Changes

This is a proposal for a security model for Gecko. The key idea of this proposal is that security checks are performed immediately before doing a possibly-unsafe operation and that the subject principal for any actions is tracked throughout the codebase. Contrast this with the proposal at [[Security:Security_Checks_In_Glue]].