diff --git a/misc/build.func b/misc/build.func
index 0995a444..92b370f5 100644
--- a/misc/build.func
+++ b/misc/build.func
@@ -4601,52 +4601,20 @@ EOF'
     fi
 
     pct exec "$CTID" -- bash -c "apt-get update >/dev/null 2>&1 && apt-get install -y sudo curl mc gnupg2 jq >/dev/null 2>&1" || {
-      msg_warn "apt-get base packages failed, retrying with by-hash bypass and alternate mirror..."
+      msg_warn "apt-get update failed, bypassing hash verification (Debian repo desync)..."
       pct exec "$CTID" -- bash -c '
         APT_BASE="sudo curl mc gnupg2 jq"
-        apt_retry() {
-          rm -rf /var/lib/apt/lists/*
-          apt-get update >/dev/null 2>&1 && apt-get install -y $APT_BASE >/dev/null 2>&1
-        }
-
-        # Retry 1: Disable by-hash (stale CDN by-hash index)
         echo "Acquire::By-Hash \"no\";" >/etc/apt/apt.conf.d/99no-by-hash
-        apt_retry && exit 0
-
-        # Retry 2: Switch to country mirror (may lag behind primary)
-        for src in /etc/apt/sources.list.d/debian.sources /etc/apt/sources.list; do
-          [ -f "$src" ] && sed -i "s|deb.debian.org|ftp.de.debian.org|g" "$src"
-        done
-        apt_retry && exit 0
-
-        # Retry 3: Wait 30s for mirror sync, try original mirror
-        sleep 30
-        for src in /etc/apt/sources.list.d/debian.sources /etc/apt/sources.list; do
-          [ -f "$src" ] && sed -i "s|ftp.de.debian.org|deb.debian.org|g" "$src"
-        done
-        apt_retry && exit 0
-
-        # Retry 4: Temporarily allow hash mismatch (Release/Packages desync)
         echo "Acquire::AllowInsecureRepositories \"true\";" >>/etc/apt/apt.conf.d/99no-by-hash
-        for src in /etc/apt/sources.list.d/debian.sources /etc/apt/sources.list; do
-          [ -f "$src" ] && sed -i "s|deb.debian.org|ftp.debian.org|g" "$src"
-        done
         rm -rf /var/lib/apt/lists/*
-        if apt-get update --allow-insecure-repositories >/dev/null 2>&1; then
+        apt-get update --allow-insecure-repositories >/dev/null 2>&1 && \
           apt-get install -y --allow-unauthenticated $APT_BASE >/dev/null 2>&1
-          ret=$?
-          # Restore secure settings immediately
-          echo "Acquire::By-Hash \"no\";" >/etc/apt/apt.conf.d/99no-by-hash
-          for src in /etc/apt/sources.list.d/debian.sources /etc/apt/sources.list; do
-            [ -f "$src" ] && sed -i "s|ftp.debian.org|deb.debian.org|g" "$src"
-          done
-          rm -rf /var/lib/apt/lists/*
-          apt-get update >/dev/null 2>&1 || true
-          [ $ret -eq 0 ] && exit 0
-        fi
-        # Cleanup on failure
+        ret=$?
+        # Restore secure settings
         echo "Acquire::By-Hash \"no\";" >/etc/apt/apt.conf.d/99no-by-hash
-        exit 1
+        rm -rf /var/lib/apt/lists/*
+        apt-get update >/dev/null 2>&1 || true
+        exit $ret
       ' || {
         msg_error "apt-get base packages installation failed"
         exit 1
diff --git a/misc/install.func b/misc/install.func
index 41016f9d..c24dd7ec 100644
--- a/misc/install.func
+++ b/misc/install.func
@@ -201,39 +201,15 @@ pkg_update() {
   case "$PKG_MANAGER" in
   apt)
     if ! $STD apt-get update; then
-      msg_warn "apt-get update failed, retrying with by-hash bypass and alternate mirror..."
+      msg_warn "apt-get update failed, bypassing hash verification (Debian repo desync)..."
