I have confirmed debootstrap 1.0.101 is unaffected, so I am using this version in the mean time.
Okay, so thinking about it I think inserting debootstrap.invalid in the sources.list was a pretty good way of doing it for the case of anything that isn't an http/https mirror. Can we do that instead of the current patch? Cheers!