Ingela/ssl/backwards inet compat/otp 20018 by IngelaAndin · Pull Request #10809 · erlang/otp

IngelaAndin · 2026-03-06T09:44:25Z

Document that setting transport protocol specific socket options is not generally expected to work for TLS and if it happens to work it comes with consequences that should be understood an accepted by the user. Also retain some backwards compatibility with such an option that happened to work to buy time for people to come up with better solutions.

github-actions · 2026-03-06T09:45:08Z

CT Test Results

2 files 66 suites 25m 35s ⏱️
818 tests 772 ✅ 46 💤 0 ❌
4 267 runs 3 310 ✅ 957 💤 0 ❌

Results for commit 108e8d0.

♻️ This comment has been updated with latest results.

To speed up review, make sure that you have read Contributing to Erlang/OTP and that all checks pass.

See the TESTING and DEVELOPMENT HowTo guides for details about how to run test locally.

Artifacts

// Erlang/OTP Github Action Bot

u3s

build fails due to doc failure.

lib/ssl/src/ssl.erl

u3s · 2026-03-06T10:07:31Z

lib/ssl/src/tls_sender.erl

+            %% This does not mean that we support TCP options for TLS
+            %% only that we provide time for better solutions to emerge
+            %% for solutions that happened to work.


I don't understand this sentence. Consider re-phrasing.

u3s · 2026-03-06T10:28:46Z

lib/ssl/src/tls_sender.erl

        ok ->
            send_reply(From, ok),
            {ok, StateData0};
+        {error, timeout} = Error ->


isn't it contradictory - that we dis-recommend using it, but then we have special code for handling as special error.

it is like docs say: "we don't support it, avoid using if possible",
code says: "we handle this one particular error, related to specific transport, and specific TCP option for that on transport" ...

do we need to handle it?

Because we want to create time for users to adopt. This was broken in OTP-28 intentionally as it is impossible to handle the documented {error,timeout, RestData} as ssl:send is not just a byte suffler. However the inet-driver always buffers all sent data and makes sure it sent later and will only return {error, timeout} which hence happened to work before OTP-28. Now this is of course is not something that users should rely on, but this came down more to common sense and understanding of how network protocols work, rather than documentation.

Is the future plan anyhow known already and could be drafted in code comment?
... better solutions to emerge for solutions that happened to work. is a bit fuzzy and hard to decode what it means.

Well we do not exactly know as the problem description is not exactly stated from those that complained. But it could be a redesign of their code only or perhaps we will have an asynchronous send operation in the future on TLS level that they could use, but it is unclear if that is what the want or not, but something we might consider independent of that, but this is long term plan.

u3s · 2026-03-06T10:31:59Z

lib/ssl/src/ssl.erl

+-doc """Sets options according to `Options` for socket `SslSocket`.
+
+> #### Note {: .info }
+Note that setting low level transport protocol specific options


is this something we could also communicate with a startup logger event?
or not a good idea?

No, this would not only be annoying, it is hard to compile a complete list of such options which is one of the reasons why we do not really try to reject the options. Also we can not pretend to understand all possible uses case the some user might have.

Buy time for people that might have relied on this behavior for better solutions to be crated.

