Noticed this on my fresh install from today's version of Axzez OMV. /etc/apt/sources.list uses `deb http://ftp.us.debian.org/debian bullseye main contrib non-free non-free-firmware`, which
- doesn't have certificate checks to ensure the source (it's insecure)
- is specific to the US.
Much better to use
`deb https://deb.debian.org/debian bullseye main contrib non-free non-free-firmware`
That's the fast.ly CDN mirror for debian packages, always using a local endpoint and protected by HTTPS.
We feel that Debian packages are signed, so it is good and acceptable to get them from plain http sources. We will use deb.debian.org/debian instead of the ftp.us url, though. Of course, once you have the OS, you may manipulate sources.list however you like.
I will pass along your comments to the team. We appreciate your feedback!
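
As an added example, not part of either post: a shell sketch that audits a sources.list for the two issues raised in the thread (plain http transport, country-specific mirror) and prints a copy pointing at https://deb.debian.org. The function names, the sample file contents and the `signed-by` keyring path are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit one-line-style APT entries for plain-http transport
# and ftp.<cc>.debian.org country mirrors. Function names are hypothetical.

# audit_sources FILE
# Prints "<lineno>:<finding>:<uri>" per finding; returns 1 if any were found.
audit_sources() {
    awk '
        $1 == "deb" || $1 == "deb-src" {
            i = 2
            # Skip an optional [ ... ] options block, which may contain spaces.
            if ($i ~ /^\[/) {
                while (i <= NF && $i !~ /\]$/) i++
                i++
            }
            uri = $i
            if (uri ~ /^http:\/\//) { print NR ":plain-http:" uri; bad = 1 }
            if (uri ~ /^[a-z]+:\/\/ftp\.[a-z][a-z]\.debian\.org\//) {
                print NR ":country-mirror:" uri; bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# rewrite_sources FILE
# Writes a copy to stdout with ftp.<cc>.debian.org and http://deb.debian.org
# replaced by https://deb.debian.org. Comment lines are left untouched.
rewrite_sources() {
    sed -E '/^[[:space:]]*deb(-src)?[[:space:]]/ s#(http|https)://(ftp\.[a-z]{2}|deb)\.debian\.org/#https://deb.debian.org/#' "$1"
}

# Constructed sample input; the first line is the entry quoted in the thread,
# the keyring path on the second line is a placeholder.
sample=$(mktemp)
cat > "$sample" <<'EOF'
deb http://ftp.us.debian.org/debian bullseye main contrib non-free non-free-firmware
deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] http://deb.debian.org/debian bullseye-updates main
# deb http://ftp.us.debian.org/debian bullseye-backports main
deb https://deb.debian.org/debian bullseye-backports main
EOF
audit_sources "$sample" || echo "findings above; proposed replacement follows"
rewrite_sources "$sample"
rm -f "$sample"
```

The rewrite only prints the proposed file; review it before copying it over /etc/apt/sources.list and running `apt update`.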