Interesting... I don't see the issue now either. It was very concerning when I did see it though, as it looked like a source was hacked.
On Wed, Sep 24, 2025 at 1:36 AM Manuel Traut <[email protected]> wrote: > Control: tags 1115987 = moreinfo unreproducible > > Hi Jesse, > > thanks for your report. > > Am 2025-09-22 20:50, schrieb Jesse Cooke: > > Package: cozy > > Severity: normal > > X-Debbugs-Cc: [email protected] > > > > Dear Maintainer, > > > > When I ran `sudo apt update` this morning I saw the following error: > > > > ``` > > ➜ sudo apt update > > [sudo: authenticate] Password: > > Hit:1 http://deb.debian.org/debian testing InRelease > > Hit:2 http://security.debian.org/debian-security testing-security > > InRelease > > Hit:3 http://deb.debian.org/debian testing-updates InRelease > > Entity: line 4: parser error : xmlParseEntityRef: no name > > ZhengMa, WuBi, ErBi, CangJie, &. But some tables for other > > ^ > > Entity: line 8: parser error : Opening and ending tag mismatch: li line > > 8 and root > > <li>Lots of emojis</root> > > ^ > > Entity: line 5: parser error : xmlParseEntityRef: no name > > <li>Listen to your DRM free mp3, m4b, m4a (aac, ALAC, &), flac, ogg > > and wav au > > ^ > > 254 packages can be upgraded. Run 'apt list --upgradable' to see them. > > ``` > > On a new install of Debian 13 and an upgrade to 'testing' the issue > doesn't appear. > > > I used the following commands to track down the specific source > > > > ``` > > ➜ sudo apt update -o Debug::pkgAcquire::Worker=1 2>&1 | grep -B10 -A2 > > "xmlParseEntityRef" > > <- > > http:102%20Status%0aMessage:%20Waiting%20for%20headers%0aURI:%20 > http://deb.debian.org/debian/dists/testing-updates/InRelease > > <- > > > http:201%20URI%20Done%0aIMS-Hit:%20true%0aLast-Modified:%20Mon,%2022%20Sep%202025%2014:12:38%20+0000%0aFilename:%20/var/lib/apt/lists/partial/deb.debian.org_debian_dists_testing-updates_InRelease%0aURI:%20 > http://deb.debian.org/debian/dists/testing-updates/InRelease > > Hit:2 http://deb.debian.org/debian testing-updates InRelease > > <- > > > http:201%20URI%20Done%0aIMS-Hit:%20true%0aLast-Modified:%20Mon,%2022%20Sep%202025%2018:04:47%20+0000%0aFilename:%20/var/lib/apt/lists/partial/security.debian.org_debian-security_dists_testing-security_InRelease%0aURI:%20 > http://security.debian.org/debian-security/dists/testing-security/InRelease > > Hit:3 http://security.debian.org/debian-security testing-security > > InRelease > > <- > > > sqv:201%20URI%20Done%0aSigned-By:%2004B54C3CDCA79751B16BC6B5225629DF75B188BD%0a%20B8B80B5B623EAB6AD8775C45B7C5D7D6350947F8%0aFilename:%20/var/lib/apt/lists/deb.debian.org_debian_dists_testing_InRelease%0aURI:%20sqv:/var/lib/apt/lists/deb.debian.org_debian_dists_testing_InRelease > > -> > > > sqv:600%20URI%20Acquire%0aURI:%20sqv:/var/lib/apt/lists/deb.debian.org_debian_dists_testing-updates_InRelease%0aFilename:%20/var/lib/apt/lists/deb.debian.org_debian_dists_testing-updates_InRelease%0aTarget-Type:%20index%0aTarget-Release:%20testing-updates%0aTarget-Repo-URI:%20 > http://deb.debian.org/debian/%0aTarget-Base-URI:%20http://deb.debian.org/debian/dists/testing-updates/%0aTarget-Site:%20http://deb.debian.org/debian%0aIndex-File:%20true%0aMaximum-Size:%2010000000%0aLast-Modified:%20Mon,%2022%20Sep%202025%2014:12:38%20GMT%0aFail-Ignore:%20true%0aSigned-By:%20/usr/share/keyrings/debian-archive-keyring.gpg%0a%0a > > <- > > > sqv:201%20URI%20Done%0aSigned-By:%2004B54C3CDCA79751B16BC6B5225629DF75B188BD%0a%20B8B80B5B623EAB6AD8775C45B7C5D7D6350947F8%0aFilename:%20/var/lib/apt/lists/deb.debian.org_debian_dists_testing-updates_InRelease%0aURI:%20sqv:/var/lib/apt/lists/deb.debian.org_debian_dists_testing-updates_InRelease > > -> > > > sqv:600%20URI%20Acquire%0aURI:%20sqv:/var/lib/apt/lists/security.debian.org_debian-security_dists_testing-security_InRelease%0aFilename:%20/var/lib/apt/lists/security.debian.org_debian-security_dists_testing-security_InRelease%0aTarget-Type:%20index%0aTarget-Release:%20testing-security%0aTarget-Repo-URI:%20 > http://security.debian.org/debian-security/%0aTarget-Base-URI:%20http://security.debian.org/debian-security/dists/testing-security/%0aTarget-Site:%20http://security.debian.org/debian-security%0aIndex-File:%20true%0aMaximum-Size:%2010000000%0aLast-Modified:%20Mon,%2022%20Sep%202025%2018:04:47%20GMT%0aFail-Ignore:%20true%0aSigned-By:%20/usr/share/keyrings/debian-archive-keyring.gpg%0a%0a > > <- > > > sqv:201%20URI%20Done%0aSigned-By:%2005AB90340C0C5E797F44A8C8254CF3B5AEC0A8F0%0a%205E04A1E3223A19A20706E20F9904613D4CCE68C6%0aFilename:%20/var/lib/apt/lists/security.debian.org_debian-security_dists_testing-security_InRelease%0aURI:%20sqv:/var/lib/apt/lists/security.debian.org_debian-security_dists_testing-security_InRelease > > Entity: line 4: parser error : xmlParseEntityRef: no name > > ZhengMa, WuBi, ErBi, CangJie, &. But some tables for other > > ^ > > Entity: line 8: parser error : Opening and ending tag mismatch: li line > > 8 and root > > <li>Lots of emojis</root> > > ^ > > Entity: line 5: parser error : xmlParseEntityRef: no name > > <li>Listen to your DRM free mp3, m4b, m4a (aac, ALAC, &), flac, ogg > > and wav au > > > > ``` > > The ampersand isn't in upstream, nor in Debian: > https://sources.debian.org/src/cozy/1.3.0-3/README.md#L26 > > > ``` > > ➜ bash -c 'for f in /var/lib/apt/lists/*Components*.gz; do > > echo "=== $f ===" > > zcat "$f" | grep -A5 -B5 "ZhengMa\\|DRM free" 2>/dev/null || echo > > "Not found" > > done' > > === > > > /var/lib/apt/lists/deb.debian.org_debian_dists_testing_main_dep11_Components-amd64.yml.gz > > > === > > Nor on the origin of the file, try: > > $ curl > > https://ftp.debian.org/debian/dists/testing/main/dep11/Components-amd64.yml.gz > 2> /dev/null | zcat | grep -A5 -B5 "ZhengMa\\|DRM free" > > > <p>Cozy is a audio book player. Here are some of the features:</p> > > > > <ul> > > <li>Import all your audio books into Cozy to browse them > > comfortably</li> > > <li>Listen to your DRM free mp3, m4b, m4a (aac, ALAC, &), flac, > > ogg and wav audio books</li> > > <li>Remembers your playback position</li> > > <li>Sleep timer</li> > > <li>Playback speed control for each book individually</li> > > <li>Search your library</li> > > <li>Multiple storage location support</li> > > -- > > C: Table based input method > > pt-PT: Tabela baseada no modo de entrada > > Description: > > ca: >- > > <p>Ibus-table és un marc de treball de mètode d'entrada per als > > mètodes d'entrada basats en taules. Sobretot s'utilitza per als mètodes > > d'entrada xinesos com ara ZhengMa, WuBi, ErBi, CangJie, &. No > > obstant això, també hi ha disponible algunes taules per a altres > > idiomes.