> Agreed. And I would like to go further -- in some contexts there are
> requirements that after a program has touched a certain class of file
> it is henceforth not allowed to write into another class of file.
> I.e. the program isn't going to be allowed to reclassify sensitive
> data from one level to another.
Makes sense. I don't think it would be hard to implement in the current
Safe-Tcl, either -- the extension environment is pretty much arbitrarily
powerful, so policies like this can be implemented by the extension
writer. The trickiest part would be if there were multiple
independently-developed extensions, in which case they might need a
shared mechanism for making note of what kinds of capabilities had been
previously used. But one extension writer can do all this easily enough
for a set of related capabilities. Is that good enough, do you think,
or do we need a standardized interface by which multiple
*independently-implemented* extensions can inform each other about
whether or not they've been used?

-- Nathaniel
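
The shared mechanism asked about above, sketched as an added example that is not part of the original message or of Safe-Tcl itself: two independently written extensions enforce "no write to a lower class after reading a higher one" by consulting one common ledger of capability classes already used. It uses present-day Tcl's `interp create -safe` and `interp alias` rather than the Safe-Tcl extension interface under discussion. The `ledger` namespace, `classify`, `ext_read`, `ext_write` and the sample paths are hypothetical names constructed for illustration.

```tcl
# Shared ledger: the single interface every extension agrees on (hypothetical).
namespace eval ledger {
    variable used            ;# array: interp name -> list of classes touched
    proc note {interp class} {
        variable used
        if {![info exists used($interp)] || $class ni $used($interp)} {
            lappend used($interp) $class
        }
    }
    proc touched {interp class} {
        variable used
        expr {[info exists used($interp)] && $class in $used($interp)}
    }
}

# Constructed classification rule; a real site policy would supply this.
proc classify {path} {
    expr {[string match /secret/* $path] ? "sensitive" : "public"}
}

# Extension A (reader): records the class of every file it hands out.
proc ext_read {interp path} {
    ledger::note $interp [classify $path]
    return "contents of $path"          ;# stand-in for real file access
}

# Extension B (writer), written independently: it only queries the ledger
# and needs no knowledge of how extension A works.
proc ext_write {interp path data} {
    set class [classify $path]
    if {$class eq "public" && [ledger::touched $interp sensitive]} {
        error "policy: $interp has read sensitive data, may not write $path"
    }
    ledger::note $interp $class
    return [string length $data]        ;# stand-in for a real write
}

# Untrusted code runs in a safe interpreter and sees only the two aliases.
set child [interp create -safe]
interp alias $child readfile  {} ext_read  $child
interp alias $child writefile {} ext_write $child

interp eval $child {writefile /tmp/a "before"}    ;# allowed: nothing read yet
interp eval $child {readfile /secret/key}         ;# ledger now holds "sensitive"
set refused [catch {interp eval $child {writefile /tmp/b "leak"}} msg]
puts "refused=$refused: $msg"
```

The ledger is keyed by interpreter name, so each untrusted program carries its own history and one program's reads do not restrict another's writes.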