If a package fails to compile with CFLAGS="-Werror=format-security", please add it as a blocker of this tracker. Other distros (like Fedora/Debian) build with format-security, so you may find patch(es) in their repositories. Main info at https://fedoraproject.org/wiki/Format-Security-FAQ
See also: https://bugs.gentoo.org/show_bug.cgi?id=fortify-source#c8
I agree with https://bugs.gentoo.org/259417#c7 and would prefer these bugs to be sorted out upstream. Quite a few false positives are expected around the flag, like https://bugs.gentoo.org/714000
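For reference, the pattern the flag rejects and the usual fix, as a constructed example added here (not code from this tracker, from any of the linked bugs, or from any Gentoo package). -Wformat-security fires when a printf-family call gets a non-literal format string and no further arguments; the table case at the end is the kind of non-exploitable code that still trips it, since the compiler cannot see at the call site that every entry is a fixed literal. The function and array names are illustrative.

```c
/* Constructed example: what -Werror=format-security rejects, and the fix.
 * Not taken from the tracker or any of the bugs it links. */
#include <stdio.h>
#include <string.h>

/* Flagged: the caller-supplied text is used as the format string.  Any
 * conversion in msg ("%s", "%n", ...) would be interpreted against
 * arguments that were never passed.  The test below uses only "%%", so
 * the behaviour is well defined and shows the interpretation happening. */
static int render_unsafe(char *out, size_t n, const char *msg)
{
    return snprintf(out, n, msg);           /* warning -> error with -Werror */
}

/* Fixed: the format is a literal and the text is an argument, so a '%'
 * in msg is copied through untouched. */
static int render_safe(char *out, size_t n, const char *msg)
{
    return snprintf(out, n, "%s", msg);
}

/* Typical false-positive shape: every format comes from a table of
 * literals with no conversions, yet the call site only sees a pointer. */
static const char *const banners[] = { "starting", "done" };

static int banner_flagged(char *out, size_t n, int which)
{
    return snprintf(out, n, banners[which]);       /* non-literal, no args */
}

/* The mechanical fix.  Caveat: if a table entry contained "%%" it was
 * being printed as "%" before; un-double it when converting. */
static int banner_fixed(char *out, size_t n, int which)
{
    return snprintf(out, n, "%s", banners[which]);
}

int main(void)
{
    char buf[64];
    render_unsafe(buf, sizeof buf, "100%% done");
    printf("unsafe: %s\n", buf);    /* "%%" was interpreted: 100% done */
    render_safe(buf, sizeof buf, "100%% done");
    printf("safe:   %s\n", buf);    /* copied verbatim:      100%% done */
    banner_flagged(buf, sizeof buf, 1);
    banner_fixed(buf, sizeof buf, 1);
    printf("banner: %s\n", buf);
    return 0;
}
```

Building this with `-Wformat -Werror=format-security` fails on `render_unsafe` and `banner_flagged` only; the two fixed versions compile cleanly, which is the check to run before sending a patch upstream.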