</p> > > tr: >- > > <p>Ibus-table, tablo tabanlı giriş yöntemleri için bir giriş > > yöntemi çerçevesidir. Çoğunlukla ZhengMa, WuBi, ErBi, CangJie, ... gibi > > Çince > > giriş yöntemleri için kullanılır. Ancak diğer diller için de > > kullanılabilir bazı tablolar bulunmaktadır.</p> > > fr: >- > > <p>Ibus-table est un cadriciel pour les méthodes de saisie basées > > sur des tables. Il est principalement utilisé pour les méthodes de > > saisie > > Chinoises telles que ZhengMa, Wubizixing, ErBi, CangJie… Mais des > > tables pour d’autres langues sont également disponibles.</p> > > de: >- > > <p>Ibus-table ist eine Inputsystem für tabellenbasierte > > Inputmethoden. Es wird hauptsächlich für chinesiche Inputmethoden wie > > ZhengMa, > > WuBi, ErBi, CangJie usw. benutzt. Aber es gibt auch einige Tabellen > > für andere Sprachen.</p> > > pt-BR: >- > > <p>Ibus-table é uma framework de método de entrada para métodos de > > entrada baseados em tabela. É usado principalmente para métodos de > > entrada chineses, como ZhengMa, WuBi, ErBi, CangJie, &. Mas algumas > > tabelas para outros idiomas também estão disponíveis.</p> > > uk: >- > > <p>Ibus-table >болонка Aпособів 2ведення Aимволів 7а 4опомогою > > Bаблиці. дебільшого 2икористовується 4ля Aпособів 2ведення Aимволів > > :итайської, 7окрема ZhengMa, WuBi, ErBi, CangJie, & ле ?ередбачено > > V Bаблиці 4ля 4еяких Vнших <ов.</p> > > zh-Hans-CN: >- > > <p>Ibus-table > > /个适用于码表输入法的输入法框架。通常用在中文输入法上,比如郑码、五笔、二笔、仓颉等等……但也有其他语言的码表使用此框架。</p> > > ru: >- > > <p>Ibus-table - Mто Dреймворк Aпособов 2вода Aимволов >снованных =а > > Bаблицах. >сновном 8спользуется 4ля <етодов 2вода :итайских Aимволов, > > Bаких :ак ZhengMa, WuBi, ErBi, CangJie, &. о Bакже 4оступны > > =екоторые Bаблицы 4ля 4ругих Oзыков.</p> > > es: >- > > <p>Ibus-table es un marco común para métodos de entrada basados en > > tablas. Se usa sobre todo para métodos de entrada de chino, como > > ZhengMa, > > WuBi, ErBi o CangJie, aunque también hay tablas para otros > > idiomas.</p> > > pt-PT: >- > > <p>Tabela Ibus é uma estrutura de método de entrada para métodos de > > entrada baseados em tabela. É utilizado principalmente para os métodos > > de entrada chineses, tais como ZhengMa, WuBi, ErBi, CangJie, &. Mas > > também estão disponíveis algumas tabelas para outros idiomas.</p> > > C: >- > > <p> > > Ibus-table is an input method framework for table-based input > > methods. Mostly it is used for Chinese input methods such as > > ZhengMa, WuBi, ErBi, CangJie, &. But some tables for other > > languages are available as well. > > </p> > > Developer: > > id: io.github.mike-fabian > > name: > > === > > > /var/lib/apt/lists/deb.debian.org_debian_dists_testing_non-free-firmware_dep11_Components-amd64.yml.gz > > > === > > ``` > > > > It looks like the cozy README is the problem? > > Here is the current line, which does not quite match the error because > > I'm guessing the ... is being converted to an &. > > > https://github.com/geigi/cozy/blob/0be2d30e0743ebf27ff272c8c074591418e4f2cc/README.md#L28 > > cozy is in the same version in multiple Debian suites. I don't expect it > is the root of this problem. > Also I cannot reproduce it and don't see the relevant characters in > upstream or the Components.gz on the Debian mirrors. > >
