Patch Package OTP 28.5 Released

Erlang/OTP otp@REDACTED
Thu Apr 23 17:22:36 CEST 2026 

Patch Package:           OTP 28.5
Git Tag:                 OTP-28.5
Date:                    2026-04-23
Trouble Report Id:       OTP-16607, OTP-19162, OTP-19967, OTP-20038,
                         OTP-20043, OTP-20082, OTP-20094, OTP-20098,
                         OTP-20101, OTP-20106
Seq num:                 GH-10667, GH-10812, GH-10915, GH-10967,
                         OTP-16608, PR-10431, PR-10881, PR-10908,
                         PR-10924, PR-10957, PR-10976, PR-11002,
                         PR-11045
System:                  OTP
Release:                 28
Application:             erl_interface-5.7, erts-16.4, mnesia-4.25.3,
                         ssl-11.6
Predecessor:             OTP 28.4.3

Check out the git tag OTP-28.5, and build a full OTP system including
documentation. Apply one or more applications from this build as patches to your
installation using the 'otp_patch_apply' tool. For information on install
requirements, see descriptions for each application version below.

# HIGHLIGHTS

- There is a new "Secure Coding Guidelines" document in Design Principles
  describing how to write secure Erlang code.

  Own Id: OTP-20043
  Application(s): otp
  Related Id(s): PR-10431

# OTP-28.5

## Improvements and New Features

- There is a new "Secure Coding Guidelines" document in Design Principles
  describing how to write secure Erlang code.

  Own Id: OTP-20043
  Related Id(s): PR-10431

  *** HIGHLIGHT ***

# erl_interface-5.7

The erl_interface-5.7 application can be applied independently of other
applications on a full OTP 28 installation.

## Improvements and New Features

- A new `configure` option `--{enable,disable}-use-embedded-3pp-alternatives`
  has been added. When _enabled_, `configure` is forced to find alternatives, to
  a subset, of the embedded third-party products (_3pps_) in the runtime system,
  and when _disabled_, `configure` will use all internal embedded 3pps.
  Currently this option affects `zstd`, `zlib`, `ryu` (with `STL`), `openssl`
  and `tcl`. The default is to use all built-in embedded 3pps except for `zlib`
  which by default will use `zlib` on the OS if available.

  Requirements for alternatives:

  - `zstd` - Static library and include files of at least version 1.5.6 needs to
    be available.
  - `zlib` - Library and include files of at least version 1.2.5 needs to be
    available.
  - `ryu` (with `STL`) - A usable C++ compiler with C++17 support.
  - `openssl` - No requirements. Our own MD5 implementation will be used.
  - `tcl` - The `strerrorname_np()` function (introduced in glibc 2.32) mapping
    errno integers to symbolic names needs to be available.

  The argument `embedded_3pps` has been added to erlang:system_info/1. It
  returns a map with information about the use of embedded 3pps in the runtime
  system.

  Own Id: OTP-20106
  Related Id(s): PR-11045

## Known Bugs and Problems

- The `ei` API for decoding/encoding terms is not fully 64-bit compatible since
  terms that have a representation on the external term format larger than 2 GB
  cannot be handled.

  Own Id: OTP-16607
  Related Id(s): OTP-16608

# erts-16.4

The erts-16.4 application can be applied independently of other applications on
a full OTP 28 installation.

## Fixed Bugs and Malfunctions

- Fixed bug in `enif_make_map_from_arrays` for arrays with at least 33 keys. If
  duplicate keys existed, instead of failing, it would skip the duplicates. If
  less than 33 unique keys existed, an internally inconsistent and broken map
  was returned.

  Own Id: OTP-20098
  Related Id(s): PR-10976

- Fixed an issue when supplying the args_file option to erl.exe on windows that
  did not handle unicode characters correctly.

  Own Id: OTP-20101
  Related Id(s): GH-10667

## Improvements and New Features

- A new `configure` option `--{enable,disable}-use-embedded-3pp-alternatives`
  has been added. When _enabled_, `configure` is forced to find alternatives, to
  a subset, of the embedded third-party products (_3pps_) in the runtime system,
  and when _disabled_, `configure` will use all internal embedded 3pps.
  Currently this option affects `zstd`, `zlib`, `ryu` (with `STL`), `openssl`
  and `tcl`. The default is to use all built-in embedded 3pps except for `zlib`
  which by default will use `zlib` on the OS if available.

  Requirements for alternatives:

  - `zstd` - Static library and include files of at least version 1.5.6 needs to
    be available.
  - `zlib` - Library and include files of at least version 1.2.5 needs to be
    available.
  - `ryu` (with `STL`) - A usable C++ compiler with C++17 support.
  - `openssl` - No requirements. Our own MD5 implementation will be used.
  - `tcl` - The `strerrorname_np()` function (introduced in glibc 2.32) mapping
    errno integers to symbolic names needs to be available.

  The argument `embedded_3pps` has been added to erlang:system_info/1. It
  returns a map with information about the use of embedded 3pps in the runtime
  system.

  Own Id: OTP-20106
  Related Id(s): PR-11045

> #### Full runtime dependencies of erts-16.4
>
> kernel-9.0, sasl-3.3, stdlib-4.1

# mnesia-4.25.3

The mnesia-4.25.3 application can be applied independently of other applications
on a full OTP 28 installation.

## Fixed Bugs and Malfunctions

- Added documentation for `user_properties` and functions
  `read_table_property/2`, `write_table_property/2`, `delete_table_property`.
  Enhanced documentation for `frag_properties`.

  Own Id: OTP-20038
  Related Id(s): GH-10812, PR-10881

- Fixed a bug where stacktrace was not returned from mnesia:transaction/1 when
  transaction aborts with an error exception.

  Own Id: OTP-20094
  Related Id(s): GH-10967, PR-11002

> #### Full runtime dependencies of mnesia-4.25.3
>
> erts-9.0, kernel-5.3, stdlib-5.0

# ssl-11.6

Note! The ssl-11.6 application _cannot_ be applied independently of other
applications on an arbitrary OTP 28 installation.

       On a full OTP 28 installation, also the following runtime
       dependencies have to be satisfied:
       -- crypto-5.8 (first satisfied in OTP 28.3)
       -- public_key-1.20.3 (first satisfied in OTP 28.4.2)

## Fixed Bugs and Malfunctions

- Preserve inet option order, as inet_backend option must be first option. Will
  make inet_backend option work for ssl independently of number of inet supplied
  options.

  Own Id: OTP-19162
  Related Id(s): PR-10908

- Missing conformance check for signature algorithms in TLS-1.3 could cause
  selection of incompatible certificate when a server is configured with more
  than one possible certificate.

  Own Id: OTP-20082
  Related Id(s): GH-10915, PR-10924

## Improvements and New Features

- Avoid unnecessary memory consumption for temporary processes in a supervision
  tree.

  Own Id: OTP-19967
  Related Id(s): PR-10957

> #### Full runtime dependencies of ssl-11.6
>
> crypto-5.8, erts-16.0, inets-5.10.7, kernel-10.3, public_key-1.20.3,
> runtime_tools-1.15.1, stdlib-7.0

# Thanks to

felipe stival, Hewwho, Hugo Baraúna, Nick Vatamaniuc, Viktor Söderqvist, William
Yang

More information about the erlang-announce mailing list