sionescu / libfixposix

Thin wrapper over POSIX syscalls

Investigate using setgroups()

sionescu opened this issue · comments

A lint check in OBS gives this message:

W: missing-call-to-setgroups-before-setuid /usr/lib64/libfixposix.so.3.0.0
This executable is calling setuid and setgid without setgroups or initgroups.
There is a high probability this means it didn't relinquish all groups, and
this would be a potential security issue to be fixed. Seek POS36-C on the web
for details about the problem.

I'm working on packaging your project for Fedora, and came across this issue as well. It also looks like it has been promoted from an rpmlint warning to an error:

E: missing-call-to-setgroups-before-setuid /usr/lib64/libfixposix.so.3.2.0

Thank you, I will look into it.

cc0a170 removes the SETUID/SETGID options so this bug is no longer valid.
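The call order that the rpmlint check quoted at the top of this thread looks for, as an added example that is not libfixposix code. The names `drop_privileges`, `only_group_is` and `enum drop_result` are hypothetical, and Linux with glibc is assumed.

```c
#define _DEFAULT_SOURCE 1   /* glibc: expose setgroups() in <grp.h> */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum drop_result { DROP_OK = 0, DROP_ERR_SETGROUPS, DROP_ERR_SETGID,
                   DROP_ERR_SETUID, DROP_ERR_VERIFY };

/* Returns 1 if every supplementary group of the process equals gid. */
static int only_group_is(gid_t gid)
{
    gid_t list[256];
    int n = getgroups(256, list);
    if (n < 0)
        return 0;
    for (int i = 0; i < n; i++)
        if (list[i] != gid)
            return 0;
    return 1;
}

/* Permanently switch to uid/gid. The supplementary group list and the GID
 * can only be changed while the process is still privileged, so both calls
 * must come before setuid(); otherwise the inherited groups stay attached. */
enum drop_result drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0)   /* 1. replace the inherited group list */
        return DROP_ERR_SETGROUPS;
    if (setgid(gid) != 0)          /* 2. GID while still privileged */
        return DROP_ERR_SETGID;
    if (setuid(uid) != 0)          /* 3. UID last */
        return DROP_ERR_SETUID;
    /* Check the result instead of trusting the return codes alone. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid ||
        getegid() != gid || !only_group_is(gid))
        return DROP_ERR_VERIFY;
    if (uid != 0 && setuid(0) == 0) /* regaining root must be impossible */
        return DROP_ERR_VERIFY;
    return DROP_OK;
}

int main(void)
{
    /* Constructed demo: target the current IDs. An unprivileged process is
     * refused at step 1, because setgroups() needs CAP_SETGID. */
    enum drop_result r = drop_privileges(getuid(), getgid());
    printf("drop_privileges -> %d\n", (int)r);
    return (r == DROP_OK || r == DROP_ERR_SETGROUPS) ? 0 : 1;
}
```

A real daemon would pass the UID and GID of its service account, looked up with `getpwnam()`, and exit if the result is anything other than `DROP_OK`.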