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [erlang](https://github.com/erlang/otp) | minor | `28.3.3` → `28.4.1` | --- ### Release Notes <details> <summary>erlang/otp (erlang)</summary> ### [`v28.4.1`](https://github.com/erlang/otp/releases/tag/OTP-28.4.1): OTP 28.4.1 [Compare Source](https://github.com/erlang/otp/compare/OTP-28.4...OTP-28.4.1) ``` Patch Package: OTP 28.4.1 Git Tag: OTP-28.4.1 Date: 2026-03-12 Trouble Report Id: OTP-20007, OTP-20009, OTP-20011, OTP-20012, OTP-20014, OTP-20018, OTP-20022 Seq num: CVE-2026-23941, CVE-2026-23942, CVE-2026-23943, ERIERL-1303, ERIERL-1305, GH-10694, PR-10707, PR-10798, PR-10809, PR-10811, PR-10813, PR-10825, PR-10833 System: OTP Release: 28 Application: crypto-5.8.3, inets-9.6.1, kernel-10.6.1, ssh-5.5.1, ssl-11.5.3 Predecessor: OTP 28.4 ``` Check out the git tag OTP-28.4.1, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp\_patch\_apply' tool. For information on install requirements, see descriptions for each application version below. ### crypto-5.8.3 The crypto-5.8.3 application can be applied independently of other applications on a full OTP 28 installation. #### Fixed Bugs and Malfunctions - Fix memory leak in `crypo:engine_load` if called with incorrect commands. Own Id: OTP-20014\ Related Id(s): [PR-10798] > #### Full runtime dependencies of crypto-5.8.3 > > erts-9.0, kernel-6.0, stdlib-3.9 ### inets-9.6.1 The inets-9.6.1 application can be applied independently of other applications on a full OTP 28 installation. #### Fixed Bugs and Malfunctions - The httpd server now rejects HTTP requests containing multiple Content-Length headers with different values, returning a 400 Bad Request response. This prevents potential HTTP request smuggling attacks. Thanks Luigino Camastra at Aisle Research for responsibly disclosing this vulnerability Own Id: OTP-20007\ Related Id(s): [PR-10833], [CVE-2026-23941] > #### Full runtime dependencies of inets-9.6.1 > > erts-14.0, kernel-9.0, mnesia-4.12, public\_key-1.13, runtime\_tools-1.8.14, ssl-9.0, stdlib-5.0, stdlib-6.0 ### kernel-10.6.1 The kernel-10.6.1 application can be applied independently of other applications on a full OTP 28 installation. #### Fixed Bugs and Malfunctions - A vulnerability has been resolved in the (undocumented, unsupported and unused in OTP) inet\_dns\_tsig module that leads to a validation bypass. If a request contained an error code (forbidden by spec), it was treated as a response and skipped the verification of the MAC. The user of the module would then receive an "all ok" response, depending on the use case, this could lead to such things as AXFR or UPDATE being allowed. The code has also been tightening up of the client side to make sure too large (bad) MAC sizes cannot be selected and the limit is the output size of the algorithm chosen. Own Id: OTP-20012\ Related Id(s): [PR-10825] > #### Full runtime dependencies of kernel-10.6.1 > > crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-7.0 ### ssh-5.5.1 Note! The ssh-5.5.1 application *cannot* be applied independently of other applications on an arbitrary OTP 28 installation. ``` On a full OTP 28 installation, also the following runtime dependency has to be satisfied: -- crypto-5.7 (first satisfied in OTP 28.1) ``` #### Fixed Bugs and Malfunctions - Fixed path traversal vulnerability in SFTP server's root option allowing authenticated users to access sibling directories with matching name prefixes. The root option used string prefix matching instead of path component validation. With {root, "/home/user1"}, attackers could access /home/user10/ or /home/user123/. Thanks to Luigino Camastra, Aisle Research. Own Id: OTP-20009\ Related Id(s): [PR-10811], [CVE-2026-23942] - Fixed excessive memory usage vulnerability in SSH compression allowing attackers to consume system resources through decompression bombs. The 'zlib' and '<[email protected]>' algorithms lacked decompression size limits, allowing 256 KB packets to expand to 255 MB (1029:1 ratio). This could lead to crashes on systems with limited memory. The fix removes zlib from default compression algorithms and implements decompression size limits for both algorithms. Thanks to Igor Morgenstern at Aisle Research Own Id: OTP-20011\ Related Id(s): [PR-10813], [CVE-2026-23943] > #### Full runtime dependencies of ssh-5.5.1 > > crypto-5.7, erts-14.0, kernel-10.3, public\_key-1.6.1, runtime\_tools-1.15.1, stdlib-5.0, stdlib-6.0 ### ssl-11.5.3 Note! The ssl-11.5.3 application *cannot* be applied independently of other applications on an arbitrary OTP 28 installation. ``` On a full OTP 28 installation, also the following runtime dependencies have to be satisfied: -- crypto-5.8 (first satisfied in OTP 28.3) -- public_key-1.18.3 (first satisfied in OTP 28.1) ``` #### Fixed Bugs and Malfunctions - TLS-1.3 certificate request now preserves the order of signature algorithms in certificate request extension to be in the servers preferred order, which might affect the choice made by some TLS clients. Own Id: OTP-20022\ Related Id(s): ERIERL-1305, [GH-10694], [PR-10707] #### Improvements and New Features - Document that setting transport protocol specific socket options is not generally expected to work for TLS and if it happens to work it comes with consequences that should be understood an accepted by the user. Also retain some backwards compatibility with such an option that happened to work to buy time for people to come up with better solutions. Own Id: OTP-20018\ Related Id(s): ERIERL-1303, [PR-10809] > #### Full runtime dependencies of ssl-11.5.3 > > crypto-5.8, erts-16.0, inets-5.10.7, kernel-10.3, public\_key-1.18.3, runtime\_tools-1.15.1, stdlib-7.0 ### Thanks to Alexander Clouter, Hewwho [cve-2026-23941]: https://nvd.nist.gov/vuln/detail/CVE-2026-23941 [cve-2026-23942]: https://nvd.nist.gov/vuln/detail/CVE-2026-23942 [cve-2026-23943]: https://nvd.nist.gov/vuln/detail/CVE-2026-23943 [gh-10694]: https://github.com/erlang/otp/issues/10694 [pr-10707]: https://github.com/erlang/otp/pull/10707 [pr-10798]: https://github.com/erlang/otp/pull/10798 [pr-10809]: https://github.com/erlang/otp/pull/10809 [pr-10811]: https://github.com/erlang/otp/pull/10811 [pr-10813]: https://github.com/erlang/otp/pull/10813 [pr-10825]: https://github.com/erlang/otp/pull/10825 [pr-10833]: https://github.com/erlang/otp/pull/10833 ### [`v28.4`](https://github.com/erlang/otp/releases/tag/OTP-28.4): OTP 28.4 [Compare Source](https://github.com/erlang/otp/compare/OTP-28.3.3...OTP-28.4) ``` Patch Package: OTP 28.4 Git Tag: OTP-28.4 Date: 2026-03-04 Trouble Report Id: OTP-16607, OTP-19824, OTP-19860, OTP-19886, OTP-19892, OTP-19901, OTP-19904, OTP-19905, OTP-19907, OTP-19908, OTP-19911, OTP-19913, OTP-19914, OTP-19920, OTP-19923, OTP-19928, OTP-19937, OTP-19939, OTP-19940, OTP-19941, OTP-19948, OTP-19950, OTP-19951, OTP-19952, OTP-19959, OTP-19972, OTP-19973, OTP-19974, OTP-19976, OTP-19977, OTP-19979, OTP-19987, OTP-19988, OTP-19989, OTP-19990, OTP-19992, OTP-19998, OTP-20006 Seq num: ERIERL-1251, ERIERL-1264, ERIERL-1283, GH-10351, GH-10371, GH-10470, GH-10474, GH-10494, GH-10495, GH-10501, GH-10513, GH-10567, GH-10652, GH-10698, GH-10705, GH-9681, OTP-16608, PR-10271, PR-10385, PR-10434, PR-10438, PR-10451, PR-10469, PR-10484, PR-10486, PR-10496, PR-10512, PR-10521, PR-10522, PR-10536, PR-10537, PR-10546, PR-10550, PR-10576, PR-10583, PR-10586, PR-10588, PR-10599, PR-10602, PR-10623, PR-10624, PR-10625, PR-10630, PR-10655, PR-10665, PR-10668, PR-10672, PR-10673, PR-10675, PR-10678, PR-10684, PR-10708, PR-10714, PR-10723, PR-10752, PR-9695 System: OTP Release: 28 Application: asn1-5.4.3, common_test-1.30, compiler-9.0.5, crypto-5.8.2, diameter-2.6.1, erl_interface-5.6.4, erts-16.3, et-1.7.3, eunit-2.10.2, inets-9.6, kernel-10.6, megaco-4.8.3, mnesia-4.25.2, observer-2.18.2, odbc-2.16.1, parsetools-2.7.1, public_key-1.20.2, reltool-1.0.3, runtime_tools-2.3.1, sasl-4.3.1, snmp-5.20.1, ssh-5.5, ssl-11.5.2, stdlib-7.3, syntax_tools-4.0.3, tools-4.1.4, wx-2.5.4, xmerl-2.1.9 Predecessor: OTP 28.3.3 ``` Check out the git tag OTP-28.4, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp\_patch\_apply' tool. For information on install requirements, see descriptions for each application version below. ### HIGHLIGHTS - Added support for the PQC key exchange (kex) algorithm mlkem768x25519-sha256, a hybrid quantum-resistant algorithm combining ML-KEM-768 with X25519. Own Id: OTP-19824\ Application(s): ssh\ Related Id(s): [PR-10512], [PR-10655] - Added `persistent_term:put_new/2` that will quickly do nothing if a term with the given name and value already exists, and raise a `badarg` exception if the term exists with a different value. Own Id: OTP-19908\ Application(s): erts\ Related Id(s): [GH-9681], [PR-9695] ### POTENTIAL INCOMPATIBILITIES - Added a new HttpOption `{autoretry, timeout()}` to `httpc:request/4,5`. This option allows the client to decide how to act upon receiving a Retry-After response header. The default behavior changes, as now only one retry is made before returning the error code, instead of retrying infinitely. Own Id: OTP-19892\ Application(s): inets\ Related Id(s): ERIERL-1283, [PR-10469] ### OTP-28.4 #### Improvements and New Features - Release applications, tests, and documentation are now placed in their respective directories. Source SBOM with more packages. A `make release` application places only the necessary code in the release folder. The main change is that the documentation and examples are not part of the release folder anymore. `make release_docs` places the documentation in the released code under the `doc` folder. `make release_tests` places the tests in their own directory. It used to be the case that some source code was mixed with the tests, and this should not happen anymore. The Software Bill of Materials places the examples folders as if they are part of the `SPDX-otp-<app>-doc` packge, instead of placing examples as if they were running source code. Overall, this change cleans up many things that were not quite correct by definition, and everything should still continue to work as expected. To test a release, one can still run `./Install -minimal \`pwd\``and add the release to the`PATH`. After that, one can run tests as usual, going