He probably assumes that processes are usually short-lived or limited in their scope (those are the design principles he used in his software, anyway). That way "source creep" doesn't happen so quickly.
It reminds me of the taint principle (-T) as provided by Perl 5. The differences are that there the set of sources consists just of "secure" and "insecure", and processes themselves are not tainted. In a world of C programs, tainting processes themselves (as they come into contact with a potential "contagion") may actually make sense.