Why is dietpi trying to connect to Russia mirror.truenetwork.ru during apt update? dietpi.com hacked?

Why is dietpi trying to connect to Russia mirror.truenetwork.ru during apt update?

Only used dietpi-config to install anything.

Good thing I have .ru blocked on pihole

nothing in the apt list files?

/etc/apt/sources.list.d# grep -R "^deb " /etc/apt/
/etc/apt/sources.list.d/dietpi.list:deb https://dietpi.com/apt bookworm main-armv6
/etc/apt/sources.list.d/dietpi.list:deb https://dietpi.com/apt all rpi
/etc/apt/sources.list.d/raspi.list:deb https://archive.raspberrypi.com/debian bookworm main
/etc/apt/sources.list:deb http://raspbian.raspberrypi.com/raspbian bookworm main contrib non-free
echo "$G_DIETPI_VERSION_CORE.$G_DIETPI_VERSION_SUB.$G_DIETPI_VERSION_RC"
"10.3.3"

Distro: Raspbian GNU/Linux 12 (bookworm)
Kernel: 6.18.23+ (#1972 Tue Apr 21 14:47:32 BST 2026)
Arch: armv6l
Version=252.39-1~deb12u1+rpi1

I have used apt update with dietpi 12 bookworm fine, until today.

E: Failed to fetch http://mirror.truenetwork.ru/raspbian/raspbian/pool/main/n/nghttp2/libnghttp2-14_1.52.0-1+deb12u3_armhf.deb  Could not connect to mirror.truenetwork.ru:80 (0.0.0.0). - connect (111: Connection refused) Could not connect to mirror.truenetwork.ru:80 (::). - connect (111: Connection refused)
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?

@MichaIng @Joulinar

The http://raspbian.raspberrypi.com/raspbian APT repo is a mirror director, so it connects to any next repository mirror it finds suitable based on your location or IP. If you are located in or close to Russia, the location of the mirror.truenetwork.ru mirror might be best, regarding latency and bandwidth.

This is not managed by us, but by Raspbian and/or Raspberry Pi Ltd.

Also note that, even if you do not trust *.ru domains in general, APT repositories cannot be compromised without the private signing key, for which you have the public component stored in /etc/apt/trusted.gpg.d/. APT pulls https://mirror.truenetwork.ru/raspbian/raspbian/dists/bookworm/InRelease in a first step, and verifies the authenticity of this file by its embedded signature and the key on your system. Only if that matches, it pulls the package lists, based on your architecture and selected components, and compares the hashes with those in the InRelease. The package lists again contain hashes for the individual packages, which need to match as well before packages are installed. This chain guarantees integrity and authenticity of packages, as long as the public key on your system is correct, and the private signing key of the organization (Raspbian in this case) has not been stolen.

Also note that, while there are reasons to not trust Russian government and anything related since their attack on Ukraine, or earlier, not all Russian people and organizations are implicitly untrustworthy. There is an opposition, or at least opposing thoughts and actors, even if heavily suppressed, and there are people and organizations which are just acting entirely unrelated to political actions, living their lives and doing their thing. Most Russian people are just victims as well, even if many may not realize it, as of heavy censorship and propaganda.

Not sure why http://raspbian.raspberrypi.com/raspbian is picking Russia, my server is in the middle of the USA? This should not happen, and needs to be fixed.

Here’s how to fix it:

sudo find /etc/apt -type f -exec sed -i 's|http://raspbian.raspberrypi.com/raspbian|https://mirror.umd.edu/raspbian/raspbian|g' {} +

Nothing against the Russian people, but F*ck Putin!

WAAAIT, you are breaking your system!! Do not switch from Raspbian to Debian, these are different architectures, ARMv6 vs ARMv7, incompatible!

See here the list of explicit Raspbian mirrors to choose from: RaspbianMirrors - Raspbian
There you also see the Russian mirrors.
Some can be also selected via dietpi-config network options: misc.

I don’t know how the mirror director MirrorBrain works, probably its GeoIP is inaccurate. Even if it would have been compromised, and that mirror as well, your APT would just throw a signature validation error and not download anything else from it.

Right, hence I would not claim Truenetwork or any other Russian mirror operator from the Raspbian mirror list to be untrustworthy, or unfit to host a Raspbian mirror. They do host open source software for people in and around Russia, which is generally a good thing, and the Debian APT package manager works in a way that mirror operators do not even need to be trusted, to prevent system compromise even if any of them is hacked, or turning evil.

Fixed above cmd to use https://mirror.umd.edu/raspbian/raspbian

As said by @MichaIng we don’t manage these servers or mirrors. You would need to get in touch with Raspberry Pi guys.

Raspbian guys to be more precise:
raspbian.raspberrypi.com is a CNAME for mirrordirector.raspbian.org managed by the Raspbian project, which is independent from Raspberry Pi Foundation or Ltd.

However, we probably discussed it to a point of understanding, that this is not objectively wrong, but technically sane and safe. Compare this to NASA astronauts still, and all this time, launching from Baikonur with Soyuz rockets to ISS, except the months their only operational launchpad was broken. Nothing is fully independent of or beyond political matter. But these are cooperations with in case individual people involved, who know and trust each other enough, and maybe longer than probably sooner than later ending regimes going crazy. And I do not want to start talking about what vast parts of the world think about the current POTUS.

Anyway, enough political matters, just wanted to make clear not to generalise from a country’s government to all its people and organisations. But if you have still concerns in this particular case => RaspbianIRC - Raspbian

Nah, I think the Raspi project can do very well without any mirrors of the Russian Federation. I quickly chip in because I noticed the same thing and the utter unreliability of the mirror named in the entry post. Switched to something that actually is in proximity, netcologne. Until they fix the director, that's the only useful way.

Thanks for your attention to this matter (lol)

Sure, they can do very well without any US mirror as well. I mean in this case, a Russian mirror was successfully used by a US client. This is about sharing bandwidth with other organizations around the world, and providing higher bandwidth and lower latency for everyone around the world … if GeoIP or whichever mechanism to choose the mirror works well (here it seems to have been very off :smile:).

So, an IMO reasonable request would be to maybe update GeoIP databases, or review the mechanism of the mirror director, but not to ban this or that ccTLDs for political reasons.

Interesting conversation.

If I may interject: information has no country. You’re not “supporting Putin” by just existing on the same planet as him.