[GF-Users] Postfix-tlspol 1.8.27

Peter peter at pajamian.dhs.org
Sun Mar 15 22:26:17 MST 2026


On 14/03/2026 12:03, Michael Webb wrote:
> Hi Peter
> 
> When convenient, please could you build updated rpms for Postfix-tlspol?

Sure.

> Postfix-tlspol has been updated a few times but I have held off asking 
> until now as the previous updates were to fix issues that did not affect 
> EL8/9/10. The most recent will update Golang to v1.26.1 for security 
> fixes see https://github.com/Zuplu/postfix-tlspol/releases/tag/v1.8.27 

The fixes referenced are to fix vulnerabilities in 1.26.0 which are also 
fixed in version 1.25.7 so it is not necessary to change the golang 
version that we are using, and tbh I would rather not because it adds 
additional builddeps that would need to be downloaded for the build and 
violates my policy of not requiring external dependencies.

> To force the build to use Golang 1.26.1 or later,  we need to ensure 
> that line 44 in the SPEC file is set to “export GOTOOLCHAIN=auto” and 
> related lines commented and uncommented as indicated, but I think we 
> started doing it this way a few versions ago already. (When I tried 
> “local” the build seemed to still be using go1.25.7.)

Just to expand on the above when checking CVEs I was able to find one 
listed vulnerability in 1.26.0 that is listed to also be fixed in 1.25.7 
as well as seven vulnerabilities for 1.25.5 that are all fixed by 
1.25.7.  I don't think setting this to auto is necessary for the build. 
It is currently set to local.

> No other changes are necessary, but FYI, I have also changed line 39 in 
> my SPEC file because I felt that to specify the folder name was more 
> intuitive and easier to troubleshoot if the build fails:
> 
> From: %setup a0
> 
> To:  %setup -q -n %{archivename}

-n %{archivename} (actually %{name}-%{version} which is the same thing) 
is pretty much the default for -n so it's not necessary to specify it. 
I'm happy to add -q and I honestly don't know what the a0 did, I think 
it's just ignored and is not valid syntax for %setup, so I'll make it:

%setup -q


Peter
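
Added example, not part of Peter's message or of the project's spec file: a pre-build gate that checks the Go version `GOTOOLCHAIN=local` resolves to against the patched releases named in this thread (1.25.7 for the 1.25 line, 1.26.1 for the 1.26 line). The function names are hypothetical, and any release line not mentioned in the thread is reported as unknown rather than guessed.

```shell
#!/bin/sh
# Added example. Version floors are the ones named in the thread above.

# ver_ge A B: succeed when dotted version A >= B (numeric, three fields).
ver_ge() {
    va=$1 vb=$2
    for i in 1 2 3; do
        fa=${va%%.*} fb=${vb%%.*}
        [ "${fa:-0}" -gt "${fb:-0}" ] && return 0
        [ "${fa:-0}" -lt "${fb:-0}" ] && return 1
        # Drop the field just compared; a missing field counts as 0.
        case $va in *.*) va=${va#*.} ;; *) va=0 ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb=0 ;; esac
    done
    return 0
}

# floor_for VERSION: print the minimum patched release for its minor line.
floor_for() {
    case $1 in
        1.25|1.25.*) echo 1.25.7 ;;
        1.26|1.26.*) echo 1.26.1 ;;
        *) return 1 ;;  # line not discussed in the thread: no floor known
    esac
}

# check_toolchain GOVERSION: 0 = patched, 1 = below floor, 2 = cannot decide.
check_toolchain() {
    v=${1#go}
    case $v in
        ''|*[!0-9.]*) echo "unparseable Go version: $1" >&2; return 2 ;;
    esac
    floor=$(floor_for "$v") || { echo "no floor known for go$v" >&2; return 2; }
    if ver_ge "$v" "$floor"; then
        echo "ok: go$v >= go$floor"
    else
        echo "FAIL: go$v is below patched go$floor" >&2
        return 1
    fi
}

# In a build script, after `export GOTOOLCHAIN=local`:
#   check_toolchain "$(go env GOVERSION)" || exit 1
```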


