Freeciv

On my system (Debian buster, GCC 8.3.0), I'm allowed to write something like

cat_snprintf(buf, bufsz, _("Fixed string"));

cat_snprintf(buf, bufsz, Q_("?qual:Fixed string"));

error: format not a string literal and no format arguments [-Werror=format-security]

I think this is because _() (i.e. the system gettext()) benefits from GCC attribute __format_arg__, but our homegrown Q_() and friends do not. So I think we should add that attribute to our skip_intl_qualifier_prefix().

About GCC version support: gettext's rune is defined in a cdefs.h on my system as follows:

/* At some point during the gcc 2.8 development the `format_arg' attribute
   for functions was introduced.  We don't want to use it unconditionally
   (although this would be possible) since it generates warnings.
   If several `format_arg' attributes are given for the same function, in
   gcc-3.0 and older, all but the last one are ignored.  In newer gccs,
   all designated arguments are considered.  */
#if __GNUC_PREREQ (2,8)
# define __attribute_format_arg__(x) __attribute__ ((__format_arg__ (x)))
#else
# define __attribute_format_arg__(x) /* Ignore */
#endif

Those versions are pretty old (GCC 3.0 was 2001). I haven't found documentation for a minimum version of GCC we support, but it looks like we use the __format__ attribute without checking GCC version? I don't know how old that attribute is.

For now I'm not going to try to conditionalise this on GCC version. (And I'm going to assume that any toolchain which defines __GNUC__ can cope with them, as we do for other attributes -- I haven't tried e.g. clang.)