all rules will work with older versions of mod_security, for example, so running older versions will mean that some features will not work, so keep that in mind: old = potentially vulnerable if we fork - nevertheless, yep, we will do this too).
6) Allow ASL to be configured to not only allow root logins but to not warn or send any alerts that the system is configured in this way. (Comment: This one makes me nervous, I don't want someone to disable an alert without some work... feedback appreciated on this one, I can see this potentially backfiring) David's comment: rkhunter allow rootlogins yes to shut it up.
7) Allow ASL to be configured to hide specific vulnerabilities and to report the system as not vulnerable (for example, if you are running a vulnerable kernel allow the user to disable the alert and hide the vulnerability). (Comment: we're probably going to add in an option to configure the system to make it impossible for someone to ignore a vulnerability report, our compliance and government customers can't have a system that doesn't tell them the cold hard truth all the time, it's mandated for them.)
8) Add a weekly cron job that updates components, timed to happen when ASL support is officially open (i.e. not a weekend). Note: Delay ASL releases to only happen during the week, presumably on a Monday. (Comment: done, we'll delay ASL releases to Mondays or something like that. We'll probably make the final available right away on the testing channels for those that prefer to use the final build when it comes out of Beta)
9) Delay release of new rules 7 to 14 days later that require new ASL features, start to release rules that require the new version. (Comment: Appreciate the sentiment on this, but I don't think it's necessary. Forking makes more sense to me where there's no need to delay a new feature that closes a serious vulnerability; if users want to keep running older versions, forking makes more sense rather than forcing everything to stay vulnerable for two weeks)
10) Remove the ASL dependency on a hard denyhosts version number. You should be able to run an OS denyhosts version. As long as it's there, ASL can configure it. Obviously if you plan a special denyhosts to do stuff, it should be an add-on to denyhosts, or a new ASL package like paxtest.
11) PHP safe mode. If you set safe mode to off, and if you have php-5.3x, do not generate a security warning. As you know, safe mode is fully deprecated in 5.3x, so producing a warning is just silly and pointless and only shows a vulnerability that does NOT exist.
12) Server type = custom in the ASL config. Please preserve this in updates. Why overwrite it? It's been changed for a reason. In my case, if I forget to edit the ASL config or I happen to update ASL close to the hour, cups and services I use get killed. I then have to put it all back.
13) Option to tweak reports. If I run X Windows or a non-ASL kernel, I should be able to suppress the alert on it. Yes, it may be a vulnerability, however if I set something in a config file I am aware of this. I think the GUI should alert me to a real alert I am not aware of rather than having to wade through alerts. Comment: I assume this to mean you should be alerted to *new* vulnerabilities? In other words, if you tell ASL to not care if you have a vulnerable stack kernel issue, but we add in a new check for heap vulnerabilities, you want to be alerted to that, and then you can say "yes I don't care" and silence that one too?