Security things in Linux v4.8 (outflux.net)
97 points by mynameislegion on Oct 5, 2016 | hide | past | favorite | 21 comments



Now if only more of the RT patch landed in mainline, I couldn't be happier.


I'm curious. What do you need/are you using in the RT patch that isn't mainline?


  Now there is no (expected) way to bypass seccomp filters, and
  containers with seccomp filters can allow ptrace again.


*until proven otherwise


I'm curious what "PaX Team" thinks of this.


With the accessibility of these patches in the few distros that support them falling further and further behind-- they're becoming increasingly theoretical, and less interesting to hear commentary from.

E.g. https://packages.gentoo.org/packages/sys-kernel/hardened-sou...


What does their inability to fund continued development have to do with their security competence?


There is no relationship between the two.


Sadly, it isn't so-- the further from the vulgarities of production the patches are the less realistic the experience gained from working with them.

I can tell you how to make a perfectly secure computer, grind it down and launch it into the sun.

Part of the rest of the kernel community's complaints about many of these changes is that they aren't sufficiently pragmatic for wide-scale use or long-term maintenance.


PaX is a patch-set, that's fine. People who care enough about low level security can apply it. The market for 'we care about security' is very large. Unfortunately, it still doesn't intersect with 'popular', and at that level one kernel team may be deploying to millions of machines. The mainline kernel (as well as other OS kernels) has drawn features explored through PaX and its predecessors slowly over time, and will likely continue to do so. Writing off PaX as increasingly irrelevant because you personally can't configure it with a button-click on your distro-of-choice simply reflects a profound ignorance of the longer term technical and social environment in which it is developed.


It's becoming irrelevant possibly because you have to pay for stable patches now:

"Grsecurity stable patch downloads are available to customers only."

edit: that's for grsec only, not PaX + grsec.


What does that link show exactly?


It shows that Gentoo provides an easy-install method (emerge =sys-kernel/hardened-sources-VERSION) for pre-PaX-patched kernel sources up to version 4.7.6. This was done 4 days ago. That version of the kernel apparently only came out 5 days ago. That's a 24 hour latency on a release: pretty current in my view. It's not marked 'stable' on any platform (that's what the green squares mean), but that just means it has had limited testing and in Gentoo is not a weird thing at all.


> That's a 24 hour latency on a release

The last unmasked release is 4.4.8-r1 which is six months behind.


Masking in Gentoo is a way to say "we don't know for sure it's stable" not "don't use it". You are misinterpreting and the supposed evidence for your point is invalid.

(Edit in reply to below: That basically just means 'we don't want to babysit people who can't compile a kernel or recover an unbootable machine'. It has nothing to do with the currency or utility of PaX or Gentoo. You obviously do not have experience in this area.)


The Gentoo wiki basically says to stay away from testing if you don't know what you're doing:

"Users that do not know how Gentoo works and how to solve problems, we recommend to stick with the stable and tested branch."

https://wiki.gentoo.org/wiki/Handbook:X86/Portage/Branches#T...


What's the phrase? "If you assume, you make an ass out of you and me"?

In reply (because of reply functionality, instead of stealthy edits), you should know I run an unmasked ck-sources kernel because rice (and BFS/BFQ).

If you really want an unstable Gentoo install, go with the x32 profile.


How does that support the point made? (It doesn't help that I don't actually understand the point made.)


"Beware though; using the testing branch might incur stability issues, imperfect package handling (for instance wrong/missing dependencies), too frequent updates (resulting in lots of building) or broken packages. Users that do not know how Gentoo works and how to solve problems, we recommend to stick with the stable and tested branch."

https://wiki.gentoo.org/wiki/Handbook:X86/Portage/Branches#T...

The most recent stable hardened-sources is 4.4.8-r1 which is ~6 months old.


vanilla-sources isn't stabled at all. What's your point?


vanilla-sources is not supported by the Gentoo kernel team, so I would expect it to not be. hardened-sources, however, is supported.

https://wiki.gentoo.org/wiki/Kernel/Overview#vanilla-sources

