It would be great if "-Wformat-security" could be included in "-Wall".
For more details, please see https://fedorahosted.org/fesco/ticket/1185 URL.
I certainly don't want to diverge from upstream meaning of -Wall, the set of warnings enabled by default resp. in -Wall resp. in -W shouldn't change through vendor adjustments, if some project using -Werror takes time to ensure it is error (warning promoted to errors) free for some GCC x.y version, if various vendor GCC versions would diverge that, it would be a nightmare for developers.
If you want -Wformat-security for Fedora, just set it in $RPM_OPT_FLAGS.
... is there a reason it can't be proposed as an upstream change?
It isn't a warning without small rate of false positives, I'd categorize it more as a coding style warning, so I personally don't think it is a good idea to include it in -Wall and thus perhaps am not the right person to champion such a change. Anyone who thinks there are sufficient arguments for that can surely propose it in http://gcc.gnu.org/bugzilla/, though there is less than a month before new features won't be accepted anymore for 4.9.
Note, -D_FORTIFY_SOURCE (not even =1) isn't on by default either, and the most dangerous thing that would result from user controlled strings being passed to *printf family of function is %n, which is blocked already by -D_FORTIFY_SOURCE=2.
If we don't include it in -Wall, could we at least argue for inclusion in -Wextra?
That is the same thing.