Linux – Why are the grsecurity patches not included in the Vanilla Kernel

Tags: grsecurity, kernel, linux

What are the reasons that grsecurity patches (or the security features they bring) are not included in the kernel by default? When looking at the benefits for security, it seems the vanilla kernel is quite insecure as it is.

If this is a trade-off (some applications where you want to avoid the security measures), it seems that grsecurity could be an option to enable in the vanilla kernel.

With so many things in the mainstream vanilla kernel, I have a hard time understanding the reasons why the community does not want to include grsecurity.

Best Answer

(I'm a grsecurity developer.)

jsbillings's answer is based on an email post discussed in an LWN article.

The important context here is that neither grsecurity nor PaX developers were involved in that mailing list discussion. The PaX Team's comment to the LWN article clears this up. We've never submitted the patches for mainline inclusion. One simple reason is that we're the ones with the ideas and implementations, which upstreaming would not solve. Furthermore, we'd have to engage in tiresome mailing list arguments with a group of developers who are very much anti-security (see my 2012 H2HC presentation for more discussion of this). We have limited time and resources, so we choose to spend it in the most effective way possible: creating the security technology of tomorrow and making it available to everyone for free. As the PaX Team mentions in their comment, we have a particular encompassing view of security and also thus don't believe there's much merit in the splitting-off and upstreaming of individual features.