Fallback to alternate Debian mirrors on apt failure

When apt-get update fails, switch from disabling hash verification/insecure repos to trying a list of alternate Debian mirrors. Updated misc/build.func to iterate a curated mirror list, rewrite /etc/apt/sources.list* to point to each mirror, and attempt apt-get update/install until one succeeds (exiting with failure if all mirrors fail). Updated misc/install.func to perform a similar mirror-rotation loop and return an error if no mirror succeeds. Also adjusted warning/error messages to reflect the new behavior. This improves resilience against repo desyncs without enabling insecure apt settings.

misc/build.func

@@ -4601,20 +4601,47 @@ EOF'
     fi
 
     pct exec "$CTID" -- bash -c "apt-get update >/dev/null 2>&1 && apt-get install -y sudo curl mc gnupg2 jq >/dev/null 2>&1" || {
-      msg_warn "apt-get update failed, bypassing hash verification (Debian repo desync)..."
+      msg_warn "apt-get update failed, trying alternate mirrors..."
       pct exec "$CTID" -- bash -c '
         APT_BASE="sudo curl mc gnupg2 jq"
+        MIRRORS="
+          ftp.debian.org
+          ftp.us.debian.org
+          ftp.de.debian.org
+          ftp.fr.debian.org
+          ftp.nl.debian.org
+          ftp.uk.debian.org
+          ftp.ch.debian.org
+          ftp.se.debian.org
+          ftp.it.debian.org
+          ftp.au.debian.org
+          ftp.jp.debian.org
+          ftp.ca.debian.org
+          debian.csail.mit.edu
+          mirrors.ocf.berkeley.edu
+          mirrors.wikimedia.org
+          debian.osuosl.org
+          mirror.cogentco.com
+          ftp.fau.de
+          ftp.halifax.rwth-aachen.de
+          debian.mirror.lrz.de
+          mirror.init7.net
+          debian.ethz.ch
+          mirrors.dotsrc.org
+          debian.mirrors.ovh.net
+          mirror.aarnet.edu.au
+        "
         echo "Acquire::By-Hash \"no\";" >/etc/apt/apt.conf.d/99no-by-hash
-        echo "Acquire::AllowInsecureRepositories \"true\";" >>/etc/apt/apt.conf.d/99no-by-hash
-        rm -rf /var/lib/apt/lists/*
-        apt-get update --allow-insecure-repositories >/dev/null 2>&1 && \
-          apt-get install -y --allow-unauthenticated $APT_BASE >/dev/null 2>&1
-        ret=$?
-        # Restore secure settings
-        echo "Acquire::By-Hash \"no\";" >/etc/apt/apt.conf.d/99no-by-hash
-        rm -rf /var/lib/apt/lists/*
-        apt-get update >/dev/null 2>&1 || true
-        exit $ret
+        for mirror in $MIRRORS; do
+          for src in /etc/apt/sources.list.d/debian.sources /etc/apt/sources.list; do
+            [ -f "$src" ] && sed -i "s|URIs: http[s]*://[^/]*/|URIs: https://${mirror}/|g; s|deb http[s]*://[^/]*/|deb https://${mirror}/|g" "$src"
+          done
+          rm -rf /var/lib/apt/lists/*
+          if apt-get update >/dev/null 2>&1 && apt-get install -y $APT_BASE >/dev/null 2>&1; then
+            exit 0
+          fi
+        done
+        exit 1
       ' || {
         msg_error "apt-get base packages installation failed"
         exit 1

misc/install.func

@@ -201,15 +201,50 @@ pkg_update() {
   case "$PKG_MANAGER" in
   apt)
     if ! $STD apt-get update; then
-      msg_warn "apt-get update failed, bypassing hash verification (Debian repo desync)..."
+      msg_warn "apt-get update failed, trying alternate mirrors..."
+      local mirrors="
+        ftp.debian.org
+        ftp.us.debian.org
+        ftp.de.debian.org
+        ftp.fr.debian.org
+        ftp.nl.debian.org
+        ftp.uk.debian.org
+        ftp.ch.debian.org
+        ftp.se.debian.org
+        ftp.it.debian.org
+        ftp.au.debian.org
+        ftp.jp.debian.org
+        ftp.ca.debian.org
+        debian.csail.mit.edu
+        mirrors.ocf.berkeley.edu
+        mirrors.wikimedia.org
+        debian.osuosl.org
+        mirror.cogentco.com
+        ftp.fau.de
+        ftp.halifax.rwth-aachen.de
+        debian.mirror.lrz.de
+        mirror.init7.net
+        debian.ethz.ch
+        mirrors.dotsrc.org
+        debian.mirrors.ovh.net
+        mirror.aarnet.edu.au
+      "
       echo 'Acquire::By-Hash "no";' >/etc/apt/apt.conf.d/99no-by-hash
-      echo 'Acquire::AllowInsecureRepositories "true";' >>/etc/apt/apt.conf.d/99no-by-hash
-      rm -rf /var/lib/apt/lists/*
-      $STD apt-get update --allow-insecure-repositories
-      # Restore secure settings
-      echo 'Acquire::By-Hash "no";' >/etc/apt/apt.conf.d/99no-by-hash
-      rm -rf /var/lib/apt/lists/*
-      $STD apt-get update || true
+      local apt_ok=false
+      for mirror in $mirrors; do
+        for src in /etc/apt/sources.list.d/debian.sources /etc/apt/sources.list; do
+          [[ -f "$src" ]] && sed -i "s|URIs: http[s]*://[^/]*/|URIs: https://${mirror}/|g; s|deb http[s]*://[^/]*/|deb https://${mirror}/|g" "$src"
+        done
+        rm -rf /var/lib/apt/lists/*
+        if $STD apt-get update; then
+          apt_ok=true
+          break
+        fi
+      done
+      if [[ "$apt_ok" != true ]]; then
+        msg_error "All mirrors failed. Check network or try again later."
+        return 1
+      fi
     fi
     ;;
   apk)