Ted Zlatanov wrote:
> the best way is to either use gnutls_memset() (available since only
> 3.4.0 in lib/safe-memfuncs.c) or to copy it.

These days glibc's explicit_bzero is a better way to go, as its implementation 
should be more reliable than the 'volatile' trick used by gnutls_memset. So I 
installed the attached patches into master: they either use explicit_bzero, or 
copy it.

I'll file a bug report with the GnuTLS folks to suggest that they use 
explicit_bzero if available.