+      echo 'Acquire::By-Hash "no";' >/etc/apt/apt.conf.d/99no-by-hash
+      echo 'Acquire::AllowInsecureRepositories "true";' >>/etc/apt/apt.conf.d/99no-by-hash
+      rm -rf /var/lib/apt/lists/*
+      $STD apt-get update --allow-insecure-repositories
+      # Restore secure settings
       echo 'Acquire::By-Hash "no";' >/etc/apt/apt.conf.d/99no-by-hash
       rm -rf /var/lib/apt/lists/*
-      if ! $STD apt-get update; then
-        # Retry with country mirror
-        for src in /etc/apt/sources.list.d/debian.sources /etc/apt/sources.list; do
-          [[ -f "$src" ]] && sed -i 's|deb.debian.org|ftp.de.debian.org|g' "$src"
-        done
-        rm -rf /var/lib/apt/lists/*
-        if ! $STD apt-get update; then
-          # Wait for mirror sync, try original
-          sleep 30
-          for src in /etc/apt/sources.list.d/debian.sources /etc/apt/sources.list; do
-            [[ -f "$src" ]] && sed -i 's|ftp.de.debian.org|deb.debian.org|g' "$src"
-          done
-          rm -rf /var/lib/apt/lists/*
-          if ! $STD apt-get update; then
-            # Last resort: temporarily allow insecure repos
-            msg_warn "All mirrors have hash mismatch, temporarily relaxing APT verification..."
-            echo 'Acquire::AllowInsecureRepositories "true";' >>/etc/apt/apt.conf.d/99no-by-hash
-            for src in /etc/apt/sources.list.d/debian.sources /etc/apt/sources.list; do
-              [[ -f "$src" ]] && sed -i 's|deb.debian.org|ftp.debian.org|g' "$src"
-            done
-            rm -rf /var/lib/apt/lists/*
-            $STD apt-get update --allow-insecure-repositories
-            # Restore secure settings immediately
-            echo 'Acquire::By-Hash "no";' >/etc/apt/apt.conf.d/99no-by-hash
-            for src in /etc/apt/sources.list.d/debian.sources /etc/apt/sources.list; do
-              [[ -f "$src" ]] && sed -i 's|ftp.debian.org|deb.debian.org|g' "$src"
-            done
-          fi
-        fi
-      fi
+      $STD apt-get update || true
     fi
     ;;
   apk)
diff --git a/tools/pve/update-lxcs-cron.sh b/tools/pve/update-lxcs-cron.sh
index 0cc99607..1f35d341 100644
--- a/tools/pve/update-lxcs-cron.sh
+++ b/tools/pve/update-lxcs-cron.sh
@@ -36,40 +36,15 @@ function update_container() {
   archlinux) pct exec "$container" -- bash -c "pacman -Syyu --noconfirm" ;;
   fedora | rocky | centos | alma) pct exec "$container" -- bash -c "dnf -y update && dnf -y upgrade" ;;
   ubuntu | debian | devuan) pct exec "$container" -- bash -c '
-    apt_update_ok=false
-    apt-get update && apt_update_ok=true
-    if [ "$apt_update_ok" = false ]; then
+    apt-get update || {
       echo "Acquire::By-Hash \"no\";" >/etc/apt/apt.conf.d/99no-by-hash
-      rm -rf /var/lib/apt/lists/*
-      apt-get update && apt_update_ok=true
-    fi
-    if [ "$apt_update_ok" = false ]; then
-      for src in /etc/apt/sources.list.d/debian.sources /etc/apt/sources.list; do
-        [ -f "$src" ] && sed -i "s|deb.debian.org|ftp.de.debian.org|g" "$src"
-      done
-      rm -rf /var/lib/apt/lists/*
-      apt-get update && apt_update_ok=true
-    fi
-    if [ "$apt_update_ok" = false ]; then
-      sleep 30
-      for src in /etc/apt/sources.list.d/debian.sources /etc/apt/sources.list; do
-        [ -f "$src" ] && sed -i "s|ftp.de.debian.org|deb.debian.org|g" "$src"
-      done
-      rm -rf /var/lib/apt/lists/*
-      apt-get update && apt_update_ok=true
-    fi
-    if [ "$apt_update_ok" = false ]; then
       echo "Acquire::AllowInsecureRepositories \"true\";" >>/etc/apt/apt.conf.d/99no-by-hash
-      for src in /etc/apt/sources.list.d/debian.sources /etc/apt/sources.list; do
-        [ -f "$src" ] && sed -i "s|deb.debian.org|ftp.debian.org|g" "$src"
-      done
       rm -rf /var/lib/apt/lists/*
       apt-get update --allow-insecure-repositories
       echo "Acquire::By-Hash \"no\";" >/etc/apt/apt.conf.d/99no-by-hash
-      for src in /etc/apt/sources.list.d/debian.sources /etc/apt/sources.list; do
-        [ -f "$src" ] && sed -i "s|ftp.debian.org|deb.debian.org|g" "$src"
-      done
-    fi
+      rm -rf /var/lib/apt/lists/*
+      apt-get update || true
+    }
     DEBIAN_FRONTEND=noninteractive apt-get -o Dpkg::Options::="--force-confold" dist-upgrade -y
     rm -rf /usr/lib/python3.*/EXTERNALLY-MANAGED' ;;
   opensuse) pct exec "$container" -- bash -c "zypper ref && zypper --non-interactive dup" ;;