Hi, I honestly don't see how it would be feasible to maintain a feature that the developers maintaining it have access to.
I get that this whole pax-thing embodies a huge part of Gentoo history and it may feel hard for some to let it go. But things are how they are. Regarding the fork states: I followed up on minipli's fork, which tried to maintain newer patches of grsec for LTS kernels, but that essentially stopped after KPTI/meltdown/retpoline. From what I know there's no public grsec patch with kpti or any spectre fixes, thus I would very much say you're safer these days with an upstream kernel. I think the only realistic way this support can be upheld would be if some people who have access to the grsec sources commit to making sure that it is maintained. There's also another question related to this: What's the future for Gentoo hardened? From what I can tell hardened consists of: * the things that try to make it compatible with grsec/pax (more or less obsolete). * things that are now in default profiles anyway (aslr, stack protector). * things that probably should be in default profiles (relro, now linker flags) * -fstack-check, which should eventually be replaced with -fstack-clash-protection (only available in future gcc's) and that should probably also go into default profiles. * Furthermore hardened disables some useful features due to their incompatibility with pax (e.g. sanitizers). So it's stuff that either is obsolete or probably should be a candidate for main profiles. Maybe we should strive for "hardened-by-default". -- Hanno Böck https://hboeck.de/ mail/jabber: ha...@hboeck.de GPG: FE73757FA60E4E21B937579FA5880072BBB51E42