# Go with CGO_ENABLED=0 produces a fully static binary — no dynamic linking to libc or any .so files.
# rpmlint flags this because static binaries are unusual for C/C++ (they miss security updates to shared
#  libs). But for Go this is the standard and intended build mode — Go bundles its own runtime.
# Suppressing is correct.
addFilter("statically-linked-binary")

# RPM's brp-strip-debug uses the system strip tool, which doesn't understand Go's custom binary format
# well. Stripping Go binaries can actually break them (corrupt stack traces, panic output, etc.). Go has
#  its own way to reduce binary size (-ldflags "-s -w"), but even then strip won't recognize the binary
# as "stripped". Suppressing is the standard practice for Go packages.
addFilter("unstripped-binary-or-object")

# PIE (Position Independent Executable) is a security hardening measure that enables ASLR (Address Space
#  Layout Randomization). It's important for C/C++ binaries. Go binaries already implement their own
# memory layout and runtime, so PIE provides no meaningful security benefit and the compiler flag isn't
# applicable in the same way. Suppressing is standard for Go.
addFilter("position-independent-executable-suggested")
