Comment 11 for bug 306356

Ah, yes, the sources.list after an installation that doesn't use hardy-proposed has the following in it:

  # deb http://us.archive.ubuntu.com/ubuntu hardy-security main restricted
  deb http://192.168.1.210:3142/ubuntu hardy-security main restricted
  deb-src http://192.168.1.210:3142/ubuntu hardy-security main restricted

which indicates it initially used $MIRROR, then later used $SECMIRROR.