into the released tests directory, entering `test\_server\` and running the emulator. Improves the source Software-Bill-of-Materials - The improvements adds new SPDX relations for `asmjit` and `zlib` to be `optional_components_of` the Erlang/OTP project. - The `autoconf` scripts in `make` and `erts` have now been categorised as `build_tool_of` the Erlang/OTP project. - All remaining `configure`, `configure.ac`, `config.h.in`, `Makefile.in`, `Makefile.src`, `EMakefile`, and `GNUMakefile` are now part of a specific SPDX package with relation `build_tool_of` the Erlang/OTP project. Own Id: OTP-19886\ Related Id(s): [PR-10434] - The GH Actions CI forbids non-maintainers to commit `*.beam` files to the Erlang/OTP repo Own Id: OTP-19923\ Related Id(s): [PR-10550] - Updated `openssl` from `3.6.0` to `3.6.1`. This change does not perform any changes in the `md5` vendor implementation from `openssl`. The change merges upstream cosmetic changes from `openssl`. This is necessary to automatically migrate cleanly to the next `openssl` version without conflicts with upstream. Own Id: OTP-19959\ Related Id(s): [PR-10630] - The removal of the [`slave`] and [`slave`] modules have been postponed to Erlang/OTP 31. The partial removal of the archive feature has been postponed to Erlang/OTP 30. Own Id: OTP-19989\ Related Id(s): [PR-10714] ### asn1-5.4.3 The asn1-5.4.3 application can be applied independently of other applications on a full OTP 28 installation. #### Improvements and New Features - Release applications, tests, and documentation are now placed in their respective directories. Source SBOM with more packages. A `make release` application places only the necessary code in the release folder. The main change is that the documentation and examples are not part of the release folder anymore. `make release_docs` places the documentation in the released code under the `doc` folder. `make release_tests` places the tests in their own directory. It used to be the case that some source code was mixed with the tests, and this should not happen anymore. The Software Bill of Materials places the examples folders as if they are part of the `SPDX-otp-<app>-doc` packge, instead of placing examples as if they were running source code. Overall, this change cleans up many things that were not quite correct by definition, and everything should still continue to work as expected. To test a release, one can still run `./Install -minimal \`pwd\``and add the release to the`PATH`. After that, one can run tests as usual, going into the released tests directory, entering `test\_server\` and running the emulator. Improves the source Software-Bill-of-Materials - The improvements adds new SPDX relations for `asmjit` and `zlib` to be `optional_components_of` the Erlang/OTP project. - The `autoconf` scripts in `make` and `erts` have now been categorised as `build_tool_of` the Erlang/OTP project. - All remaining `configure`, `configure.ac`, `config.h.in`, `Makefile.in`, `Makefile.src`, `EMakefile`, and `GNUMakefile` are now part of a specific SPDX package with relation `build_tool_of` the Erlang/OTP project. Own Id: OTP-19886\ Related Id(s): [PR-10434] > #### Full runtime dependencies of asn1-5.4.3 > > erts-14.0, kernel-9.0, stdlib-5.0 ### common\_test-1.30 The common\_test-1.30 application can be applied independently of other applications on a full OTP 28 installation. #### Fixed Bugs and Malfunctions - Added documentation about the behavior of `ct:comment/1` and `ct:comment/2` when executed from processes other than the process running test functions. Own Id: OTP-19913\ Related Id(s): ERIERL-1264, [PR-10271] #### Improvements and New Features - Updated jquery to 4.0.0 Own Id: OTP-19972\ Related Id(s): [PR-10623], [PR-10624], [PR-10625], [PR-10665] - The removal of the [`slave`] and [`slave`] modules have been postponed to Erlang/OTP 31. The partial removal of the archive feature has been postponed to Erlang/OTP 30. Own Id: OTP-19989\ Related Id(s): [PR-10714] > #### Full runtime dependencies of common\_test-1.30 > > compiler-6.0, crypto-4.5, debugger-4.1, erts-7.0, ftp-1.0, inets-6.0, kernel-8.4, observer-2.1, runtime\_tools-1.8.16, sasl-2.5, snmp-5.1.2, ssh-4.0, stdlib-4.0, syntax\_tools-1.7, tools-3.2, xmerl-1.3.8 ### compiler-9.0.5 The compiler-9.0.5 application can be applied independently of other applications on a full OTP 28 installation. #### Fixed Bugs and Malfunctions - Fixed a compiler alias analysis bug that could generate unsafe code for repeated binary segments. Own Id: OTP-19951\ Related Id(s): [PR-10588] > #### Full runtime dependencies of compiler-9.0.5 > > crypto-5.1, erts-13.0, kernel-8.4, stdlib-6.0 ### crypto-5.8.2 The crypto-5.8.2 application can be applied independently of other applications on a full OTP 28 installation. #### Fixed Bugs and Malfunctions - Fixed `crypto:crypto_one_time_aead/4`, which could crash the runtime system if invoked in parallel with the same state. Own Id: OTP-19973\ Related Id(s): [GH-10652], [PR-10668] > #### Full runtime dependencies of crypto-5.8.2 > > erts-9.0, kernel-6.0, stdlib-3.9 ### diameter-2.6.1 The diameter-2.6.1 application can be applied independently of other applications on a full OTP 28 installation. #### Improvements and New Features - Release applications, tests, and documentation are now placed in their respective directories. Source SBOM with more packages. A `make release` application places only the necessary code in the release folder. The main change is that the documentation and examples are not part of the release folder anymore. `make release_docs` places the documentation in the released code under the `doc` folder. `make release_tests` places the tests in their own directory. It used to be the case that some source code was mixed with the tests, and this should not happen anymore. The Software Bill of Materials places the examples folders as if they are part of the `SPDX-otp-<app>-doc` packge, instead of placing examples as if they were running source code. Overall, this change cleans up many things that were not quite correct by definition, and everything should still continue to work as expected. To test a release, one can still run `./Install -minimal \`pwd\``and add the release to the`PATH`. After that, one can run tests as usual, going into the released tests directory, entering `test\_server\` and running the emulator. Improves the source Software-Bill-of-Materials - The improvements adds new SPDX relations for `asmjit` and `zlib` to be `optional_components_of` the Erlang/OTP project. - The `autoconf` scripts in `make` and `erts` have now been categorised as `build_tool_of` the Erlang/OTP project. - All remaining `configure`, `configure.ac`, `config.h.in`, `Makefile.in`, `Makefile.src`, `EMakefile`, and `GNUMakefile` are now part of a specific SPDX package with relation `build_tool_of` the Erlang/OTP project. Own Id: OTP-19886\ Related Id(s): [PR-10434] > #### Full runtime dependencies of diameter-2.6.1 > > erts-10.0, kernel-3.2, ssl-9.0, stdlib-5.0 ### erl\_interface-5.6.4 The erl\_interface-5.6.4 application can be applied independently of other applications on a full OTP 28 installation. #### Improvements and New Features - Updated `openssl` from `3.6.0` to `3.6.1`. This change does not perform any changes in the `md5` vendor implementation from `openssl`. The change merges upstream cosmetic changes from `openssl`. This is necessary to automatically migrate cleanly to the next `openssl` version without conflicts with upstream. Own Id: OTP-19959\ Related Id(s): [PR-10630] #### Known Bugs and Problems - The `ei` API for decoding/encoding terms is not fully 64-bit compatible since terms that have a representation on the external term format larger than 2 GB cannot be handled. Own Id: OTP-16607\ Related Id(s): OTP-16608 ### erts-16.3 The erts-16.3 application can be applied independently of other applications on a full OTP 28 installation. #### Fixed Bugs and Malfunctions - Fixed a documentation build warning when one or more applications failed their configure step and were skipped. Own Id: OTP-19914\ Related Id(s): ERIERL-1251, [PR-10537] - The (IPv6) flowinfo control message header was not properly supported. Own Id: OTP-19977 - Fixed NetBSD thread naming, using `pthread_setname_np()`; used for debugging. Own Id: OTP-19987\ Related Id(s): [PR-10684] #### Improvements and New Features - The `erlang:link_option/0` type is now exported. Own Id: OTP-19904\ Related Id(s): [PR-10451] - Added `persistent_term:put_new/2` that will quickly do nothing if a term with the given name and value already exists, and raise a `badarg` exception if the term exists with a different value. Own Id: OTP-19908\ Related Id(s): [GH-9681], [PR-9695] \*\*\* HIGHLIGHT \*\*\* - The `manifest.xml` file for the Windows build now has version numbers updated to correctly report OS versions on Windows 10, 11, Server 2016, 2019, 2022. Own Id: OTP-19920\ Related Id(s): [GH-10371], [PR-10546] - Improved yielding inside `re:run`. Regular expressions searching for *one* specific byte character could spin in `memchr()` without any yielding or reduction counting. Own Id: OTP-19950\ Related Id(s): [PR-10486] - Updated `openssl` from `3.6.0` to `3.6.1`. This change does not perform any changes in the `md5` vendor implementation from `openssl`. The change merges upstream cosmetic changes from `openssl`. This is necessary to automatically migrate cleanly to the next `openssl` version without conflicts with upstream. Own Id: OTP-19959\ Related Id(s): [PR-10630] - Updated `ryu` implementation used to convert floats to strings. Own Id: OTP-19974\ Related Id(s): [PR-10672] - Upgraded `asmjit` to `v1.18` Own Id: OTP-19979\ Related Id(s): [PR-10675] - Updated zlib to version 1.3.2. Own Id: OTP-19998\ Related Id(s): [PR-10752] > #### Full runtime dependencies of erts-16.3 > > kernel-9.0, sasl-3.3, stdlib-4.1 ### et-1.7.3 The et-1.7.3 application can be applied independently of other applications on a full OTP 28 installation. #### Improvements and New Features - Release applications, tests, and documentation are now placed in their respective directories. Source SBOM with more packages. A `make release` application places only the necessary code in the release