> - zero out on unlink() so that the data is no longer on the disk
> (Everybody seems to have expressed preference for this solution but I
> think this requires changing all the affected filesystems)
actually, i don't like this idea at all. it requires additional
writes and it makes crash handling much harder later. eg, fsdb
will have much less useful data to work from.
i really don't think it is worth making hard times harder.