It's dead, Jim! (UEFI CA expiry)
Summary
This article reports on the expiry of the old Microsoft UEFI CA (2011) used for signing option ROMs and other software, and the swift response from Debian and others to roll out dual-signed shim binaries. It highlights the ongoing Secure Boot CA rollover process, the update cadence, and the importance of applying patched shims and firmware to avoid boot failures.