folder. The main change is that the documentation and examples are not part of the release folder anymore. `make release_docs` places the documentation in the released code under the `doc` folder. `make release_tests` places the tests in their own directory. It used to be the case that some source code was mixed with the tests, and this should not happen anymore. The Software Bill of Materials places the examples folders as if they are part of the `SPDX-otp-<app>-doc` packge, instead of placing examples as if they were running source code. Overall, this change cleans up many things that were not quite correct by definition, and everything should still continue to work as expected. To test a release, one can still run `./Install -minimal \`pwd\``and add the release to the`PATH`. After that, one can run tests as usual, going into the released tests directory, entering `test\_server\` and running the emulator. Improves the source Software-Bill-of-Materials - The improvements adds new SPDX relations for `asmjit` and `zlib` to be `optional_components_of` the Erlang/OTP project. - The `autoconf` scripts in `make` and `erts` have now been categorised as `build_tool_of` the Erlang/OTP project. - All remaining `configure`, `configure.ac`, `config.h.in`, `Makefile.in`, `Makefile.src`, `EMakefile`, and `GNUMakefile` are now part of a specific SPDX package with relation `build_tool_of` the Erlang/OTP project. Own Id: OTP-19886\ Related Id(s): [PR-10434] > #### Full runtime dependencies of et-1.7.3 > > erts-9.0, kernel-5.3, runtime\_tools-1.10, stdlib-3.4, wx-1.2 ### eunit-2.10.2 The eunit-2.10.2 application can be applied independently of other applications on a full OTP 28 installation. #### Improvements and New Features - Release applications, tests, and documentation are now placed in their respective directories. Source SBOM with more packages. A `make release` application places only the necessary code in the release folder. The main change is that the documentation and examples are not part of the release folder anymore. `make release_docs` places the documentation in the released code under the `doc` folder. `make release_tests` places the tests in their own directory. It used to be the case that some source code was mixed with the tests, and this should not happen anymore. The Software Bill of Materials places the examples folders as if they are part of the `SPDX-otp-<app>-doc` packge, instead of placing examples as if they were running source code. Overall, this change cleans up many things that were not quite correct by definition, and everything should still continue to work as expected. To test a release, one can still run `./Install -minimal \`pwd\``and add the release to the`PATH`. After that, one can run tests as usual, going into the released tests directory, entering `test\_server\` and running the emulator. Improves the source Software-Bill-of-Materials - The improvements adds new SPDX relations for `asmjit` and `zlib` to be `optional_components_of` the Erlang/OTP project. - The `autoconf` scripts in `make` and `erts` have now been categorised as `build_tool_of` the Erlang/OTP project. - All remaining `configure`, `configure.ac`, `config.h.in`, `Makefile.in`, `Makefile.src`, `EMakefile`, and `GNUMakefile` are now part of a specific SPDX package with relation `build_tool_of` the Erlang/OTP project. Own Id: OTP-19886\ Related Id(s): [PR-10434] > #### Full runtime dependencies of eunit-2.10.2 > > erts-9.0, kernel-5.3, stdlib-6.0 ### inets-9.6 The inets-9.6 application can be applied independently of other applications on a full OTP 28 installation. #### Improvements and New Features - Release applications, tests, and documentation are now placed in their respective directories. Source SBOM with more packages. A `make release` application places only the necessary code in the release folder. The main change is that the documentation and examples are not part of the release folder anymore. `make release_docs` places the documentation in the released code under the `doc` folder. `make release_tests` places the tests in their own directory. It used to be the case that some source code was mixed with the tests, and this should not happen anymore. The Software Bill of Materials places the examples folders as if they are part of the `SPDX-otp-<app>-doc` packge, instead of placing examples as if they were running source code. Overall, this change cleans up many things that were not quite correct by definition, and everything should still continue to work as expected. To test a release, one can still run `./Install -minimal \`pwd\``and add the release to the`PATH`. After that, one can run tests as usual, going into the released tests directory, entering `test\_server\` and running the emulator. Improves the source Software-Bill-of-Materials - The improvements adds new SPDX relations for `asmjit` and `zlib` to be `optional_components_of` the Erlang/OTP project. - The `autoconf` scripts in `make` and `erts` have now been categorised as `build_tool_of` the Erlang/OTP project. - All remaining `configure`, `configure.ac`, `config.h.in`, `Makefile.in`, `Makefile.src`, `EMakefile`, and `GNUMakefile` are now part of a specific SPDX package with relation `build_tool_of` the Erlang/OTP project. Own Id: OTP-19886\ Related Id(s): [PR-10434] - Added a new HttpOption `{autoretry, timeout()}` to `httpc:request/4,5`. This option allows the client to decide how to act upon receiving a Retry-After response header. The default behavior changes, as now only one retry is made before returning the error code, instead of retrying infinitely. Own Id: OTP-19892\ Related Id(s): ERIERL-1283, [PR-10469] \*\*\* POTENTIAL INCOMPATIBILITY \*\*\* - Httpc will not add a Content-Length header for requests, that do not have defined semantics for request content in [RFC9110] and do not include content. The list includes methods: `[GET, HEAD, OPTIONS, TRACE, DELETE]`. The behavior for `headers_as_is` option remains unchanged. Own Id: OTP-19928\ Related Id(s): [GH-10513], [PR-10521] - Improved documentation and specs for `do/1` callback in httpd module. Own Id: OTP-19952\ Related Id(s): [GH-10501], [PR-10602] > #### Full runtime dependencies of inets-9.6 > > erts-14.0, kernel-9.0, mnesia-4.12, public\_key-1.13, runtime\_tools-1.8.14, ssl-9.0, stdlib-5.0, stdlib-6.0 ### kernel-10.6 The kernel-10.6 application can be applied independently of other applications on a full OTP 28 installation. #### Fixed Bugs and Malfunctions - The built in DNS resolver `inet_res` has been fixed to do a final request assuming that the request name is absolute, as customary for many DNS resolver client libraries. Own Id: OTP-19937\ Related Id(s): [GH-10494], [PR-10576] #### Improvements and New Features - Added support for `zstd` compression in the [`file`] module. Own Id: OTP-19860\ Related Id(s): [PR-10385] - Release applications, tests, and documentation are now placed in their respective directories. Source SBOM with more packages. A `make release` application places only the necessary code in the release folder. The main change is that the documentation and examples are not part of the release folder anymore. `make release_docs` places the documentation in the released code under the `doc` folder. `make release_tests` places the tests in their own directory. It used to be the case that some source code was mixed with the tests, and this should not happen anymore. The Software Bill of Materials places the examples folders as if they are part of the `SPDX-otp-<app>-doc` packge, instead of placing examples as if they were running source code. Overall, this change cleans up many things that were not quite correct by definition, and everything should still continue to work as expected. To test a release, one can still run `./Install -minimal \`pwd\``and add the release to the`PATH`. After that, one can run tests as usual, going into the released tests directory, entering `test\_server\` and running the emulator. Improves the source Software-Bill-of-Materials - The improvements adds new SPDX relations for `asmjit` and `zlib` to be `optional_components_of` the Erlang/OTP project. - The `autoconf` scripts in `make` and `erts` have now been categorised as `build_tool_of` the Erlang/OTP project. - All remaining `configure`, `configure.ac`, `config.h.in`, `Makefile.in`, `Makefile.src`, `EMakefile`, and `GNUMakefile` are now part of a specific SPDX package with relation `build_tool_of` the Erlang/OTP project. Own Id: OTP-19886\ Related Id(s): [PR-10434] > #### Full runtime dependencies of kernel-10.6 > > crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-7.0 ### megaco-4.8.3 The megaco-4.8.3 application can be applied independently of other applications on a full OTP 28 installation. #### Improvements and New Features - Release applications, tests, and documentation are now placed in their respective directories. Source SBOM with more packages. A `make release` application places only the necessary code in the release folder. The main change is that the documentation and examples are not part of the release folder anymore. `make release_docs` places the documentation in the released code under the `doc` folder. `make release_tests` places the tests in their own directory. It used to be the case that some source code was mixed with the tests, and this should not happen anymore. The Software Bill of Materials places the examples folders as if they are part of the `SPDX-otp-<app>-doc` packge, instead of placing examples as if they were running source code. Overall, this change cleans up many things that were not quite correct by definition, and everything should still continue to work as expected. To test a release, one can still run `./Install -minimal \`pwd\``and add the release to the`PATH`. After that, one can run tests as usual, going into the released tests directory, entering `test\_server\` and running the emulator. Improves the source Software-Bill-of-Materials - The improvements adds new SPDX relations for `asmjit` and `zlib` to be `optional_components_of` the Erlang/OTP project. - The `autoconf` scripts in `make` and `erts` have now been categorised as `build_tool_of` the Erlang/OTP project. - All remaining `configure`, `configure.ac`, `config.h.in`, `Makefile.in`, `Makefile.src`, `EMakefile`, and `GNUMakefile` are now part of a specific SPDX package with relation `build_tool_of` the Erlang/OTP project. Own Id: OTP-19886\ Related Id(s): [PR-10434] > #### Full runtime dependencies of megaco-4.8.3 > > asn1-3.0, debugger-4.0, erts-12.0, et-1.5, kernel-8.0, runtime\_tools-1.8.14, stdlib-2.5 ### mnesia-4.25.2 The mnesia-4.25.2 application can be applied independently of other applications on a full OTP 28 installation. #### Improvements and New Features - Release applications, tests, and documentation are now placed in their respective directories. Source SBOM with more packages. A `make release` application places only the necessary code in the release folder. The main change is that the documentation and examples are not part of the release folder anymore. `make release_docs` places the documentation in the released code under the `doc` folder. `make release_tests` places the tests in their own directory. It used to be the case that some source code was mixed with the tests, and this should not happen anymore. The Software Bill of Materials places the examples folders as if they are part of the `SPDX-otp-<app>-doc` packge, instead of placing examples as if they were running source code. Overall, this change cleans up many things that were not quite correct by definition, and everything should still continue to work as expected. To test a release, one can still run `./Install -minimal \`pwd\``and add the release to the`PATH`. After that, one can run tests as usual, going into the released tests directory, entering `test\_server\` and running the emulator. Improves the source Software-Bill-of-Materials - The improvements adds new SPDX relations for `asmjit` and `zlib` to be `optional_components_of` the Erlang/OTP project. - The `autoconf` scripts in `make` and `erts` have now been categorised as `build_tool_of` the Erlang/OTP project. - All remaining `configure`, `configure.ac`, `config.h.in`, `Makefile.in`, `Makefile.src`, `EMakefile`, and `GNUMakefile` are now part of a specific SPDX package with relation `build_tool_of` the Erlang/OTP project. Own Id: OTP-19886\ Related Id(s): [PR-10434] > #### Full runtime dependencies of mnesia-4.25.2 > > erts-9.0, kernel-5.3, stdlib-5.0 ### observer-2.18.2 The observer-2.18.2 application can be applied independently of other applications on a full OTP 28 installation. #### Improvements and New Features - Release applications, tests, and documentation are now placed in their respective directories. Source SBOM with more packages. A `make release` application places only the necessary code in the release folder. The main change is that the documentation and examples are not part of the release folder anymore. `make release_docs` places the documentation in the released code under the `doc` folder. `make release_tests` places the tests in their own directory. It used to be the case that some source code was mixed with the tests, and this should not happen anymore. The Software Bill of Materials places the examples folders as if they are part of the `SPDX-otp-<app>-doc` packge, instead of placing examples as if they were running source code. Overall, this change cleans up many things that were not quite correct by definition, and everything should still continue to work as expected. To test a release, one can still run `./Install -minimal \`pwd\``and add the release to the`PATH`. After that, one can run tests as usual, going into the released tests directory, entering `test\_server\` and running the emulator. Improves the source Software-Bill-of-Materials - The improvements adds new SPDX relations for `asmjit` and `zlib` to be `optional_components_of` the Erlang/OTP project. - The `autoconf` scripts in `make` and `erts` have now been categorised as `build_tool_of` the Erlang/OTP project. - All remaining `configure`, `configure.ac`, `config.h.in`, `Makefile.in`, `Makefile.src`, `EMakefile`, and `GNUMakefile` are now part of a specific SPDX package with relation `build_tool_of` the Erlang/OTP project. Own Id: OTP-19886\ Related Id(s): [PR-10434] > #### Full runtime dependencies of observer-2.18.2 > > erts-15.0, et-1.5, kernel-10.0, runtime\_tools-2.1, stdlib-5.0, wx-2.3 ### odbc-2.16.1 The odbc-2.16.1 application can be applied independently of other applications on a full OTP 28 installation. #### Improvements and New Features - Corrected specs to eliminate Dialyzer warnings for applications. Own Id: OTP-19992\ Related Id(s): [PR-10678] > #### Full runtime dependencies of odbc-2.16.1 > > erts-6.0, kernel-3.0, stdlib-2.0 ### parsetools-2.7.1 The parsetools-2.7.1 application can be applied independently of other applications on a full OTP 28 installation. #### Fixed Bugs and Malfunctions - The documentation for the `token/3` and `tokens/3` functions was corrected. The return value when there were too few characters is `{more,Cont}`. Own Id: OTP-19901\ Related Id(s): [PR-10484] > #### Full runtime dependencies of parsetools-2.7.1 > > erts-6.0, kernel-3.0, stdlib-3.4 ### public\_key-1.20.2 Note! The public\_key-1.20.2 application *cannot* be applied independently of other applications on an arbitrary OTP 28 installation. ``` On a full OTP 28 installation, also the following runtime dependency has to be satisfied: -- crypto-5.8 (first satisfied in OTP 28.3) ``` #### Fixed Bugs and Malfunctions - Added missing mapping for der\_encode/decode to handle 'OCSPRequest'. Own Id: OTP-19905\ Related Id(s): [GH-10474], [PR-10522] - `public_key:pkix_crl_verify/2` now handles certificates with EdDSA keys correctly instead of causing a runtime error. Own Id: OTP-19907\ Related Id(s): [GH-10495], [PR-10496] > #### Full runtime dependencies of public\_key-1.20.2 > > asn1-5.0, crypto-5.8, erts-13.0, kernel-8.0, stdlib-4.0 ### reltool-1.0.3 The reltool-1.0.3 application can be applied independently of other applications on a full OTP 28 installation. #### Improvements and New Features - Release applications, tests, and documentation are now placed in their respective directories. Source SBOM with more packages. A `make release` application places only the necessary code in the release folder. The main change is that the documentation and examples are not part of the release folder anymore. `make release_docs` places the documentation in the released code under the `doc` folder. `make release_tests` places the tests in their own directory. It used to be the case that some source code was mixed with the tests, and this should not happen anymore. The Software Bill of Materials places the examples folders as if they are part of the `SPDX-otp-<app>-doc` packge, instead of placing examples as if they were running source code. Overall, this change cleans up many things that were not quite correct by definition, and everything should still continue to work as expected. To test a release, one can still run `./Install -minimal \`pwd\``and add the release to the`PATH`. After that, one can run tests as usual, going into the released tests directory, entering `test\_server\` and running the emulator. Improves the source Software-Bill-of-Materials - The improvements adds new SPDX relations for `asmjit` and `zlib` to be `optional_components_of` the Erlang/OTP project. - The `autoconf` scripts in `make` and `erts` have now been categorised as `build_tool_of` the Erlang/OTP project. - All remaining `configure`, `configure.ac`, `config.h.in`, `Makefile.in`, `Makefile.src`, `EMakefile`, and `GNUMakefile` are now part of a specific SPDX package with relation `build_tool_of` the Erlang/OTP project. Own Id: OTP-19886\ Related Id(s): [PR-10434] > #### Full runtime dependencies of reltool-1.0.3 > > erts-15.0, kernel-9.0, sasl-4.2.1, stdlib-5.0, tools-2.6.14, wx-2.3 ### runtime\_tools-2.3.1 The runtime\_tools-2.3.1 application can be applied independently of other applications on a full OTP 28 installation. #### Improvements and New Features - Release applications, tests, and documentation are now placed in their respective directories. Source SBOM with more packages. A `make release` application places only the necessary code in the release folder. The main change is that the documentation and examples are not part of the release folder anymore. `make release_docs` places the documentation in the released code under the `doc` folder. `make release_tests` places the tests in their own directory. It used to be the case that some source code was mixed with the tests, and this should not happen anymore. The Software Bill of Materials places the examples folders as if they are part of the `SPDX-otp-<app>-doc` packge, instead of placing examples as if they were running source code. Overall, this change cleans up many things that were not quite correct by definition, and everything should still continue to work as expected. To test a release, one can still run `./Install -minimal \`pwd\``and add the release to the`PATH`. After that, one can run tests as usual, going into the released tests directory, entering `test\_server\` and running the emulator. Improves the source Software-Bill-of-Materials - The improvements adds new SPDX relations for `asmjit` and `zlib` to be `optional_components_of` the Erlang/OTP project. - The `autoconf` scripts in `make` and `erts` have now been categorised as `build_tool_of` the Erlang/OTP project. - All remaining `configure`, `configure.ac`, `config.h.in`, `Makefile.in`, `Makefile.src`, `EMakefile`, and `GNUMakefile` are now part of a specific SPDX package with relation `build_tool_of` the Erlang/OTP project. Own Id: OTP-19886\ Related Id(s): [PR-10434] > #### Full runtime dependencies of runtime\_tools-2.3.1 > > erts-16.0, kernel-10.0, mnesia-4.12, stdlib-6.0 ### sasl-4.3.1 The sasl-4.3.1 application can be applied independently of other applications on a full OTP 28 installation. #### Improvements and New Features - Release applications, tests, and documentation are now placed in their respective directories. Source SBOM with more packages. A `make release` application places only the necessary code in the release folder. The main change is that the documentation and examples are not part of the release folder anymore. `make release_docs` places the documentation in the