I've finally managed to get my patches for format security warnings approved for GCC. With current CVS GCC, you can now compile with -Wall -Wformat-security -Wmissing-format-attribute and detect problems such as the klogd hole of a few months ago; this will detect uses of the form printf (foo); where foo is variable and so might contain %. (For best effect, you may need to add format attributes to <sys/syslog.h> for syslog and vsyslog.) Previous changes I made in October mean it won't give spurious warnings for conditional expressions (where all leaves are constant) or if the format string is a const array.