--- a/make_mirror.sh
+++ b/make_mirror.sh
@@ -564,6 +564,8 @@ for dist in stable testing unstable; do
 set -eu
 export LC_ALL=C.UTF-8
 export SOURCE_DATE_EPOCH=$SOURCE_DATE_EPOCH
+# workaround for https://bugs.debian.org/953588
+sed -i 's/apt-get update/apt-get -o Acquire::Languages=none update/' /usr/sbin/debootstrap
 debootstrap --no-merged-usr --variant=$variant $dist /tmp/debian-$dist-debootstrap $mirror
 tar --sort=name --mtime=@$SOURCE_DATE_EPOCH --clamp-mtime --numeric-owner --one-file-system --xattrs -C /tmp/debian-$dist-debootstrap -c . > "$newcache/debian-$dist-$variant.tar"
 rm -r /tmp/debian-$dist-debootstrap
--- a/coverage.sh
+++ b/coverage.sh
@@ -251,6 +251,31 @@ else
 	echo no difference for /etc/shadow- on $dist $variant >&2
 fi
 
+# Since 1.0.120 debootstrap unconditionally adds a security mirror
+if ! cmp /tmp/debian-$dist-debootstrap/etc/apt/sources.list /tmp/debian-$dist-mm/etc/apt/sources.list; then
+	case $dist in
+		stable)
+			echo 'deb http://security.debian.org/debian-security $dist/updates main' >> /tmp/debian-$dist-mm/etc/apt/sources.list
+			rm /tmp/debian-$dist-debootstrap/var/lib/apt/lists/security.debian.org_debian-security_dists_${dist}_updates_InRelease
+			rm /tmp/debian-$dist-debootstrap/var/lib/apt/lists/security.debian.org_debian-security_dists_${dist}_updates_main_binary-${HOSTARCH}_Packages
+			;;
+		testing)
+			echo 'deb http://security.debian.org/debian-security $dist-security main' >> /tmp/debian-$dist-mm/etc/apt/sources.list
+			rm /tmp/debian-$dist-debootstrap/var/lib/apt/lists/security.debian.org_debian-security_dists_${dist}-security_InRelease
+			;;
+	esac
+	case $dist in
+		stable|testing)
+			rm /tmp/debian-$dist-debootstrap/var/cache/apt/archives/lock
+			rm /tmp/debian-$dist-debootstrap/var/cache/apt/pkgcache.bin
+			rm /tmp/debian-$dist-debootstrap/var/cache/apt/srcpkgcache.bin
+			rmdir /tmp/debian-$dist-debootstrap/var/lib/apt/lists/auxfiles
+			rm /tmp/debian-$dist-debootstrap/var/lib/apt/lists/lock
+			;;
+		*) echo "$dist does not match stable|testing" >&2 ;;
+	esac
+fi
+
 # check if the file content differs
 diff --no-dereference --recursive /tmp/debian-$dist-debootstrap /tmp/debian-$dist-mm
 