released code under the `doc` folder. `make release_tests` places the tests in their own directory. It used to be the case that some source code was mixed with the tests, and this should not happen anymore. The Software Bill of Materials places the examples folders as if they are part of the `SPDX-otp-<app>-doc` packge, instead of placing examples as if they were running source code. Overall, this change cleans up many things that were not quite correct by definition, and everything should still continue to work as expected. To test a release, one can still run `./Install -minimal \`pwd\``and add the release to the`PATH`. After that, one can run tests as usual, going into the released tests directory, entering `test\_server\` and running the emulator. Improves the source Software-Bill-of-Materials - The improvements adds new SPDX relations for `asmjit` and `zlib` to be `optional_components_of` the Erlang/OTP project. - The `autoconf` scripts in `make` and `erts` have now been categorised as `build_tool_of` the Erlang/OTP project. - All remaining `configure`, `configure.ac`, `config.h.in`, `Makefile.in`, `Makefile.src`, `EMakefile`, and `GNUMakefile` are now part of a specific SPDX package with relation `build_tool_of` the Erlang/OTP project. Own Id: OTP-19886\ Related Id(s): [PR-10434] > #### Full runtime dependencies of sasl-4.3.1 > > erts-15.0, kernel-6.0, stdlib-4.0, tools-2.6.14 ### snmp-5.20.1 The snmp-5.20.1 application can be applied independently of other applications on a full OTP 28 installation. #### Improvements and New Features - Release applications, tests, and documentation are now placed in their respective directories. Source SBOM with more packages. A `make release` application places only the necessary code in the release folder. The main change is that the documentation and examples are not part of the release folder anymore. `make release_docs` places the documentation in the released code under the `doc` folder. `make release_tests` places the tests in their own directory. It used to be the case that some source code was mixed with the tests, and this should not happen anymore. The Software Bill of Materials places the examples folders as if they are part of the `SPDX-otp-<app>-doc` packge, instead of placing examples as if they were running source code. Overall, this change cleans up many things that were not quite correct by definition, and everything should still continue to work as expected. To test a release, one can still run `./Install -minimal \`pwd\``and add the release to the`PATH`. After that, one can run tests as usual, going into the released tests directory, entering `test\_server\` and running the emulator. Improves the source Software-Bill-of-Materials - The improvements adds new SPDX relations for `asmjit` and `zlib` to be `optional_components_of` the Erlang/OTP project. - The `autoconf` scripts in `make` and `erts` have now been categorised as `build_tool_of` the Erlang/OTP project. - All remaining `configure`, `configure.ac`, `config.h.in`, `Makefile.in`, `Makefile.src`, `EMakefile`, and `GNUMakefile` are now part of a specific SPDX package with relation `build_tool_of` the Erlang/OTP project. Own Id: OTP-19886\ Related Id(s): [PR-10434] > #### Full runtime dependencies of snmp-5.20.1 > > asn1-5.4, crypto-4.6, erts-12.0, kernel-8.0, mnesia-4.12, runtime\_tools-1.8.14, stdlib-5.0 ### ssh-5.5 Note! The ssh-5.5 application *cannot* be applied independently of other applications on an arbitrary OTP 28 installation. ``` On a full OTP 28 installation, also the following runtime dependency has to be satisfied: -- crypto-5.7 (first satisfied in OTP 28.1) ``` #### Fixed Bugs and Malfunctions - The type specification for the `CbInitArgs` parameter in `ssh_client_channel:start/4` and `ssh_client_channel:start_link/4` has been relaxed from `[term()]` to `term()`. This eliminates false Dialyzer warnings when passing non-list arguments (such as maps or atoms) to these functions. This change is backward compatible as `term()` includes `[term()`]. Own Id: OTP-19976\ Related Id(s): [GH-10351], [PR-10673] #### Improvements and New Features - Added support for the PQC key exchange (kex) algorithm mlkem768x25519-sha256, a hybrid quantum-resistant algorithm combining ML-KEM-768 with X25519. Own Id: OTP-19824\ Related Id(s): [PR-10512], [PR-10655] \*\*\* HIGHLIGHT \*\*\* > #### Full runtime dependencies of ssh-5.5 > > crypto-5.7, erts-14.0, kernel-10.3, public\_key-1.6.1, runtime\_tools-1.15.1, stdlib-5.0, stdlib-6.0 ### ssl-11.5.2 Note! The ssl-11.5.2 application *cannot* be applied independently of other applications on an arbitrary OTP 28 installation. ``` On a full OTP 28 installation, also the following runtime dependencies have to be satisfied: -- crypto-5.8 (first satisfied in OTP 28.3) -- public_key-1.18.3 (first satisfied in OTP 28.1) ``` #### Fixed Bugs and Malfunctions - TLS servers that have `early_data` disabled will no longer include the `early_data` extension in its session tickets. Own Id: OTP-19940\ Related Id(s): [GH-10567], [PR-10583] - `ssl:connection_information/2` will now return correct information for TLS-1.2 session resumption. Own Id: OTP-19941\ Related Id(s): [GH-10470], [PR-10586] - When performing renegotiation, in TLS-1.2 or earlier, \`max\_frag\_length\` will no longer be renegotiated. Instead, the connection will adhere to its originally negotiated value, and if a value was not negotiated it will not be negotiated. Own Id: OTP-19948\ Related Id(s): [PR-10599] - The NSS Keylogging refactoring mixed up of Read and Write connection states, could cause wrong NSS keylog labels, or `{error, closed}` returned without keylog. Own Id: OTP-19990\ Related Id(s): [GH-10698], [PR-10723] #### Improvements and New Features - Release applications, tests, and documentation are now placed in their respective directories. Source SBOM with more packages. A `make release` application places only the necessary code in the release folder. The main change is that the documentation and examples are not part of the release folder anymore. `make release_docs` places the documentation in the released code under the `doc` folder. `make release_tests` places the tests in their own directory. It used to be the case that some source code was mixed with the tests, and this should not happen anymore. The Software Bill of Materials places the examples folders as if they are part of the `SPDX-otp-<app>-doc` packge, instead of placing examples as if they were running source code. Overall, this change cleans up many things that were not quite correct by definition, and everything should still continue to work as expected. To test a release, one can still run `./Install -minimal \`pwd\``and add the release to the`PATH`. After that, one can run tests as usual, going into the released tests directory, entering `test\_server\` and running the emulator. Improves the source Software-Bill-of-Materials - The improvements adds new SPDX relations for `asmjit` and `zlib` to be `optional_components_of` the Erlang/OTP project. - The `autoconf` scripts in `make` and `erts` have now been categorised as `build_tool_of` the Erlang/OTP project. - All remaining `configure`, `configure.ac`, `config.h.in`, `Makefile.in`, `Makefile.src`, `EMakefile`, and `GNUMakefile` are now part of a specific SPDX package with relation `build_tool_of` the Erlang/OTP project. Own Id: OTP-19886\ Related Id(s): [PR-10434] > #### Full runtime dependencies of ssl-11.5.2 > > crypto-5.8, erts-16.0, inets-5.10.7, kernel-10.3, public\_key-1.18.3, runtime\_tools-1.15.1, stdlib-7.0 ### stdlib-7.3 Note! The stdlib-7.3 application *cannot* be applied independently of other applications on an arbitrary OTP 28 installation. ``` On a full OTP 28 installation, also the following runtime dependency has to be satisfied: -- erts-16.0.3 (first satisfied in OTP 28.0.3) ``` #### Fixed Bugs and Malfunctions - Fixed functions `ets:init_table/2`, `ets:tab2file/2,3`, `ets:table/1,2`, `ets:i/0,1`, `dets:from_ets/2`, and `dets:to_ets/2` to resolve named table arguments only once. This will prevent strange effects if the named table is deleted and recreated by a concurrent process. Own Id: OTP-19911\ Related Id(s): [PR-10536] - Corrected the `af_zip_generator()` type in the parser and `syntax_tools`. Own Id: OTP-19939 - For a function that started with a bracket-only pattern (such as `[]`), the `?FUNCTION_ARITY` macro would evaluate to one less than the actual arity. Own Id: OTP-19988\ Related Id(s): [GH-10705], [PR-10708] #### Improvements and New Features - Added support for `zstd` compression in the [`file`] module. Own Id: OTP-19860\ Related Id(s): [PR-10385] - Release applications, tests, and documentation are now placed in their respective directories. Source SBOM with more packages. A `make release` application places only the necessary code in the release folder. The main change is that the documentation and examples are not part of the release folder anymore. `make release_docs` places the documentation in the released code under the `doc` folder. `make release_tests` places the tests in their own directory. It used to be the case that some source code was mixed with the tests, and this should not happen anymore. The Software Bill of Materials places the examples folders as if they are part of the `SPDX-otp-<app>-doc` packge, instead of placing examples as if they were running source code. Overall, this change cleans up many things that were not quite correct by definition, and everything should still continue to work as expected. To test a release, one can still run `./Install -minimal \`pwd\``and add the release to the`PATH`. After that, one can run tests as usual, going into the released tests directory, entering `test\_server\` and running the emulator. Improves the source Software-Bill-of-Materials - The improvements adds new SPDX relations for `asmjit` and `zlib` to be `optional_components_of` the Erlang/OTP project. - The `autoconf` scripts in `make` and `erts` have now been categorised as `build_tool_of` the Erlang/OTP project. - All remaining `configure`, `configure.ac`, `config.h.in`, `Makefile.in`, `Makefile.src`, `EMakefile`, and `GNUMakefile` are now part of a specific SPDX package with relation `build_tool_of` the Erlang/OTP project. Own Id: OTP-19886\ Related Id(s): [PR-10434] - The removal of the [`slave`] and [`slave`] modules have been postponed to Erlang/OTP 31. The partial removal of the archive feature has been postponed to Erlang/OTP 30. Own Id: OTP-19989\ Related Id(s): [PR-10714] > #### Full runtime dependencies of stdlib-7.3 > > compiler-5.0, crypto-4.5, erts-16.0.3, kernel-10.0, sasl-3.0, syntax\_tools-3.2.1 ### syntax\_tools-4.0.3 The syntax\_tools-4.0.3 application can be applied independently of other applications on a full OTP 28 installation. #### Fixed Bugs and Malfunctions - Corrected the `af_zip_generator()` type in the parser and `syntax_tools`. Own Id: OTP-19939 #### Improvements and New Features - Release applications, tests, and documentation are now placed in their respective directories. Source SBOM with more packages. A `make release` application places only the necessary code in the release folder. The main change is that the documentation and examples are not part of the release folder anymore. `make release_docs` places the documentation in the released code under the `doc` folder. `make release_tests` places the tests in their own directory. It used to be the case that some source code was mixed with the tests, and this should not happen anymore. The Software Bill of Materials places the examples folders as if they are part of the `SPDX-otp-<app>-doc` packge, instead of placing examples as if they were running source code. Overall, this change cleans up many things that were not quite correct by definition, and everything should still continue to work as expected. To test a release, one can still run `./Install -minimal \`pwd\``and add the release to the`PATH`. After that, one can run tests as usual, going into the released tests directory, entering `test\_server\` and running the emulator. Improves the source Software-Bill-of-Materials - The improvements adds new SPDX relations for `asmjit` and `zlib` to be `optional_components_of` the Erlang/OTP project. - The `autoconf` scripts in `make` and `erts` have now been categorised as `build_tool_of` the Erlang/OTP project. - All remaining `configure`, `configure.ac`, `config.h.in`, `Makefile.in`, `Makefile.src`, `EMakefile`, and `GNUMakefile` are now part of a specific SPDX package with relation `build_tool_of` the Erlang/OTP project. Own Id: OTP-19886\ Related Id(s): [PR-10434] > #### Full runtime dependencies of syntax\_tools-4.0.3 > > compiler-9.0, erts-16.0, kernel-10.3, stdlib-7.0 ### tools-4.1.4 The tools-4.1.4 application can be applied independently of other applications on a full OTP 28 installation. #### Improvements and New Features - Release applications, tests, and documentation are now placed in their respective directories. Source SBOM with more packages. A `make release` application places only the necessary code in the release folder. The main change is that the documentation and examples are not part of the release folder anymore. `make release_docs` places the documentation in the released code under the `doc` folder. `make release_tests` places the tests in their own directory. It used to be the case that some source code was mixed with the tests, and this should not happen anymore. The Software Bill of Materials places the examples folders as if they are part of the `SPDX-otp-<app>-doc` packge, instead of placing examples as if they were running source code. Overall, this change cleans up many things that were not quite correct by definition, and everything should still continue to work as expected. To test a release, one can still run `./Install -minimal \`pwd\``and add the release to the`PATH`. After that, one can run tests as usual, going into the released tests directory, entering `test\_server\` and running the emulator. Improves the source Software-Bill-of-Materials - The improvements adds new SPDX relations for `asmjit` and `zlib` to be `optional_components_of` the Erlang/OTP project. - The `autoconf` scripts in `make` and `erts` have now been categorised as `build_tool_of` the Erlang/OTP project. - All remaining `configure`, `configure.ac`, `config.h.in`, `Makefile.in`, `Makefile.src`, `EMakefile`, and `GNUMakefile` are now part of a specific SPDX package with relation `build_tool_of` the Erlang/OTP project. Own Id: OTP-19886\ Related Id(s): [PR-10434] > #### Full runtime dependencies of tools-4.1.4 > > compiler-8.5, erts-15.0, erts-15.0, kernel-10.0, runtime\_tools-2.1, stdlib-6.0 ### wx-2.5.4 The wx-2.5.4 application can be applied independently of other applications on a full OTP 28 installation. #### Improvements and New Features - Release applications, tests, and documentation are now placed in their respective directories. Source SBOM with more packages. A `make release` application places only the necessary code in the release folder. The main change is that the documentation and examples are not part of the release folder anymore. `make release_docs` places the documentation in the released code under the `doc` folder. `make release_tests` places the tests in their own directory. It used to be the case that some source code was mixed with the tests, and this should not happen anymore. The Software Bill of Materials places the examples folders as if they are part of the `SPDX-otp-<app>-doc` packge, instead of placing examples as if they were running source code. Overall, this change cleans up many things that were not quite correct by definition, and everything should still continue to work as expected. To test a release, one can still run `./Install -minimal \`pwd\``and add the release to the`PATH`. After that, one can run tests as usual, going into the released tests directory, entering `test\_server\` and running the emulator. Improves the source Software-Bill-of-Materials - The improvements adds new SPDX relations for `asmjit` and `zlib` to be `optional_components_of` the Erlang/OTP project. - The `autoconf` scripts in `make` and `erts` have now been categorised as `build_tool_of` the Erlang/OTP project. - All remaining `configure`, `configure.ac`, `config.h.in`, `Makefile.in`, `Makefile.src`, `EMakefile`, and `GNUMakefile` are now part of a specific SPDX package with relation `build_tool_of` the Erlang/OTP project. Own Id: OTP-19886\ Related Id(s): [PR-10434] > #### Full runtime dependencies of wx-2.5.4 > > erts-12.0, kernel-8.0, stdlib-5.0 ### xmerl-2.1.9 The xmerl-2.1.9 application can be applied independently of other applications on a full OTP 28 installation. #### Fixed Bugs and Malfunctions - Fixed license headers and links in documentation. Own Id: OTP-20006\ Related Id(s): [PR-10438] > #### Full runtime dependencies of xmerl-2.1.9 > > erts-6.0, kernel-8.4, stdlib-2.5 ### Thanks to Benjamin Philip, Dmytro Lytovchenko, Jan Uhlig, Jonatan Männchen, Luke Bakken, Maria Scott, Mend Renovate, Nelson Vides, Robert Gionea, ryan-duve, Stavros Aronis, Stefan Grundmann, wallacegibbon [gh-10351]: https://github.com/erlang/otp/issues/10351 [gh-10371]: https://github.com/erlang/otp/issues/10371 [gh-10470]: https://github.com/erlang/otp/issues/10470 [gh-10474]: https://github.com/erlang/otp/issues/10474 [gh-10494]: https://github.com/erlang/otp/issues/10494 [gh-10495]: https://github.com/erlang/otp/issues/10495 [gh-10501]: https://github.com/erlang/otp/issues/10501 [gh-10513]: https://github.com/erlang/otp/issues/10513 [gh-10567]: https://github.com/erlang/otp/issues/10567 [gh-10652]: https://github.com/erlang/otp/issues/10652 [gh-10698]: https://github.com/erlang/otp/issues/10698 [gh-10705]: https://github.com/erlang/otp/issues/10705 [gh-9681]: https://github.com/erlang/otp/issues/9681 [pr-10271]: https://github.com/erlang/otp/pull/10271 [pr-10385]: https://github.com/erlang/otp/pull/10385 [pr-10434]: https://github.com/erlang/otp/pull/10434 [pr-10438]: https://github.com/erlang/otp/pull/10438 [pr-10451]: https://github.com/erlang/otp/pull/10451 [pr-10469]: https://github.com/erlang/otp/pull/10469 [pr-10484]: https://github.com/erlang/otp/pull/10484 [pr-10486]: https://github.com/erlang/otp/pull/10486 [pr-10496]: https://github.com/erlang/otp/pull/10496 [pr-10512]: https://github.com/erlang/otp/pull/10512 [pr-10521]: https://github.com/erlang/otp/pull/10521 [pr-10522]: https://github.com/erlang/otp/pull/10522 [pr-10536]: https://github.com/erlang/otp/pull/10536 [pr-10537]: https://github.com/erlang/otp/pull/10537 [pr-10546]: https://github.com/erlang/otp/pull/10546 [pr-10550]: https://github.com/erlang/otp/pull/10550 [pr-10576]: https://github.com/erlang/otp/pull/10576 [pr-10583]: https://github.com/erlang/otp/pull/10583 [pr-10586]: https://github.com/erlang/otp/pull/10586 [pr-10588]: https://github.com/erlang/otp/pull/10588 [pr-10599]: https://github.com/erlang/otp/pull/10599 [pr-10602]: https://github.com/erlang/otp/pull/10602 [pr-10623]: https://github.com/erlang/otp/pull/10623 [pr-10624]: https://github.com/erlang/otp/pull/10624 [pr-10625]: https://github.com/erlang/otp/pull/10625 [pr-10630]: https://github.com/erlang/otp/pull/10630 [pr-10655]: https://github.com/erlang/otp/pull/10655 [pr-10665]: https://github.com/erlang/otp/pull/10665 [pr-10668]: https://github.com/erlang/otp/pull/10668 [pr-10672]: https://github.com/erlang/otp/pull/10672 [pr-10673]: https://github.com/erlang/otp/pull/10673 [pr-10675]: https://github.com/erlang/otp/pull/10675 [pr-10678]: https://github.com/erlang/otp/pull/10678 [pr-10684]: https://github.com/erlang/otp/pull/10684 [pr-10708]: https://github.com/erlang/otp/pull/10708 [pr-10714]: https://github.com/erlang/otp/pull/10714 [pr-10723]: https://github.com/erlang/otp/pull/10723 [pr-10752]: https://github.com/erlang/otp/pull/10752 [pr-9695]: https://github.com/erlang/otp/pull/9695 [rfc9110]: https://datatracker.ietf.org/doc/html/rfc9110 [`file`]: https://erlang.org/doc/man/file [`slave`]: https://erlang.org/doc/man/slave </details> --- ### Configuration 📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) in timezone Pacific/Auckland, Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) in timezone Pacific/Auckland. 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://harton.dev/james/vivid_png/pulls/122 Co-authored-by: Renovate Bot <[email protected]> Co-committed-by: Renovate Bot <[email protected]>

zuiderkwast · 2026-03-23T19:54:29Z

Thanks for fixing non-blocking send (send_timeout 0). I have two questions:

In which OTP version (and ssl app version) was this bug / behavior change introduced?
Is there any other way to get non-blocking send in ssl? Does it work to use the socket backend and get RestData back? Wouldn't that already be encrypted so the ssl:send would need to be aware of that?

If you simply add a function like ssl:send_rest_data, then I would use it. :)

zuiderkwast · 2026-03-23T20:38:12Z

FWIW, I tried using {inet_backend, socket} with ssl:connect in OTP 28.3.x.

Erlang/OTP 28 [erts-16.1.2] [source] [64-bit] [smp:14:14] [ds:14:14:10] [async-threads:1] [jit] [dtrace]

Eshell V16.1.2 (press Ctrl+G to abort, type help(). for help)
1> ssl:connect("127.0.0.1", 12345, [{inet_backend, socket}, {send_timeout, 0}, {verify, verify_none}]).
{error,{badarg,"gen_tcp:connect(\"127.0.0.1\", 12345, [{send_timeout,0},{inet_backend,socket}], infinity)"}}

ssl appears to reorder the options before passing them to gen_tcp:connect.

The gen_tcp manual has a note that says this option has to be first:

Functions that create sockets can take an optional option; {inet_backend, Backend} that, if specified, has to be the first option.

IngelaAndin · 2026-03-24T06:58:40Z

@zuiderkwast The behavior changed in OTP-28 track. It is not expected to work as ssl:send is not a byte-shuffling operation.
It only works with the inet-driver as it always buffers everything and hence will only return {error, timeout} and never return any "RestData". This however is a implementation detail and something that you should not rely on (although some people do and we just restored the behavior to give them time to solve thier problem better). So the data will eventually be sent unless you send so much that VM runs in to OOM-problems. This will not work with the socket_backend that does not buffer any data.

When ssl uses socket sockets it can itself handle RestData but the user can not. In the future we might introduce an asynchronous ssl:send operation that will then work regardless of the transport protocol used, this is normally TCP but it does not have to be. It does not normally make sense to use underlaying transport specific configurations when configuring TLS
as we also clarified in the documentation in this PR.

zuiderkwast · 2026-03-24T09:35:19Z

Thanks Ingela.

(although some people do and we just restored the behavior to give them time to solve thier problem better)

By "solve their problem better", you mean using a proxy-process for blocking send?

It's the only alternative I can see, because closing the connection when the send buffer is full is not an option when you send a stream of (potentially) non-idempotent commands to some server.

When I learned about non-blocking send, I thought it's genious and wanted to start using it everywhere instead of send proxy processes. It's like the send counterpart of active mode. Using a separate send processes for every TCP/TLS connection unnecessary complex. Instead of a single gen-server, you now need a supervision tree and various interactions between the processes.

When ssl uses socket sockets it can itself handle RestData but the user can not.

In which way? Does it make ssl:send blocking or send it to gen_tcp in the background? Does ssl:send still return ok? That means the caller doesn't get any back pressure indication to hold off sending more data.

Btw, are there any plans to make ssl work with the {inet_backend, socket} option? Currently it just returns badarg, as mentioned above.

In the future we might introduce an asynchronous ssl:send operation that will then work regardless of the transport protocol used

Looking forward to this!

It would be very good to get back pressure to the caller so it can backoff the sending, wait for some responses (if it's a request-response protocol) before trying again. This back pressure is exactly what the old {error, timeout} is.

JeppeTh · 2026-03-24T09:55:23Z

Yes - if that backend ever is removed an alternative solution is required.

We use this non-blocking send mechanism as an overload protection - i.e. when send buffer gets full we start to drop signals.

We don't want socket to be terminated nor some extra send process that blocks and builds queue.

IngelaAndin · 2026-03-24T10:02:33Z

@zuiderkwast It does work with the inet_backend if you ensure that will be first (for instance only inet option) or if the list happens to be reversed reverse it. But I can agree that we should make sure it is first your welcome to fix it with a PR.

Better as in not relying on something that will not work in the common case. And it might be a while until inet-driver is removed, and best end solution might be using new functionality.

zuiderkwast · 2026-03-24T12:58:12Z

@IngelaAndin Here is a PR fixing the reversed options:

ssl: Preserve inet option order in emulated_options #10908

ssl: Retain backwards compatibility for the inet-driver

0afc302

IngelaAndin self-assigned this Mar 6, 2026

IngelaAndin added the team:PS Assigned to OTP team PS label Mar 6, 2026

IngelaAndin requested review from dgud and u3s March 6, 2026 09:44

IngelaAndin requested a review from rickard-green March 6, 2026 09:45

u3s requested changes Mar 6, 2026

View reviewed changes

u3s reviewed Mar 6, 2026

View reviewed changes

IngelaAndin force-pushed the ingela/ssl/backwards-inet-compat/OTP-20018 branch 2 times, most recently from fa6394d to 969cf5e Compare March 6, 2026 13:18

ssl: Retain some backwards compatibility for inet driver behaviour

108e8d0

Buy time for people that might have relied on this behavior for better solutions to be crated.

IngelaAndin force-pushed the ingela/ssl/backwards-inet-compat/OTP-20018 branch from 969cf5e to 108e8d0 Compare March 6, 2026 13:39

IngelaAndin requested a review from u3s March 6, 2026 13:56

IngelaAndin added the testing currently being tested, tag is used by OTP internal CI label Mar 6, 2026

u3s approved these changes Mar 6, 2026

View reviewed changes

IngelaAndin merged commit 94221d4 into erlang:maint Mar 9, 2026
25 checks passed

Conversation

IngelaAndin commented Mar 6, 2026

Uh oh!

github-actions bot commented Mar 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

CT Test Results

Artifacts

Uh oh!

u3s left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

zuiderkwast commented Mar 23, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

zuiderkwast commented Mar 23, 2026

Uh oh!

IngelaAndin commented Mar 24, 2026

Uh oh!

zuiderkwast commented Mar 24, 2026

Uh oh!

JeppeTh commented Mar 24, 2026

Uh oh!

IngelaAndin commented Mar 24, 2026

Uh oh!

zuiderkwast commented Mar 24, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

github-actions bot commented Mar 6, 2026 •

edited

Loading

zuiderkwast commented Mar 23, 2026 •

edited

Loading